
1. Introduction

Purpose: This document outlines W.E.B.S Ltd's policies and procedures for maintaining compliance with the Payment Card Industry Data Security Standard (PCI DSS) as a Level 4 merchant. PCI DSS defines the requirements for protecting cardholder data; the merchant level is set by annual transaction volume and determines how compliance is validated (Level 4 merchants typically validate with a Self-Assessment Questionnaire).

Scope: Applies to all employees, contractors, and third-party vendors with access to cardholder data.

Review and Maintenance: This document will be reviewed annually or as needed to ensure ongoing compliance.

2. Information Security Policy

W.E.B.S Ltd is committed to protecting cardholder data to maintain the trust of our customers and to comply with PCI DSS. All cardholder data (CHD) must be protected from unauthorized access or use.

Policy Requirements:

  • All employees handling sensitive cardholder information must adhere to this policy.
  • Employees must receive training on data protection and privacy, with an emphasis on PCI DSS compliance.
  • Any breaches or suspected breaches of cardholder data must be immediately reported to the designated security officer.

3. Cardholder Data Handling and Protection

Data Minimization: Only cardholder data that is essential to the business is collected. The Primary Account Number (PAN) is masked wherever it is displayed (no more than the first six and last four digits shown), except to personnel with a documented business need to see the full PAN. Sensitive authentication data (card verification codes, full track data, PINs) is never stored after authorization.

Access Control: Access to cardholder data is restricted to authorized personnel based on job functions.

Encryption: Stored cardholder data is rendered unreadable using strong cryptography (e.g., AES-256, with encryption keys stored and managed separately from the data they protect). Cardholder data transmitted across open, public networks is protected with strong cryptographic protocols (TLS 1.2 or higher; SSL and early TLS are not permitted).

4. Network Security

Firewall Configuration: Firewalls are configured to protect cardholder data by restricting inbound and outbound traffic to that which is necessary for the cardholder data environment, and by preventing direct public access from the internet to internal systems that handle payment data. Firewall rule sets are documented and reviewed at least every six months.

Network Segmentation: The cardholder data environment (CDE) is segmented from other networks to limit the systems in scope for PCI DSS and to contain the impact of a compromise elsewhere on the network.

Regular Security Scans: W.E.B.S Ltd conducts quarterly internal and external network vulnerability scans (external scans are performed by a PCI SSC Approved Scanning Vendor) and an annual vulnerability assessment. Identified vulnerabilities are remediated and rescanned until a passing result is obtained, and scan reports are retained as compliance evidence.

5. Access Control Measures

User Authentication: Each user is assigned a unique ID; shared or generic accounts are not used for access to cardholder data. Passwords must be strong (at least eight characters, including numbers, symbols, and uppercase and lowercase letters) and must be changed at least every 90 days.

Physical Security: Physical access to areas where cardholder data is processed or stored is restricted to authorized personnel only. Visitors must be escorted in sensitive areas.

Monitoring and Logging: All access to cardholder data and to system components in the CDE is logged. Logs are reviewed regularly, protected from modification, and retained for at least 12 months, with the most recent three months immediately available for analysis, as PCI DSS requires.

6. Data Retention and Disposal

Data Retention Policy: Cardholder data is retained only as long as necessary for business or legal reasons.

Data Disposal: When cardholder data is no longer needed, it is securely destroyed: paper records are cross-cut shredded, and electronic media are securely wiped or physically destroyed so that the data cannot be reconstructed or recovered.

7. Incident Response Plan

Incident Identification: Any employee suspecting a security incident involving cardholder data must report it immediately to the designated security officer.

Response Steps:

  • Contain the incident to prevent further exposure.
  • Identify the cause and affected areas.
  • Notify all necessary parties, including the acquiring bank, the affected card brands, and relevant regulatory bodies, as required.
  • Implement corrective actions to prevent future incidents.

Testing: The incident response plan is tested annually to ensure effectiveness.

8. PCI DSS Training and Compliance Verification

Employee Training: All employees handling cardholder data are required to complete annual PCI DSS compliance training.

Annual Compliance Review: An internal assessment of PCI DSS requirements is conducted annually. Compliance is documented and any required action items are tracked to completion.

9. Third-Party Service Providers

Due Diligence: W.E.B.S Ltd conducts a risk assessment on all third-party vendors handling cardholder data to ensure compliance with PCI DSS standards.

Service Provider Agreements: Agreements with third-party service providers include PCI DSS compliance requirements and acknowledge responsibility for the security of cardholder data they handle.

10. Governance and Compliance Reporting

Compliance Oversight: The designated security officer oversees PCI DSS compliance, coordinates training, manages incident response, and liaises with third parties to verify compliance.

Documentation and Record-Keeping: Compliance documentation is maintained for a minimum of three years and includes:

  • Policy updates
  • Employee training records
  • Quarterly and annual security scans
  • Incident response records
  • Annual PCI compliance self-assessment questionnaire (SAQ) records

11. Acknowledgement

All employees must sign the compliance agreement confirming they have read and understood the policy and commit to its standards. Non-compliance may result in disciplinary action.

Employee Signature: _______________________

Date: _______________________

Appendix A – PCI DSS Requirements Summary

(For employee reference)

Terms and Conditions of FREE Website Offer

Website Scope:
The promotion offers a basic business website of up to 5 pages (Home, About, Services, Contact, etc.), which includes a modern, professional design using available templates.

Hosting and Domain:
Hosting is provided free for 6 months as part of the promotion. A .co.uk domain is free for 1 year, with the option to buy additional years or to choose another domain extension.

Content Submission:
The client must provide all text, images, and content needed for the website.

Revisions are limited to a reasonable amount (e.g., 2-3 rounds of edits).

Completion Timeline:
The website will be completed within 4-6 weeks of project approval, depending on the client’s responsiveness.

Promotion Frequency:
The offer is valid once a month, and one startup will be selected from the pool of applicants.

Selection Criteria:
Applications will be reviewed based on the clarity of the business idea, the potential for impact, and the business’s readiness to launch.

Non-Transferable:
This promotion is non-transferable and must be used by the original applicant. The website created through this offer cannot be re-sold or transferred to another party.

No Resale Clause:
The website provided under this promotion is intended solely for the use of the applicant’s business and cannot be re-sold or distributed as part of a third-party service.

Moral and Legal Standards:
We reserve the right to refuse projects that may be deemed questionable in terms of morality or legality.

Additionally, we cannot accept websites that may cause a conflict of interest with our existing customers.

Intellectual Property:
Ownership of the website design and structure remains with the client, but W.E.B.S Ltd retains the right to showcase the website in our portfolio, unless otherwise agreed upon.
