1. Introduction
Purpose: This document sets out W.E.B.S Ltd's policies and procedures for maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS) as a Level 4 merchant. PCI DSS defines the requirements for protecting cardholder data; merchant levels (1 to 4) are assigned by the card brands according to transaction volume and determine how compliance is validated (for Level 4, typically an annual Self-Assessment Questionnaire), not which requirements apply.
Scope: Applies to all employees, contractors, and third-party vendors with access to cardholder data.
Review and Maintenance: This document will be reviewed annually or as needed to ensure ongoing compliance.
2. Information Security Policy
W.E.B.S Ltd is committed to protecting cardholder data in order to maintain the trust of our customers and to comply with PCI DSS. All cardholder data (CHD) must be protected from unauthorized access or use.
Policy Requirements:
- All employees handling sensitive cardholder information must adhere to this policy.
- Employees must receive training on data protection and privacy, with an emphasis on PCI DSS compliance.
- Any breaches or suspected breaches of cardholder data must be immediately reported to the designated security officer.
3. Cardholder Data Handling and Protection
Data Minimization: Only cardholder data essential to the business is collected, and sensitive authentication data (full track data, card verification codes, PINs) is never stored after authorization. The Primary Account Number (PAN) is masked wherever it is displayed, showing at most the first six and last four digits; the full PAN is visible only to personnel with a documented business need.
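As an added illustration of the masking rule above (example code written for this page; it is not part of W.E.B.S Ltd's systems or of PCI DSS itself), the following Python implements display masking that never reveals more than the first six and last four digits, and a log-scrubbing variant that keeps only the last four. The Luhn check is used as a guard so that order numbers or timestamps that merely look like card numbers are left alone. The sample log line and the test card number are constructed for the example.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
# The lookbehind/lookahead stop us matching a slice out of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log line: an order number that is not a card number, and a
# well-known Visa test PAN (4111 1111 1111 1111) that must never reach a log in clear.
SAMPLE_LOG_LINE = (
    "2024-03-02T10:15:01Z checkout order=20240302123456 "
    "pan=4111 1111 1111 1111 amount=12.50"
)


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask a PAN for display, keeping at most the first six and last four digits.

    Separators in the input (spaces, hyphens) are preserved so the on-screen
    layout does not change; every other digit is replaced by 'X'.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    # Clamp to the PCI DSS display maximum regardless of what the caller asked for.
    keep_first = max(0, min(keep_first, 6))
    keep_last = max(0, min(keep_last, 4))
    hidden = len(digits) - keep_first - keep_last
    masked_digits = digits[:keep_first] + "X" * hidden + digits[len(digits) - keep_last:]
    out, idx = [], 0
    for ch in pan:
        if ch.isdigit():
            out.append(masked_digits[idx])
            idx += 1
        else:
            out.append(ch)
    return "".join(out)


def redact_pans_in_text(text: str) -> tuple[str, int]:
    """Replace every Luhn-valid PAN in free text (e.g. a log line) with a
    last-four-only mask. Returns the scrubbed text and the number of PANs found."""
    count = 0

    def _sub(match: re.Match) -> str:
        nonlocal count
        candidate = match.group(0)
        if not luhn_valid(re.sub(r"\D", "", candidate)):
            return candidate  # looks like a PAN but fails Luhn: leave it alone
        count += 1
        return mask_pan(candidate, keep_first=0, keep_last=4)

    return PAN_CANDIDATE.sub(_sub, text), count
```

The display function clamps `keep_first`/`keep_last` rather than trusting the caller, so a UI that asks for eight leading digits still gets six; the log scrubber is deliberately stricter (last four only) because logs are read by far more people than a payment screen.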
Access Control: Access to cardholder data is restricted to authorized personnel based on job functions.
Encryption: The PAN is rendered unreadable wherever it is stored (e.g., AES-256 encryption, with encryption keys stored and managed separately from the encrypted data) and is encrypted in transit across open, public networks using strong cryptographic protocols (TLS 1.2 or higher; SSL and early TLS are not permitted).
4. Network Security
Firewall Configuration: Firewalls are configured to protect cardholder data and restrict external access to internal systems that handle payment data.
Network Segmentation: The cardholder data environment (CDE) is segmented from other networks so that systems outside the CDE cannot reach it, which both reduces risk and limits the scope of the PCI DSS assessment.
Regular Security Scans: W.E.B.S Ltd conducts quarterly network vulnerability scans and an annual vulnerability assessment; identified vulnerabilities are remediated and re-scanned until resolved.
5. Access Control Measures
User Authentication: Each user is assigned a unique ID; shared or generic accounts are not permitted. Passwords must be strong (at least eight characters, including numbers, symbols, and uppercase and lowercase letters) and are changed every 90 days.
Physical Security: Physical access to areas where cardholder data is processed or stored is restricted to authorized personnel only. Visitors must be escorted in sensitive areas.
Monitoring and Logging: All access to cardholder data and all administrative actions on CDE systems are logged. Logs are reviewed daily and retained for at least one year, with the most recent three months immediately available for analysis, as PCI DSS requires.
6. Data Retention and Disposal
Data Retention Policy: Cardholder data is retained only as long as necessary for business or legal reasons.
Data Disposal: When cardholder data is no longer needed, it is securely destroyed: paper records by cross-cut shredding and electronic data by secure wiping, so that it cannot be reconstructed or recovered.
7. Incident Response Plan
Incident Identification: Any employee suspecting a security incident involving cardholder data must report it immediately to the designated security officer.
Response Steps:
- Contain the incident to prevent further exposure.
- Identify the cause and affected areas.
- Notify all necessary parties, including the acquiring bank, the affected card brands, and relevant regulatory bodies, as required.
- Implement corrective actions to prevent future incidents.
Testing: The incident response plan is tested annually to ensure effectiveness.
8. PCI DSS Training and Compliance Verification
Employee Training: All employees handling cardholder data are required to complete annual PCI DSS compliance training.
Annual Compliance Review: An internal assessment of PCI DSS requirements is conducted annually. Compliance is documented and any required action items are tracked to completion.
9. Third-Party Service Providers
Due Diligence: W.E.B.S Ltd conducts a risk assessment on all third-party vendors handling cardholder data and verifies their PCI DSS compliance status (e.g., a current Attestation of Compliance) before engagement and at least annually thereafter.
Service Provider Agreements: Agreements with third-party service providers include PCI DSS compliance requirements and acknowledge responsibility for the security of cardholder data they handle.
10. Governance and Compliance Reporting
Compliance Oversight: The designated security officer oversees PCI DSS compliance, coordinates training, manages incident response, and liaises with third parties to verify compliance.
Documentation and Record-Keeping: Compliance documentation is maintained for a minimum of three years and includes:
- Policy updates
- Employee training records
- Quarterly and annual security scan results and remediation records
- Incident response records
- Annual PCI compliance self-assessment questionnaire (SAQ) records
11. Acknowledgement
All employees must sign the compliance agreement confirming they have read and understood the policy and commit to its standards. Non-compliance may result in disciplinary action.
Employee Signature: _______________________
Date: _______________________
Appendix A – PCI DSS Requirements Summary
(For employee reference)