Rezgo is committed to meeting the Data Security Standard of the Payment Card Industry Council. To that end, we have adopted the following security policy. This policy states requirements for the protection of sensitive data according to the PCI Data Security Standard (Version 1.2 is current upon the publication date of this policy).
This policy applies to all employees of Rezgo and to all others given use of, or having access to, sensitive data.
This security policy applies to sensitive data stored, processed and transmitted within or among any and all Rezgo information systems, whether individually controlled or shared, stand-alone or networked, and all computer systems and communication facilities owned, leased and operated by or on behalf of Rezgo. This includes, at minimum, networking devices, mainframes, workstations, personal computers, smart phones, telephones, wireless devices and any associated peripheral equipment and software.
Restrict Physical Access to Cardholder Data
Physical access to all credit-card data must be restricted, using appropriate building access controls to limit and monitor physical access to restricted credit-card data. Required measures include:
- Video monitoring of all areas where credit-card data is handled or stored;
- Storage of access log data for at least three months;
- Restriction of physical access to publicly accessible computer network access points, including wireless access points;
- Visitors must be authorized before entering areas where credit-card data is handled or stored;
- Visitors must receive a form of physical identification that identifies them as visitors;
- A visitor log to maintain a physical audit trail of visitor activity. The log must be retained for a minimum of three months;
- Secure destruction of media containing credit-card data:
  - Paper: cross-cut shred, incinerate or pulp;
  - Electronic media: securely overwrite data, degauss, shred or otherwise completely destroy.
Rezgo maintains a variety of documents in the course of conducting daily business. Some of these documents may contain sensitive data or references to information that could provide access to sensitive data. Access to these documents is explicitly restricted to a “need to know” basis, and all unauthorized access or sharing of restricted information may be met with disciplinary and/or legal action.
Install and Maintain a Firewall Configuration to Protect Data
Use a firewall at each Internet connection point on the company network.
Develop and document a firewall configuration that denies all traffic from nontrusted networks and hosts, except for those protocols necessary for the secure transmission of credit-card data;
Develop and maintain a list of network services and ports required for business purposes;
Develop and maintain a network diagram with all connections to credit-card-related data, including a diagram for any wireless networks;
List justifications for any open protocols aside from hypertext transfer protocol (HTTP), secure sockets layer (SSL), secure shell (SSH) and virtual private network (VPN);
Develop and maintain documentation that justifies any open firewall ports that could be considered a risk to network security;
Develop and maintain a router-configuration diagram that demonstrates restricted access between public networks and any company computer system that stores credit-card data;
Document personal computer firewall requirements;
Prohibit direct public access between external networks and any system component that stores credit-card-related data (for example, databases, logs and trace files);
Document all firewall rule sets.
Do not use Vendor-Supplied Defaults for System Passwords and Other Security Parameters
Prohibit the use of vendor-supplied default settings and remove unnecessary functionality supplied by vendors and prepackaged software solutions that could create a security vulnerability.
Always change vendor-supplied default settings before installing a system on the company network, including passwords and simple network management protocol (SNMP) community strings, and delete unnecessary system accounts;
Document standards for system builds;
Document all enabled services, daemons and protocols on servers;
Document all security parameters enabled on each server;
Remove any unnecessary functionality, such as features, scripts, drivers, file systems and unnecessary Web servers;
Document all applications installed on each company server;
Allow only ONE primary function for each company server (example: Web servers, database servers and domain name system (DNS) services should NOT be implemented in any combination on the same server).
Encrypt Transmission of Cardholder Data and Sensitive Information Across Public Networks
Transmission of credit-card data across open, public networks must be encrypted, including the use of e-mail encryption software by employees. Cryptography is to be applied as defined by the PCI DSS 1.2 Glossary.
Maintain a documented list of URL(s) used for transactions or passing credit-card-related information.
Encrypt all wireless traffic used for transmitting credit-card data.
Encrypt credit-card data transmissions using Wi-Fi Protected Access (WPA or WPA2) technology, IPsec VPN, or SSL/TLS. Never use Wired Equivalent Privacy (WEP) to protect the confidentiality of, or access to, a wireless network.
Document any current e-mail encryption software being used by employees, if any credit-card data is to be transmitted via e-mail communications.
Use and Regularly Update Anti-Virus Software
Use anti-virus software or programs and regular anti-virus signature updates, and document this use.
Document current use of virus protection software;
Document that installed anti-virus programs can detect and protect against other forms of malicious software (malware), including spyware and adware;
Maintain a copy of anti-virus logs and reports.
Develop and Maintain Secure Systems and Applications
Develop and maintain secure computer systems and software applications, and ensure that security measures are included for new or upgraded systems and applications.
Maintain separate development, test and production (live) environments.
Separate the duties of those who work on the development, test and production environments.
Remove all custom accounts, usernames and passwords before a system goes live.
Do not use “live” data from production systems for testing or development of new systems.
Remove all test data and test accounts from production systems before they go live.
Keep a copy of the last formal code review report for in-house created systems and applications.
Restrict Access to Data to a Need-to-Know Basis
Access to all credit-card data must be restricted strictly on a need-to-know basis, limiting access to only those employees who must access the data to perform their job duties.
Install and maintain access controls that restrict computer user access to only those systems and resources required for performing their jobs.
Maintain access logs that show which employees had access to what data, and when, for all computer systems.
Assign a Unique ID to Each Person With Computer Access
Each person with computer access MUST be assigned a unique account ID with a password known only to that individual.
Passwords must change every 90 days.
Passwords must be a minimum of 7 characters, containing numeric, alphabetic and special characters.
New passwords cannot be the same as previous passwords.
If a user tries to log in but is unsuccessful after six attempts, that user account must be automatically locked out for 30 minutes or until a system administrator is contacted to manually unlock the account.
Set a computer idle lockout time of 15 minutes and require a password to regain access to the computer.
Maintain a list of any inactive accounts.
Retain a record of all employees with computer access for six months.
Ensure that no shared accounts and passwords exist on any computer systems.
Track and Monitor all Access to Network Resources and Cardholder Data
All access to Rezgo network and cardholder data must be tracked and monitored for any signs of suspicious or unauthorized activity.
Capture system logs and maintain log records for 12 months.
Monitor system logs daily or use automated alerting mechanisms to ensure that suspicious or unauthorized activity is quickly detected.
Respond swiftly to any indications of suspicious or unauthorized activity.
Protect Stored Data
Stored credit-card data must be protected from unauthorized use at all times.
- Do not allow the display of personal account numbers in full; display of the first six and/or the last four digits is permissible.
- If personal account numbers must be stored, they must be protected in one of four ways:
  - Strong encryption with secure encryption key management
  - Truncation of account number
  - Strong one-way hash
  - Use of index tokens and pads
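The display, truncation and one-way-hash forms listed above, worked through in Python as an added example (not part of the Rezgo policy), together with a log-line redactor so the access logs retained under this policy never carry a full account number. The sample account number is the well-known 4111... test value, the log line is constructed, and the HMAC key is a placeholder standing in for a key held in key management.

```python
import hashlib
import hmac
import re

# 13-19 digit runs bounded by non-digits: candidate account numbers in free text
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Display form: keep at most the first six and last four digits, mask the rest."""
    if not (13 <= len(pan) <= 19 and pan.isdigit() and luhn_valid(pan)):
        raise ValueError("not a plausible account number")
    if first > 6 or last > 4:
        raise ValueError("policy permits at most the first six and last four digits")
    return pan[:first] + "*" * (len(pan) - first - last) + pan[len(pan) - last:]


def truncate_pan(pan: str) -> str:
    """Storage form: only the last four digits are kept; the rest is discarded, not masked."""
    return pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256) for matching stored records to an account number.
    Valid account numbers form a small enough space to enumerate, so an unkeyed hash
    would be reversible by brute force; the key belongs in key management, never
    stored beside the hashes."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def redact_log_line(line: str) -> str:
    """Mask every Luhn-valid 13-19 digit run in a log line before the line is stored."""
    return PAN_RE.sub(
        lambda m: mask_pan(m.group()) if luhn_valid(m.group()) else m.group(), line)


# Constructed sample values: a standard test account number and a made-up log line
SAMPLE_PAN = "4111111111111111"
SAMPLE_LOG = "2024-01-01T12:00:00Z booking=8827 pan=4111111111111111 status=ok"
HMAC_KEY_PLACEHOLDER = b"replace-with-key-from-key-management"
```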
OUR SERVICE PROVIDERS
Closely manage all third-party service providers and partners to ensure that all business conducted on Rezgo’s behalf is performed to the PCI DSS requirements and standards.
All new contracts must be reviewed from a security perspective to ensure that services provided by third parties will be rendered in a PCI-compliant manner.
All existing contracts should be reviewed at least annually and updated as needed to ensure that third-party services continue to meet PCI requirements.
Where possible, conduct an on-site inspection of any potential new third party or partner and document the state of secure data practices.
OUR SECURITY PROGRAM
Regularly Test Security Systems and Processes
All Rezgo systems must be tested quarterly to ensure that security systems and processes are in place and performing as needed.
Develop and maintain a security-breach-response plan, and test the plan at least annually.
Perform internal and external vulnerability scans of all systems connected to the cardholder data environment, per current PCI DSS requirements.
Ensure that all credit-card data is completely destroyed (degauss disks, shred paper) once the data or the medium that the data resides upon is no longer needed for clear business purposes.
Maintain a Security Policy That Addresses Information Security
The Rezgo information security policy is to be reviewed and updated as needed at least annually by Rezgo management.
Rezgo will train all new employees on data security practices to a level appropriate for their job positions.
All employees will receive security awareness training at least annually, and all employees must sign this policy to indicate that the policy is understood and will be abided by.
Background checks are suggested for all employees with access to one credit-card number at a time, and mandatory for all employees with access to multiple credit card numbers at a time in performing their duties.
When an employee moves to a new position within Rezgo, a review of the employee’s new role and the sensitive-data access it requires will be conducted. Access to sensitive data may be granted or revoked on a need-to-know basis according to the new job duties. A background check may also be required for a current employee moving from a role where no access to sensitive data was required to a role that necessitates access to sensitive data.