- Users shall not use unencrypted end-user messaging services such as instant messaging, emails or chat to send account details like credit card or debit card information. Such information shall not be sent if a certified encryption tool is not available.
- External network devices like mobile phones, PDAs, tablets, USB flash drives, laptops, modems, wireless and remote-access technologies are prohibited from using within the Hydra cardholder data environments (CDE).
- Sensitive data like credit or debit cardholder name and number shall not be stored in external storage devices, namely hard disk drives, memory sticks, or any other external storage media. Storage of such sensitive data must only be done under the supervision of the Security Officer using proper encryption tools.
- All personnel employed here at Hydra are responsible for safekeeping of its valuable assets especially confidential customer information. Any activity deemed suspicious or suspected breach in Hydra’s security must be promptly reported to the Security Officer.
- All documents concerning credit and debit card information must be securely locked away.
6.2. Credit and Debit Card Handling Policy
Here, we state the basic obligatory necessities applicable to all employees the handle or come upon credit or debit cardholder information within Hydra. Additionally, any third party that utilises or accesses any of Hydra's credit or debit cardholder information, either physically or logically must likewise abide by the clauses in this section. It is not Hydra's motive to hold cardholder information, nevertheless, this portion of the policy outlines what to do if such a circumstance emerges.
- Inability to safeguard credit or debit card information can result to huge fines from banks, costly investigations, expensive lawsuits, loss of credibility or worst, revocation of the rights to take payment by credit or debit cards; which would incredibly hamper Hydra's capacity to do business.
- Only authorised personnel should handle credit or debit card information.
- Cardholder information ought to be managed in such a way as it is expressly approved by the role of the job.
220.127.116.11. Definitions of Card Data and its Requirements
- The ‘Credit Card Data’ implied here, includes the 16 digit card number (Primary Account Number or PAN), card holder’s name, the issue and expiry dates and the card verification value (CVV). Electronically stored PAN must always be encrypted and the cardholder information must be stored securely when kept with the PAN.
- Utmost care ought to be taken when handling the CVV and it should never be stored anywhere, albeit on a bit of paper, a form, in a database, in a worksheet or any other electronic arrangement, regardless of the possibility that it is encrypted. The only exception to this may be when taking a payment where the CVV is required to be temporarily stored (pre-authorisation) while an arrangement is made to take the payment. The CVV information must be wiped out as soon as the transaction is authorised.
- On the off chance that a full card number is seen when it is not required by your job description during the execution of your job, either by mistake or by intention, please report this to the Security Officer. However, if your employment requires that you require access to the full credit card number and it is not mentioned in your job’s detail of responsibilities, then, please report this to your supervisor so they can revise your job description and validate it with the HR.
18.104.22.168. Requirements of Handling Card Information
- The credit card information should not be stored in Hydra.
- Credit card information is private and confidential. So, if a credit card information is stored for whatever reason it must be properly safeguarded. Thus, card information stored in the system must be encrypted. On the off chance that it is put away on paper, it must be bolted away at all times unless being used. Any card number stored in the system must be reported to the Security Officer.
- Credit card information should not be stored on CDs, USB sticks, memory cards, laptops or desktop computers or any media storage device unless on approved systems. Do no store the credit card data when in doubt.
- Credit card information should not be stored in worksheet or in any other reports, until and unless it is especially required. If so, the data should be encrypted to AES – 256 bit standard and expressly approved by the Security Officer in written.
- Any card information upon discovery on Hydra’s frameworks must be accounted for to the Security Officer at once.
22.214.171.124. Printing of Credit Card Information
No cardholder information will be inside Hydra and subsequently there will be no printing of cardholder information. Printing of cardholder information is explicitly prohibited should such information exist.
126.96.36.199. Handling Documents with Credit Card Information
There are various situations where the card information is lawfully put away on paper, be it a chargeback mail, a spurious document, a special case report, etc. This information should be held just until the system is ready to handle the card information electronically.
188.8.131.52. Caution and Alertness
- Credit card information may be unintentionally left on a desk, fax machines, printers, the system’s recycle bin, in a temporary file, on a screen, in an email (in spite of the fact that this is against the Payment Card Industry Data Security Standard (PCI DSS)), in a swap file, etc.
