Healing Beacon Foundation
Defining Sensitive Data
Healing Beacon Foundation defines sensitive data as magnetic stripe data – information on the black strip located on the back of the card, such as the cardholder name, account number, or expiration date. Sensitive data also includes the personal identification number (PIN) of the cardholder and the three- or four-digit validation code located on the front or back of the card.
Storage of Cardholder Data
It is the policy of the Healing Beacon Foundation that point-of-sale (POS) terminals used by the Healing Beacon Foundation will not store any cardholder data in electronic format.
It is policy that Healing Beacon Foundation will not store any cardholder data in paper format.
For each existing POS terminal, Healing Beacon Foundation will validate with its vendor or vendors whether any POS terminals store cardholder data.
It is policy that Healing Beacon Foundation will not store, in any form, the card validation code (CVC) or card verification value (CVV) – the three- or four-digit number printed on the front or back of a payment card – used to verify card-not-present transactions.
It is policy that Healing Beacon Foundation will not store the PIN or the encrypted PIN block.
It is policy that the primary account number (PAN) will be masked when displayed. On the receipt, only the first six or last four digits will be displayed. Please Note: These values are usually blocked out with an asterisk (*) or an X.
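The masking rule above can be checked mechanically. The following is an added example, not part of the Healing Beacon Foundation policy: a PAN masking routine that never reveals more than the first six and last four digits, plus a Luhn-based scan that can be run over an exported POS log or receipt file (a constructed sample is embedded) to confirm that no unmasked PANs have been stored or printed.

```python
import re

# Added example, not from the Healing Beacon Foundation policy: PAN masking as
# the policy specifies, plus a Luhn-based scan of a constructed POS log to
# check that no unmasked PANs have been stored or printed.

# 13-19 digits, optionally separated by spaces or dashes
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str, keep_first: int = 0, keep_last: int = 4, fill: str = "*") -> str:
    """Mask a PAN; never reveal more than the first six and last four digits."""
    digits = re.sub(r"\D", "", pan)
    keep_first, keep_last = min(keep_first, 6), min(keep_last, 4)
    hidden = len(digits) - keep_first - keep_last
    if hidden <= 0:
        raise ValueError("PAN too short to mask")
    return digits[:keep_first] + fill * hidden + digits[len(digits) - keep_last:]

def _pan_digits(match: "re.Match") -> str:
    """Digits of a regex match if it is a Luhn-valid PAN, else an empty string."""
    digits = re.sub(r"\D", "", match.group(0))
    return digits if 13 <= len(digits) <= 19 and luhn_ok(digits) else ""

def find_unmasked_pans(text: str) -> list:
    """List every Luhn-valid PAN found in text (e.g. an exported POS log)."""
    return [d for d in (_pan_digits(m) for m in PAN_RE.finditer(text)) if d]

def redact(text: str) -> str:
    """Replace each Luhn-valid PAN in text with its last-four masked form."""
    return PAN_RE.sub(lambda m: mask_pan(_pan_digits(m)) if _pan_digits(m) else m.group(0), text)

# Constructed sample log using industry test card numbers, not real accounts.
SAMPLE_LOG = (
    "2024-01-02 POS1 SALE 4111 1111 1111 1111 amount=20.00\n"
    "2024-01-02 POS1 SALE ************4242 amount=15.00\n"
    "2024-01-02 POS1 REF ticket=1234567890123 amount=5.00\n"
)

if __name__ == "__main__":
    print(find_unmasked_pans(SAMPLE_LOG))  # PANs that should never have been stored
    print(redact(SAMPLE_LOG))
```

A non-empty result from find_unmasked_pans on a terminal's export is evidence that the terminal is storing cardholder data and should be raised with the vendor.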
On occasion, Healing Beacon Foundation will employ the services of outside firms to perform accounting, financial, or other services based upon business necessity. Healing Beacon Foundation will perform appropriate due diligence on vendors – those who gain direct access to, or who could gain access to, sensitive data – in order to determine whether their security controls and procedures are adequate.
For example: Healing Beacon Foundation may occasionally employ professional accountants or certified public accountants (CPAs) to perform tax and accounting services. As appropriate, Healing Beacon Foundation will obtain pertinent information from the accountant or CPA to ensure that all sensitive data maintained by Healing Beacon Foundation is fully controlled and protected by the accountant or CPA.
Protection of Transmitted Data
It is policy that unencrypted PANs will not be sent using end-user messaging technologies, such as e-mail, instant messaging, and chat services.
Procedurally, Healing Beacon Foundation does not allow the submission of card numbers by customers or the public through unsecured e-mail, whether directly or through Healing Beacon Foundation’s Web site, or by public e-mail systems (for example: Yahoo!®, MSN®, or AOL®), instant messaging, or chat services.
POS Terminals and Associated Hardware
It is policy that access to POS terminals operated by [Merchant Name], as well as associated equipment (for example: servers or printers), shall be limited to authorized personnel whose jobs require such access.
As of the current date of this policy, [all personnel] or [the following employees] have authorized physical access to POS terminals and associated hardware.
Backup tapes containing transaction information are required to be stored in a secure safe at all times, unless new data is being transferred to the tapes or research information is being gathered from the tapes.
It is the policy of Healing Beacon Foundation that all paper receipts and documents containing cardholder data or transaction information will be stamped as “confidential.” Please Note: It is acceptable to group all POS receipts and use one confidential stamp on the envelope holding the receipts or on the cover sheet on top of the receipts.
It is the policy of Healing Beacon Foundation that all backup tapes and similar media will have a “confidential” label denoting the sensitivity of the data residing on them.
It is the policy of Healing Beacon Foundation that only authorized personnel, as determined by Healing Beacon Foundation, have the authority to access the information residing on backup tapes and similar media.
Transport of Media
It is the policy of Healing Beacon Foundation that all media sent by a secured courier or other delivery methods will be properly tracked at all times. Designated employees will be responsible for monitoring the transport progress of all media.
It is the policy of Healing Beacon Foundation that only management – designated as [Juliet Julius] – can authorize the moving of any or all media containing cardholder data from a secure location, particularly when media is distributed to individuals.
It is the policy of Healing Beacon Foundation that all media – whether tape, hard drive, paper, or otherwise – that contains cardholder data shall be completely and promptly destroyed once it is determined to be no longer needed for business or legal reasons. This determination will be made by Healing Beacon Foundation management.
Whenever media is destroyed, the following will be logged on a standard log report:
– Person who destroyed the media
– Type of media
– Type of information that resided on the media
It is the policy of Healing Beacon Foundation that all hard-copy materials shall be appropriately shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.
Destruction of documents shall be performed by authorized personnel and shall at all times take place within the premises of Healing Beacon Foundation.
Documents that are slated for shredding shall be promptly shredded. It is not acceptable to maintain opened baskets containing documents to be shredded for any period of time. It is policy that once a document is scheduled for shredding, the document shall be shredded within 24 hours.
It is the policy of Healing Beacon Foundation that no employees are allowed remote access to any internal systems. Healing Beacon Foundation has prohibited such access through logical and physical controls.
If Healing Beacon Foundation decides at some point in the future to allow remote access to one or multiple employees, all appropriate security measures and controls will be analyzed and implemented to ensure that all cardholder information remains well-controlled.
If business requirements necessitate the deployment of wireless technology at some future date, all appropriate security measures and controls will be analyzed and implemented to ensure that all cardholder information remains well-controlled.
E-mail and Internet Access
Employees are allowed to use the Internet and e-mail during their lunch hours. It has been determined that these systems stand alone and do not have any interaction with cardholder data, including POS terminals.
All employees will be reminded through training that they are not allowed to disseminate any sensitive data to customers, in any format, whether through e-mail, personal digital assistant (PDA), Web site, or other distribution methods.
Immediately upon identification of a breach or possible breach of sensitive cardholder data, Healing Beacon Foundation will take prompt action to prohibit further unauthorized disclosure of such information.
Once Healing Beacon Foundation has determined that the breach is contained, all appropriate parties will be notified.
This policy shall be provided to each new employee upon hiring.
Healing Beacon Foundation shall review the contents of this policy with all employees annually, regardless of whether they are new or longtime employees.
Annual training will incorporate incident response.
Vendors and Service Providers
It is policy that Healing Beacon Foundation will monitor its vendors’ and service providers’ Payment Card Industry (PCI) Data Security Standard (DSS) compliance statuses annually. Such monitoring may take the form of audit reports or summary letters received from the vendor or service provider or the vendor’s or service provider’s auditor or information technology (IT) consulting firm.
Healing Beacon Foundation deals with the following vendors and service providers who can access, or may be able to gain access to, sensitive cardholder data.
Appropriate due diligence will be performed on all vendors and service providers prior to entering into formal agreements.
Agreements will incorporate non-disclosure statements. They will also address proper physical and logical security controls. Vendor and service provider contracts will state that the vendor or service provider is responsible for the security of the cardholder data the vendor or service provider possesses.
Healing Beacon Foundation reserves the right to acquire annual audit reports on any vendor or service provider pertaining to operational and security environments. This shall be written in the contract.
The following due diligence information may be obtained, as relevant to the nature of the relationship:
• Disaster recovery
All Healing Beacon Foundation employees are bound by the requirements of this policy. Management reserves the right to punish or terminate employees due to non-compliance with any provisions within this policy or for failure to follow basic security principles.
This policy will be reviewed annually by Healing Beacon Foundation management and updated as needed. Any updates will be added as addendums. Addendums to this policy will be distributed to, and discussed with, all employees as necessary.