This policy is intended to convey the importance of security and of protecting cardholder data. Its purposes are:
- To establish Recover Roofing & Reconstruction Service's policy for the secure handling of sensitive cardholder data, including but not limited to magnetic stripe data, cardholder name, Primary Account Numbers (PANs), expiration date, and service code.
- To establish the policies and procedures for managing the relationship(s) with Service Providers.
This policy applies to all employees and systems of Recover Roofing & Reconstruction.
Policies to Restrict Physical Access to Cardholder Data
The importance of protecting cardholder data is paramount. Data theft or destruction, inadvertent sharing of confidential information, infection of company networks with viruses, misuse of company resources, theft of company property, and compromise of private or confidential company or client information are all very real examples of what can result from a security compromise.
1.0 All paper that contains cardholder data is to be identified and physically secured in a locked drawer. No electronic cardholder data will ever be stored.
2.0 Strict control is to be maintained over the internal or external distribution of any kind of media that contains cardholder data:
- Media is classified and clearly marked as confidential.
- Media is sent by secured courier or another delivery method that can be accurately tracked.
3.0 Management approval is to be obtained prior to moving any media containing cardholder data from a secured area.
4.0 Strict control must be maintained over the storage and accessibility of media that contains cardholder data. Only senior management, or their designates, will have access to media containing cardholder data.
5.0 Media containing cardholder data is to be destroyed when it is no longer needed for business or legal reasons.
- Paper materials are to be shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.
- The general rule is that media containing cardholder data will be destroyed when over 180 days old. Exceptions to this rule must be approved by senior management.
Policies that Address Information Security for Contractors and Service Providers
1.0 A list of Service Providers must be maintained. This list will be updated and reviewed by senior management when necessary, but at least every 180 days.
2.0 A written agreement is required from each Service Provider, including an acknowledgment that the Service Provider is responsible for the security of any cardholder data it possesses.
3.0 Due diligence is to be performed prior to the engagement of Service Providers. Procedures performed will include, when possible:
- A visit to the Service Provider's physical offices to discuss security practices and procedures with their management and staff.
- A written statement acknowledging their responsibilities to securely process, handle, and transmit cardholder data.
- Written proof that the Service Provider is PCI compliant.
- A request for reliable industry references.
4.0 A program is to be maintained to monitor Service Providers' PCI DSS compliance status. On an annual basis, a new compliance certificate will be requested from each Service Provider.
Senior Management Approval:
Name: Conan Primm
Date: April 7, 2017