Shipping Smile Credit Card Policy
Anas Rharrass, Owner/CEO
Effective Date: April 17, 2020
Last Content Update: July 01, 2022
Purpose
This policy explains Anas Rharrass and Shipping Smile's credit card security requirements, as required by the Payment Card Industry Data Security Standard (PCI DSS) program. Anas Rharrass and Shipping Smile management is committed to these security policies to protect the information Anas Rharrass and Shipping Smile uses in attaining its business goals. All employees are required to adhere to the policies described in this document.
Scope of Compliance
The PCI requirements apply to all systems that store, process, or transmit cardholder data. Currently, Anas Rharrass and Shipping Smile's cardholder data environment consists only of limited payment applications (typically point-of-sale systems) connected to the Internet and does not include storage of cardholder data on any computer system.
Because the in-scope environment is limited, this policy is intended to meet the PCI requirements as defined in Self-Assessment Questionnaire (SAQ) C, version 2.0, October 2010. Should Anas Rharrass and Shipping Smile implement additional acceptance channels, begin storing, processing, or transmitting cardholder data in electronic format, or otherwise become ineligible to validate compliance under SAQ C, it will be the responsibility of Anas Rharrass and Shipping Smile to determine the appropriate compliance criteria and implement additional policies and controls as needed.
Policy
Requirement 1: Build and Maintain a Secure Network
Firewall Configuration
- Firewalls must restrict connections between untrusted networks and the systems in the cardholder data environment.
- Inbound and outbound traffic should only allow necessary connections. All others must be denied.
- All open ports and services should be documented, including port/service details, source/destination, and business justification.
- Perimeter firewalls should be installed between wireless networks and the cardholder data environment.
- Direct public access to the cardholder data environment from the Internet must be prohibited.
Firewall Configuration Specifics:
- Inbound and outbound traffic from the cardholder data environment must be explicitly authorized.
- Stateful inspection (dynamic packet filtering) must be implemented on firewalls.
Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
Vendor Defaults
- All vendor-supplied defaults (passwords, SNMP community strings, unnecessary accounts) must be changed before installing systems on the network.
- Wireless systems’ default settings must be changed, including encryption keys, passwords, and SNMP strings.
- Firmware on wireless devices must support strong encryption for data transmission.
Unneeded Services and Protocols
- Only necessary services and protocols should be enabled. All unneeded services must be disabled.
Non-Console Administrative Access
- Non-console administrative access must be encrypted using technologies such as SSH, VPN, or SSL/TLS.
Requirement 3: Protect Stored Cardholder Data
Prohibited Data
- Sensitive authentication data must be securely deleted post-authorization to prevent recovery.
- Cardholder data storage rules:
  - Full contents of track data and PIN must never be stored.
  - Card verification codes and PIN blocks must not be stored.
Displaying PAN
- PANs must be masked when displayed, so that at most the first six and last four digits are visible, and only to authorized parties with a legitimate business need.
Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
Transmission of Cardholder Data
- Cardholder data transmitted across open, public networks must be protected using strong encryption methods such as IPsec or SSL/TLS.
- Only trusted keys or certificates can be accepted. HTTPS must appear in URLs when cardholder data is being entered.
Industry Best Practices
- Wireless networks transmitting cardholder data must use strong encryption for authentication and transmission (e.g., IEEE 802.11i).
Sending Unencrypted PANs
- Unencrypted PANs must never be transmitted via end-user messaging technologies like email, instant messaging, or chat.
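Requirements 3 and 4 above describe the two sides of the same control: a PAN shown to staff is masked to first six and last four, and a PAN in email, chat or a log must not appear at all. The following is an added example, not Shipping Smile's own tooling, of how a defender could scan message or log text for Luhn-valid card numbers and reduce them to the permitted masked form; the card numbers used are the publicly known Visa, MasterCard and Amex test numbers, and the messages are constructed for this example.

```python
# Added example: find PANs leaked into plain text (chat, e-mail, logs) and mask
# them to first six / last four. Not part of the policy or Shipping Smile's code.
from __future__ import annotations
import re

# A candidate PAN is 13 to 19 digits, optionally split by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check every payment card PAN passes; rejects most look-alike numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, the maximum PCI DSS allows on display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_pans(text: str) -> tuple[str, int]:
    """Mask every Luhn-valid PAN in text; return (redacted text, number of PANs found).
    Separators inside a matched PAN are dropped in the masked output."""
    found = 0

    def repl(m: re.Match) -> str:
        nonlocal found
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_valid(digits):
            return m.group(0)                # e.g. an order id that merely looks like a PAN
        found += 1
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(repl, text), found


# Constructed sample: two chat messages and one POS log line; two of them leak a PAN.
SAMPLE_MESSAGES = [
    "customer says card 4111 1111 1111 1111 was declined, can you retry?",
    "order 1234567890123456 shipped, tracking 1Z999AA10123456784",
    "2022-07-01T09:14:02Z pos01 auth request pan=378282246310005 amt=42.10",
]


def scan_messages(messages: list[str]) -> list[tuple[int, str]]:
    """Return (index, redacted text) for each message that contained at least one PAN."""
    return [(i, r) for i, m in enumerate(messages) for r, n in [redact_pans(m)] if n]


if __name__ == "__main__":
    for idx, redacted in scan_messages(SAMPLE_MESSAGES):
        print(f"message {idx} leaked a PAN -> {redacted}")
```

Message 1 is left alone because its 16-digit order number fails the Luhn check, which is what keeps a scanner like this from flagging every long number in a shipping system.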
Requirement 5: Use and Regularly Update Anti-Virus Software or Programs
Anti-Virus
- Anti-virus logs must be maintained according to compliance requirements.
- Anti-virus software must be installed on all systems susceptible to malware and must be capable of detecting, removing, and protecting against all known types of malicious software.
- Anti-virus programs must be regularly updated, actively running, and configured to perform periodic scans.
Requirement 6: Develop and Maintain Secure Systems and Applications
Security Patches
- All critical and high-risk security patches must be applied within 14 days of release, including patches for operating systems and installed applications.
Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
Limit Access to Cardholder Data
- Access to Anas Rharrass and Shipping Smile’s cardholder system components and data is limited to individuals whose jobs require access.
Access Limitations
- Privileged User IDs: Access rights for privileged user IDs must be restricted to the least privileges necessary for job responsibilities.
- Role-Based Access Control: Privileges must be assigned based on job classification and function.
Requirement 8: Assign a Unique ID to Each Person with Computer Access
Remote Access
- Two-factor authentication must be incorporated for remote access to the network by employees, administrators, and third parties.
Vendor Accounts
- Vendor remote access accounts must only be enabled during the required period and monitored during use.
Requirement 9: Restrict Physical Access to Cardholder Data
Physically Secure All Media Containing Cardholder Data
- Storage Guidelines for Hard Copy Media:
  - All media must be physically secured.
  - Strict control must be maintained over the distribution of media containing cardholder data, including:
    - Media classification to determine sensitivity.
    - Secure carrier or delivery method for media distribution.
    - Logs to track all media moved from secured areas, requiring management approval.
Destruction of Data
- Media containing cardholder data must be destroyed when no longer needed for business or legal reasons.
- Hard Copy Media Destruction: Media must be shredded, incinerated, or pulped so that the data cannot be reconstructed.
Requirement 11: Regularly Test Security Systems and Processes
Testing for Unauthorized Wireless Access Points
- Quarterly Testing: Anas Rharrass and Shipping Smile will test to ensure no unauthorized wireless access points are present in the cardholder data environment.
- This includes detecting and identifying:
  - WLAN cards in system components
  - Portable wireless devices connected by USB
  - Wireless devices attached to network devices
- Automated monitoring must generate alerts if unauthorized devices are detected.
- Unauthorized device detection must be included in the Incident Response Plan.
Vulnerability Scanning
- External Scans: External vulnerability scans must be conducted by an Approved Scanning Vendor (ASV) and meet the requirements of the ASV Program Guide.
- Quarterly Scans: Anas Rharrass and Shipping Smile will perform vulnerability scans on all in-scope systems at least quarterly and after any significant network change.
- Internal Vulnerability Scans: Internal scans must be repeated until passing results are obtained or all “high” vulnerabilities are resolved.
Requirement 12: Maintain a Policy that Addresses Information Security for Employees and Contractors
Security Policy
Anas Rharrass and Shipping Smile shall establish, publish, maintain, and disseminate a security policy that addresses how the company will protect cardholder data. (PCI Requirement 12.1)
This policy must be reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment. (PCI Requirement 12.1.3)
Critical Technologies
Anas Rharrass and Shipping Smile shall establish usage policies for critical technologies (for example, remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), email, and internet usage). (PCI Requirement 12.3)
These policies must include the following:
- Explicit approval by authorized parties to use the technologies (PCI Requirement 12.3.1)
- Authentication for use of the technology (PCI Requirement 12.3.2)
- A list of all such devices and personnel with access (PCI Requirement 12.3.3)
- Acceptable uses of the technologies (PCI Requirement 12.3.5)
- Acceptable network locations for the technologies (PCI Requirement 12.3.6)
- Automatic disconnect of sessions for remote-access technologies after a specific period of inactivity (PCI Requirement 12.3.8)
- Activation of remote-access technologies for vendors and business partners only when needed, with immediate de-activation after use (PCI Requirement 12.3.9)
Security Responsibilities
Anas Rharrass and Shipping Smile’s policies and procedures must clearly define information security responsibilities for all personnel. (PCI Requirement 12.4)
Incident Response Policy
The Systems Security Administrator shall establish, document, and distribute security incident response and escalation procedures to ensure timely and effective handling of all situations. (PCI Requirement 12.5.3)
Incident Identification
Employees must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures. All employees have the responsibility to assist in the incident response procedures within their particular areas of responsibility. Some examples of security incidents that an employee might recognize in their day-to-day activities include, but are not limited to:
- Theft, damage, or unauthorized access (e.g., papers missing from their desk, broken locks, missing log files, an alert from a security guard, video evidence of a break-in, or unscheduled/unauthorized physical entry)
- Fraud – Inaccurate information within databases, logs, files, or paper records
Reporting an Incident
The Systems Security Administrator should be notified immediately of any suspected or real security incidents involving cardholder data:
- Contact the Systems Security Administrator to report any suspected or actual incidents. The Internal Audit’s phone number should be well known to all employees and should page someone during non-business hours.
- No one should communicate with anyone outside of their supervisor(s) or the Systems Security Administrator about any details or generalities surrounding any suspected or actual incident. All communications with law enforcement or the public will be coordinated by the Executive Dean of Technology Solutions.
- Document any information you know while waiting for the Systems Security Administrator to respond to the incident. If known, this must include date, time, and the nature of the incident. Any information you can provide will aid in responding in an appropriate manner.
Incident Response
Responses can include or proceed through the following stages: identification, severity classification, containment, eradication, recovery, and root cause analysis resulting in improvement of security controls.
- Contain, Eradicate, Recover, and perform Root Cause Analysis
- Notify applicable card associations.
  - Visa: Provide the compromised Visa accounts to the Visa Fraud Control Group within ten (10) business days. For assistance, contact 1-(650)-432-2978. Account numbers must be securely sent to Visa as instructed by the Visa Fraud Control Group. It is critical that all potentially compromised accounts are provided. Visa will distribute the compromised Visa account numbers to issuers and ensure the confidentiality of entity and non-public information.
  - MasterCard: Contact your merchant bank for specific details on what to do following a compromise. Details on the merchant bank (a.k.a. the acquirer) can be found in the Merchant Manual at link. Your merchant bank will assist when you call MasterCard at 1-(636)-722-4100.
  - Discover Card: Contact your relationship manager or call the support line at [email protected] for further guidance.
- Alert all necessary parties. Be sure to notify:
  - Merchant bank
  - Local FBI Office
  - U.S. Secret Service (if Visa payment data is compromised)
  - Local authorities (if appropriate)
- Perform an analysis of legal requirements for reporting compromises in every state where clients were affected. The following source of information must be used: link
- Collect and protect information associated with the intrusion. In the event that forensic investigation is required, the CIO will work with legal and management to identify appropriate forensic specialists.
- Eliminate the intruder’s means of access and any related vulnerabilities.
- Research potential risks related to or damage caused by intrusion method used.
Root Cause Analysis and Lessons Learned
Not more than one week following the incident, members of IT and all affected parties will meet to review the results of any investigation to determine the root cause of the compromise and evaluate the effectiveness of the Incident Response Plan. Review other security controls to determine their appropriateness for the current risks. Any identified areas in which the plan, policy, or security control can be made more effective or efficient must be updated accordingly.
Security Awareness
Anas Rharrass and Shipping Smile shall establish and maintain a formal security awareness program to make all personnel aware of the importance of cardholder data security. (PCI Requirement 12.6)
Service Providers
Anas Rharrass and Shipping Smile shall implement and maintain policies and procedures to manage service providers. (PCI Requirement 12.8) This process must include the following:
- Maintain a list of service providers (PCI Requirement 12.8.1)
- Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of the cardholder data the service providers possess (PCI Requirement 12.8.2)
- Implement a process to perform proper due diligence prior to engaging a service provider (PCI Requirement 12.8.3)
- Monitor service providers’ PCI DSS compliance status (PCI Requirement 12.8.4)
Employee Acceptable Use Policy for Handling Payment Card Data
Purpose
This policy is designed as a supplement to system policies, procedures, and guidelines for the purpose of addressing PCI DSS SAQ C merchant requirements. This policy applies to all Anas Rharrass and Shipping Smile systems that store, process, or transmit cardholder data and users with access to cardholder data.
Policy
All personnel, whether system employees or contractors, who are authorized to use devices that handle or store cardholder data must adhere to system usage policies, procedures, and guidelines, including Minnesota State system Policy 5.22 Acceptable Use of Computers and Information Technology Resources and Minnesota State system Procedure 5.22.1 Acceptable Use of Computers and Information Technology Resources.
Anas Rharrass and Shipping Smile maintains a list of all devices that handle or store cardholder data, and a list of the personnel that are authorized to use the devices. Devices are labeled with a purpose, an owner, and their contact information. Anas Rharrass and Shipping Smile maintains a list of all products and service providers.
Policies and procedures are maintained and implemented to manage service providers that handle Anas Rharrass and Shipping Smile’s cardholder data. When cardholder data is shared with service providers, Anas Rharrass and Shipping Smile requires written acknowledgement that security of the data is the responsibility of the provider. A program is implemented to monitor service providers’ compliance with PCI DSS.
Access Control
Purpose
This policy is designed as a supplement to system policies, procedures, and guidelines for the purpose of addressing PCI DSS SAQ C merchant requirements. This policy applies to all Anas Rharrass and Shipping Smile systems that store, process, or transmit cardholder data and users with access to cardholder data.
Policy
All systems in the payment processing environment must be protected by a unique username and password for each user. A unique user account means that every account is associated with a single individual or process; generic group accounts shared by more than one user or process must not be used.