- An excellent example of unexpected locations to find credit card information would be in call recordings. Every now and then, some phone calls may be recorded for security and quality purposes. Some of the recordings may undoubtedly contain credit card information. These recordings should be edited by removing any detail of the customer’s credit card information before it is utilised for training or any other purposes. So, a personnel undergoing training should not hear any card detail.
- Nonetheless, this is tolerable if as an aspect of your job responsibilities you are required to listen to the complete calls (e.g. routine quality checking). Be that as it may, storing such calls for any time frame must be done only in a secure and approved storage system.
- It is the responsibility of each employee to safeguard Hydra’s properties which also includes all types of information. So, it is essential that if you happen to come across any insecure credit card information, regardless of the possibility that your job responsibility includes working with credit card information, you should:
- secure the information, e.g. store it in a secure location,
- report it to your supervisor and
- report it to the Security Officer at once.
6.3. PCI - DSS Credit Card Data Management Policy
Here, we state the basic obligatory necessities applicable to all data (in soft format or hard format) created, transmitted, stored or managed by Hydra within the CDE (Cardholder Data Environment). Additionally, any third party that utilises or accesses any of the credit or debit cardholder information within the CDE, either physically or logically must likewise abide by the clauses in this section.
184.108.40.206. Data Classification Standard
- Here are the 4 levels of data classification recognised in Hydra:
Public Data - Public data is information that is readily available to the general public, such as our website, published accounts, circulars, etc. Such a data in the public domain is categorised as ‘Public’ and requires no particular protection or marking.
Internal Use - Information that can be published or distributed by its proprietor to relevant personnel of Hydra, its associates and other members, as deemed suitable by the data proprietors with no constraint on the substance or time of publication is classified as ‘Internal’.
Restricted Use - Such information that can only be accessed by authorised individuals as the system only grant access to valid and appropriate users is classified as ‘Restricted’. Valid log in credentials is required to access such information. Data characterised as Personal Data by the Data Protection Act falls into this classification. Publication or circulation of such information is not intentional and may bring upon unwanted attention, but is rather unlikely that this will cause financial or reputational harm to Hydra. However, under the Data Protection Act large collection of ‘Restricted’ information may get to be named ‘Confidential’, in this manner requiring a higher authorisation level to access the information.
Confidential Data - Delicate and confidential information such as credit or debit cardholder data, intellectual property of Hydra or any information that in a competitor’s hand could give that competitor favourable position over Hydra. Every single classified data in the cardholder data environment must be set apart as secret/private and have an information proprietor allotted. Access to private information must be controlled so that the information is accessible to only exclusive clients that have a 'need to know' i.e. access to the information is necessary to carry out one’s job responsibility. Classified information must not be replicated or shared in any arrangement without the authorisation of the information proprietor. Every single confidential data stored electronically in the cardholder data environment ought to be encrypted before storage.
- All data in the CDE must be handled as per this policy.
220.127.116.11. PCI-DSS Data Holding
- Cardholder information must not be held on any Hydra framework.
- Other information alluding to the cardholder data environment will be dealt with as defined below.
18.104.22.168.1. Payment Card Data
Payment card information will not be stored within Hydra.
22.214.171.124.2. Revenue Protection Agreement
All paper copies or data relating to charge-backs, fraud prevention and revenue protection must be cross-cut shredded and destroyed after they have met their holding period.
126.96.36.199.3. Documentation of Physical Location and Information Systems
All documentation concerning with the Information Systems inside the PCI-DSS CDE, including system network diagram, firewall access, passwords and configuration of the system and documentation of backup must be held safely with only authorised access.
188.8.131.52.4. Audit Logs
Audit logs are out of scope as there will be no cardholder data in Hydra.
184.108.40.206. Security of Cardholder Data
Within the CDE (Cardholder Data Environment):
- Private information in the CDE must not be sent to any outside authority without the Division Head’s authorisation and the approval of the data proprietor, i.e. 2 separate individuals.
- All information physically sent to an outer source must be sent by means of secure messenger or other secure delivery technique, as permitted ahead of time by the information proprietor to guarantee it is precisely followed.
- All data must be stored as per their classification disregarding the type of media it is held in.
- All physical backup media must be sent by means of secure transport.
- All information sent remotely should be logged and their records held for at least 12 months.
- All electronic and physical (paper) private information, particularly on the off chance that it contains cardholder information, must have real time security controls enforced at all times.
- Every single classified data must be put away safely and all means of access to it be protected and controlled in view of a client's "need to know".
- Private information, particularly cardholder information, put away on any type of media, such as hard drives, CD’s, DVD’s, USB sticks, backups, paper, etc. should be accounted for to guarantee the secure storage is overseen and recorded.
- Occasional media inventories must be performed on a yearly basis. Proof of media inventories will be maintained.
- Every single private data, for example, cardholder information, access passwords must be encrypted when stored. Stored data incorporates every single logical locations, such as log files, reports, backups, reports, debugging files, servers, database, etc.
- All system and application passwords are classified as private/secret information and should be encrypted in all types of data transfer and during storage.
220.127.116.11. Location of Cardholder Data Storage
Hydra does not store cardholder data
18.104.22.168. Disposal of Cardholder Data
- Hydra ought not store or hold any cardholder data.
- However, if cardholder information does exist on any framework, the accompanying conditions apply:
- All information must be safely discarded after its purpose is served disregarding the type of storage used.
- All written or printed hard copies of cardholder information must be physically discarded/shredded at the end of its retention period. A quarterly check-up procedure must be set up to affirm that all non-electronic cardholder information has been properly discarded in an opportune way.
- Hydra requires that, before they leave Hydra, all printed copy materials are crosscut shredded, burned or pulped so they can't be remade.
- Cardholder data to be shredded or destroyed should be stored in lockable containers with restricted access. These containers should be clearly marked “To Be Shredded”.
22.214.171.124. Cardholder Data on Mobile
No cardholder data will be stored on mobile device.
6.4. Physical Security
6.4.1. Checking devices for security vulnerabilities
- All devices must undergo routine assessment by authorised personnel to find out if the devices has been tampered with or substituted with a fake component (e.g. card skimmer). The serial numbers of the devices should also be inspected every now and then.
- The staff must undergo special training in order to report component tempering and apprehend any suspecting behaviour.
- Any suspicion regarding tempering of device components must be promptly reported to the concerning Security Officer.
6.4.2. Personnel Check for Individuals
- Properly check the identity document of anyone claiming to be maintenance or repair worker before giving them permission to check and troubleshoot the faulty device.
- Devices without proper verification should not be introduced, replaced or returned.
- Be wary of dubious behaviour around the devices.
- Any dubious characters or suspect of device tempering should be promptly reported to the Security Officer.
6.5. Acceptable Use
- Provided information system facilities are for business purposes. Authorised use of such facilities must be in agreement with the Access Control Policy and Conditions of Use of IT Facilities.
- It is obligatory to comply with the terms and conditions of Access Control Policy and Conditions of Use for all the users in order to access the equipment and systems within the CDE.
- Staff and other personnel who intentionally violate these terms and conditions will be liable to disciplinary action up to and including dismissal without notice. Culprits will be prosecuted under the Computer Misuse Act 1990.
- It is the duty of every user to responsibly use the equipment they have been assigned to as well as abide by all policies and applicable laws of Hydra.
- Users must make sure that all the devices of Hydra must have anti-virus installed, operating and should be up to date. Any failure of devices or provision should be reported to IT Service Desk.
- Downloading and installation of any software on Hydra systems is restricted without authorisation from the Security Officer.
- Without the authorisation or permission of the Security Officer, any IT systems, equipment should not be installed on Hydra network.
Hydra computer systems are used by all users, including permanent, contract and temporary staff within the CDE. IT systems, equipment and information must be used according to Hydra security policies and procedures. Responsibilities for all users:
- Being aware about complying all the procedures and policies applicable to their area of responsibilities;
- Keeping Hydra equipment under their authority safe from any damage or unauthorised access;
- The equipment provided by Hydra should be used for business purpose only;
- Keeping customer information safe from any loss or unauthorised access;
- Protecting their passwords and not disclosing user accounts;
- Making sure that all the facilities and systems like the Internet, should be used complying with Hydra’s ‘Conditions of Use of IT Facilities’.
- Locking or logging off the workstations and clearing the desks when leaving and at the end of the day;
- Any Hydra property, equipment or information should not be removed without authorisation from the organization premises;
- Any personal equipment should not be connected to any Hydra networks within the CDE;
- Installation, modifying or copying any software on Hydra equipment should not be done without authorisation;
- Any security incidents should be immediately reported to the Security Officer.
Responsibilities will be defined in job descriptions for carrying out specific information or security duties where applicable.