Information Security Policy
Introduction
To safeguard Focused Driven Compliance Advisors, LLC’s information technology resources and to protect the confidentiality of data, adequate security measures must be taken. This Information Security Policy reflects Focused Driven Compliance Advisors, LLC’s commitment to comply with required standards governing the security of sensitive and confidential information.
Focused Driven Compliance Advisors, LLC can minimize inappropriate exposures of confidential or sensitive information, loss of data and inappropriate use of computer networks and systems by complying with reasonable standards (such as Payment Card Industry Data Security Standard), attending to the proper design and control of information systems, and applying sanctions when violations of this security policy occur.
Security is the responsibility of everyone who uses Focused Driven Compliance Advisors, LLC’s information technology resources. It is the responsibility of employees, contractors, business partners, and agents of Focused Driven Compliance Advisors, LLC. Each should become familiar with this policy’s provisions and the importance of adhering to it when using Focused Driven Compliance Advisors, LLC’s computers, networks, data and other information resources. Each is responsible for reporting any suspected breaches of its terms. As such, all information technology resource users are expected to adhere to all policies and procedures mandated by Focused Driven Compliance Advisors, LLC.
Purpose / Scope
The primary purpose of this security policy is to establish rules to ensure the protection of confidential or sensitive information and to ensure protection of Focused Driven Compliance Advisors, LLC’s information technology resources. The policy assigns responsibility and provides guidelines to protect Focused Driven Compliance Advisors, LLC’s systems and data against misuse or loss.
This security policy applies to all users of computer systems, centrally managed computer systems, or computers that are authorized to connect to Focused Driven Compliance Advisors, LLC’s data network. It may apply to users of information services operated or administered by Focused Driven Compliance Advisors, LLC (depending on access to sensitive data, etc.). Individuals working for institutions affiliated with Focused Driven Compliance Advisors, LLC are subject to these same definitions and rules when they are using Focused Driven Compliance Advisors, LLC’s information technology resources.
This security policy applies to all aspects of information technology resource security including, but not limited to, accidental or unauthorized destruction, disclosure or modification of hardware, software, networks or data.
This security policy has been written to specifically address the security of Credit Card Data used by Focused Driven Compliance Advisors, LLC.
Credit card data stored, processed or transmitted with Focused Driven Compliance Advisors, LLC’s Merchant ID must be protected, and security controls must conform to the Payment Card Industry Data Security Standard (PCI DSS).
Cardholder data within this document is defined as the full Primary Account Number (PAN) which may also appear in conjunction with Cardholder Name, Service Code, or Expiration date. Sensitive Authentication Data within this document is defined as the Card Validation Code (CVC, CVV2, CID, CAV2 and CVC2), Credit Card PIN, and any form of magnetic stripe data from the card (Track 1, Track 2). Account Data within this document is defined by any combination of Cardholder Data and Sensitive Authentication Data.
Security Policy Ownership and Responsibilities
It is the responsibility of the custodian(s) of this security policy to publish and disseminate these policies to all relevant Focused Driven Compliance Advisors, LLC system users (including vendors, contractors, and business partners). In addition, the custodian(s) must see that the security policy addresses and complies with all standards Focused Driven Compliance Advisors, LLC is required to follow (such as the PCI DSS). This policy document will also be reviewed at least annually by the custodian(s) (and any relevant data owners) and updated as needed to reflect changes to business objectives or the risk environment.
Questions or comments about this policy should be directed to the custodian(s) at info@focuseddrivencompliance.com or by calling 833-233-2777.
Additional Process and Standards Documents Referenced by this Security Policy
This policy document defines the Focused Driven Compliance Advisors, LLC security policies relating to the protection of sensitive data and particularly credit card data. Details on Focused Driven Compliance Advisors, LLC standards and procedures in place to allow these policies to be followed are contained in other documents referenced by this policy. Table 2 lists other documents that accompany this security policy document, which help define Focused Driven Compliance Advisors, LLC data security best practices.
Table 2 – Security Process and Standards Documents Referenced by Policy
Note: The document name references contained in this table and in footnotes throughout this security policy should be replaced with the company-specific standards document name.
Document Name | Location or Custodian
System Hardening and Configuration Standards | info@focuseddrivencompliance.com
Full Data Retention and Storage Procedures | info@focuseddrivencompliance.com
Vulnerability Discovery and Risk Ranking Process | info@focuseddrivencompliance.com
Operating Procedures | info@focuseddrivencompliance.com
Service Provider Compliance Validation Process | info@focuseddrivencompliance.com
Incident Response Plan | info@focuseddrivencompliance.com
2 Secure Configurations are applied to all system components
2.2 System components are configured and managed securely
To ensure that system components are configured consistently and securely, and to reduce the opportunities available to an attacker, Focused Driven Compliance Advisors, LLC securely configures and manages system components as follows:
● Configuration standards shall be developed, implemented, and maintained to:
○ Cover all system components.
○ Address all known security vulnerabilities.
○ Be consistent with industry-accepted system hardening standards or vendor hardening recommendations.
○ Be updated as new vulnerability issues are identified, as defined in PCI DSS Requirement 6.3.1.
○ Be applied when new systems are configured and verified as in place before or immediately after a system component is connected to a production environment. (PCI DSS Requirement 2.2.1)
● When a vendor default account(s) is used, the default password should be changed per PCI DSS Requirement 8.3.6.
● If a vendor default account(s) is not used, the account should be removed or disabled. (PCI DSS Requirement 2.2.2)
Protect Stored Cardholder Data
Note: The following section applies to merchants with paper records that include stored cardholder account data (for example, receipts or printed reports).
3.1 Processes and mechanisms for protecting stored account data are defined and understood
Focused Driven Compliance Advisors, LLC ensures documented processes and mechanisms for applying secure configurations to all system components are defined and understood, as follows:
● All security policies and operational procedures that are identified in this section shall be documented, kept up to date, in use, and known to all affected parties. (PCI DSS Requirement 3.1.1)
● Roles and responsibilities for performing activities in this section shall be documented, assigned, and understood.
3.2 Storage of account data is kept to a minimum
To ensure that sensitive data is securely destroyed or deleted as soon as it is no longer needed, Focused Driven Compliance Advisors, LLC maintains a formal data retention policy that identifies what data needs to be retained, for how long, and where that data resides, as follows:
● Account data storage shall be kept to a minimum through implementation of data retention and disposal policies, procedures, and processes that include at least the following:
○ Coverage for all locations of stored account data.
○ Coverage for any sensitive authentication data (SAD) stored prior to completion of authorization.
Note: The previous bullet is a best practice until 31 March 2025, after which it will be required as part of Requirement 3.2.1 and must be fully considered during a PCI DSS assessment.
○ Limiting data storage amount and retention time to that which is required for legal or regulatory, and/or business requirements.
○ Specific retention requirements for stored account data that define the length of the retention period and include a documented business justification.
○ Processes for secure deletion or rendering account data unrecoverable when no longer needed per the retention policy.
○ A process for verifying, at least once every three months, that stored account data exceeding the defined retention period has been securely deleted or rendered unrecoverable. (PCI DSS Requirement 3.2.1)
6 Development and Maintenance of Secure Systems and Software
All system components must have appropriate software patches to protect against the exploitation and compromise of account data by malicious individuals and malicious software.
Appropriate software patches must be evaluated and tested sufficiently to determine that the patches do not conflict with existing security configurations. For bespoke and custom software, numerous vulnerabilities can be avoided by applying software lifecycle (SLC) processes and secure coding techniques.
6.3 Security Vulnerabilities are Identified and Addressed
● Focused Driven Compliance Advisors, LLC will identify and manage security vulnerabilities as follows: (PCI DSS Requirement 6.3.1)
○ New security vulnerabilities are identified using industry-recognized sources for security vulnerability information, including alerts from international and national computer emergency response teams (CERTs).
○ Vulnerabilities are assigned a risk ranking based on industry best practices and consideration of potential impact.
○ Risk rankings identify, at a minimum, all vulnerabilities considered to be high-risk or critical to the environment.
○ Vulnerabilities for bespoke and custom software and for third-party software (for example, operating systems and databases) are covered.
● All system components are protected from known vulnerabilities by installing applicable security patches/updates as follows: (PCI DSS Requirement 6.3.3)
○ Critical or high-security patches/updates (identified according to the risk ranking process at Requirement 6.3.1) are installed within one month of release.
○ All other applicable security patches/updates are installed within an appropriate time frame as determined by Focused Driven Compliance Advisors, LLC (for example, within three months of release).
6.4 Protection of Public-Facing Web Applications Against Attacks
● All payment page scripts that are loaded and executed in the consumer’s browser are managed as follows: (PCI DSS Requirement 6.4.3)
○ A method is implemented to confirm that each script is authorized.
○ A method is implemented to assure the integrity of each script.
○ An inventory of all scripts is maintained with written justification as to why each is necessary.
Note: This is a future-dated PCI DSS Requirement effective after 31 March 2025. This new requirement will replace Requirement 6.4.1 once its effective date is reached. (See PCI DSS Requirements 6.4.2 and 6.4.3.) Please update this bullet point to reflect how your company is addressing this requirement and then remove this “Note”.
8 Identify and Authenticate Access to System Components
It is critical to assign a unique identification (ID) to each person with access to critical systems or software. This ensures that each individual is uniquely accountable for his or her actions. When such accountability is in place, actions taken on critical data and systems are performed by, and can be traced to, known and authorized users. Detailed authentication procedures should be developed and documented to meet the following policies.
8.2 User Identification and Related Accounts for Users and Administrators are Strictly Managed throughout an Account’s Lifecycle
● Assign all users a unique ID before granting access to system components or cardholder data. (PCI DSS Requirement 8.2.1)
● Only use group, shared, or generic accounts, or other shared authentication credentials, when necessary, on an exception basis and manage as follows: (PCI DSS Requirement 8.2.2)
○ Account use is prevented unless needed for an exceptional circumstance.
○ Use is limited to the time needed for the exceptional circumstance.
○ Business justification for use is documented.
○ Use is explicitly approved by management.
○ Individual user identity is confirmed before access to an account is granted.
○ Every action taken is attributable to an individual user.
● Immediately revoke access for terminated users. (PCI DSS Requirement 8.2.5)
8.3 Authentication for Users and Administrators
● All user access to system components for users and administrators is authenticated via at least one of the following authentication factors: (PCI DSS Requirement 8.3.1)
○ Something you know, like a password or passphrase.
○ Something you have, like a token device or smart card.
○ Something you are, like a biometric element.
● When passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they are set and reset for each user as follows: (PCI DSS Requirement 8.3.5)
○ Set to a unique value for first-time use and upon reset.
○ Forced to be changed immediately after the first use.
● When passwords/passphrases are used as authentication factors to meet Requirement 8.3.1, they must meet the following minimum level of complexity: (PCI DSS Requirement 8.3.6)
○ A minimum length of 12 characters (or, if the system does not support 12 characters, a minimum length of 8 characters).
○ Contain both numeric and alphabetic characters.
● Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases they have used. (PCI DSS Requirement 8.3.7)
● When passwords/passphrases are used as the only authentication factor for user access (i.e., in any single-factor authentication implementation) then either: (PCI DSS Requirement 8.3.9)
○ Passwords/passphrases are changed at least once every 90 days, OR
○ The security posture of accounts is dynamically analyzed, and real-time access to resources is automatically determined accordingly.
○ Factors are assigned to an individual user and not shared among multiple users.
○ Physical and/or logical controls ensure only the intended account can use that factor to gain access.
9 Restrict Physical Access to Cardholder Data
Any physical access to locations that house cardholder data provides the opportunity for individuals to access data and to remove hard copies, and should be appropriately restricted. Detailed physical security procedures should be developed and documented to meet the following policies.
Note: For the purposes of Requirement 9, “onsite personnel” refers to full-time and part-time employees, temporary employees, contractors, and consultants who are physically present on Focused Driven Compliance Advisors, LLC’s premises. A “visitor” refers to a vendor, a guest of any onsite personnel, service workers, or anyone who needs to enter the facility for a short duration, usually not more than one day. “Media” refers to all paper media containing cardholder data.
9.4 Securely Store, Access, Distribute, and Destroy Media with Cardholder Data
● Focused Driven Compliance Advisors, LLC will define specific procedures to physically secure all media, including, but not limited to, paper receipts and paper reports. (PCI DSS Requirement 9.4.1)
● Store media backups in a secure location, preferably an off-site facility such as an alternate or backup site or a commercial storage facility, and review the security of storage locations at least once every 12 months. (PCI DSS Requirement 9.4.1.1)
● Classify all media with cardholder data in accordance with the sensitivity of the data. (PCI DSS Requirement 9.4.2)
● Maintain strict control over the external distribution of media with cardholder data, including the following: (PCI DSS Requirement 9.4.3)
○ Media sent outside the facility is logged.
○ Media is sent by secured courier or another delivery method that can be accurately tracked.
○ Logs show management approval and tracking information, and media transfer logs are retained.
○ Management approves all media with cardholder data that is moved from a secured area, including when media is distributed to individuals. (PCI DSS Requirement 9.4.4)
● Destroy hard-copy materials containing cardholder data when they are no longer needed for business or legal reasons, as follows: (PCI DSS Requirement 9.4.6)
○ Materials are cross-cut shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.
○ Materials are stored in secure storage containers prior to destruction.
11 Regularly Test Security Systems and Processes
Vulnerabilities are continually being introduced by new software and discovered in current software. System components, processes, and bespoke and custom software must be tested frequently to ensure security controls continue to reflect a changing environment. Detailed testing procedures should be developed and documented to meet the following policies.
11.3 Vulnerability Assessment Scans
● External vulnerability assessment scans must be performed at least every three months and after any significant change in the cardholder data environment (for example, changes in firewall rules or upgrades to products within the environment). (PCI DSS Requirement 11.3)
● External vulnerability scans must: (PCI DSS Requirement 11.3.2)
○ Be performed at least every three months, and after any significant change.
○ Be performed by an Approved Scanning Vendor (ASV) approved by the Payment Card Industry Security Standards Council (PCI SSC), or by qualified personnel (if the scan is performed after any significant change).
○ Be rerun as needed to confirm that vulnerabilities are resolved per the ASV Program Guide requirements for a passing scan.
○ Contain no vulnerabilities that are scored 4.0 or higher by the CVSS.
○ Run on all external IP addresses that could be used to gain access to the cardholder data environment. (PCI DSS Requirement 11.3)
● Ensure that the results of each quarter’s internal and external vulnerability assessments are documented and retained for review. (PCI DSS Requirement 11.3)
11.6 Change Detection on Payment Pages
● Deploy a change-detection mechanism to alert personnel to unauthorized modification (including indicators of compromise, changes, additions, and deletions) of the HTTP headers and the contents of payment pages as received by the consumer browser. This mechanism is configured to evaluate the received HTTP headers and payment page at least once every seven days, or periodically at a defined frequency that is the result of a targeted risk analysis performed according to all elements specified in Requirement 12.3.1. (PCI DSS Requirement 11.6.1)
Note: This is a future-dated PCI DSS Requirement effective after 31 March 2025. Please update this bullet point to reflect how your company is addressing this requirement and then remove this “Note”.
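An added illustration of the kind of control Requirements 6.4.3 and 11.6.1 describe (example code written for this page, not Focused Driven Compliance Advisors, LLC’s own tooling): it reduces a fetched payment page to its monitored response headers and an inventory of script elements, compares that against an approved baseline, and reports changed headers, scripts missing from the written inventory, removed scripts, and other content changes. The monitored header list, the sample pages and headers, and the inventory entries are all constructed for the example.

```python
import hashlib
from html.parser import HTMLParser

# Response headers whose change on a payment page warrants review
# (assumed list for this example; tune per environment).
MONITORED_HEADERS = ("content-security-policy", "strict-transport-security",
                     "x-frame-options")

class _ScriptCollector(HTMLParser):
    """Collect 'src:<url>' for external scripts, 'inline:<sha256>' for inline ones."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], None  # _inline buffers an open <script>

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append("src:" + src)
            else:
                self._inline = []

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).encode()
            self.scripts.append("inline:" + hashlib.sha256(body).hexdigest())
            self._inline = None

def snapshot(headers, body):
    """Reduce a fetched page to the fields the policy asks to monitor."""
    lower = {k.lower(): v for k, v in headers.items()}
    parser = _ScriptCollector()
    parser.feed(body)
    return {"headers": {h: lower.get(h) for h in MONITORED_HEADERS},
            "scripts": sorted(parser.scripts),
            "body_sha256": hashlib.sha256(body.encode()).hexdigest()}

def compare(baseline, current, inventory):
    """Findings: changed headers, scripts outside the approved inventory,
    removed scripts, and any other change to the page content."""
    findings = [f"header changed: {h}" for h in MONITORED_HEADERS
                if baseline["headers"][h] != current["headers"][h]]
    findings += [f"script not in approved inventory: {s}"
                 for s in current["scripts"] if s not in inventory]
    findings += [f"script removed: {s}"
                 for s in baseline["scripts"] if s not in current["scripts"]]
    if (current["body_sha256"] != baseline["body_sha256"]
            and current["scripts"] == baseline["scripts"]):
        findings.append("page content changed outside script elements")
    return findings

# Constructed sample pages and headers (not real responses).
INLINE_JS = "window.cfg={env:'prod'};"
BASELINE_HTML = ('<html><body><script src="/js/checkout.js"></script>'
                 f"<script>{INLINE_JS}</script></body></html>")
TAMPERED_HTML = BASELINE_HTML.replace("</body>",
    '<script src="https://cdn.example.invalid/extra.js"></script></body>')
BASE_HEADERS = {"Content-Security-Policy": "script-src 'self'",
                "Strict-Transport-Security": "max-age=31536000",
                "X-Frame-Options": "DENY"}
# Approved inventory, keyed by script identity, with the written justification.
INVENTORY = {"src:/js/checkout.js": "tokenizes card fields",
             "inline:" + hashlib.sha256(INLINE_JS.encode()).hexdigest():
                 "sets environment flag"}

def run_check():
    """Evaluate a page missing X-Frame-Options and carrying an extra script."""
    base = snapshot(BASE_HEADERS, BASELINE_HTML)
    weakened = {k: v for k, v in BASE_HEADERS.items() if k != "X-Frame-Options"}
    return compare(base, snapshot(weakened, TAMPERED_HTML), INVENTORY)
```

In practice the baseline would be captured from the approved page and stored, and `snapshot` would be fed what the consumer's browser actually receives (headers and body of the live response) on the schedule the requirement sets.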
Maintain an Information Security Policy
Without strong security policies and procedures, many of the layers of security controls become ineffective at preventing data breach. Unless consistent policy and practices are adopted and followed at all times, security controls break down due to inattention and poor maintenance. The following documentation policies address maintaining the Focused Driven Compliance Advisors, LLC security policies described in this document.
12 Support Information Security with Organizational Policies and Programs
A strong security policy sets the security tone for Focused Driven Compliance Advisors, LLC and informs employees and vendors what is expected of them. All employees and vendors should be aware of the sensitivity of data and their responsibilities for protecting it.
Note: For the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees, contractors, and consultants with security responsibilities for protecting account data or that can impact the security of account data.
12.8 Policies for Working with Third Party Service Providers (TPSPs)
● To conform to industry best practices, due diligence must be performed before engaging new service providers, and current service providers that store, process, or transmit cardholder data on Focused Driven Compliance Advisors, LLC’s behalf must be monitored. Service providers that could affect cardholder data are also in scope of this policy.
● Focused Driven Compliance Advisors, LLC shall maintain a documented list of all applicable service providers in use and the services they provide. (PCI DSS Requirement 12.8.1)
● A written agreement with all applicable service providers is required and must include an acknowledgement of the service providers’ responsibility for securing all cardholder data they receive from or on behalf of Focused Driven Compliance Advisors, LLC, or to the extent that they could affect the security of a cardholder data environment. (PCI DSS Requirement 12.8.2) In addition, the service provider must agree to provide compliance validation evidence on an annual basis. (PCI DSS Requirement 12.8.4) Prior to engaging with an applicable service provider, a thorough due diligence process should be followed. (PCI DSS Requirement 12.8.3)
● Focused Driven Compliance Advisors, LLC shall review the PCI DSS attestation of compliance form(s) for its third-party service providers and confirm that the third-party service providers are PCI DSS compliant for the services being used by the merchant. (PCI DSS Requirement 12.8.4)
● Focused Driven Compliance Advisors, LLC shall maintain a list of which PCI DSS requirements are managed by each service provider, which are managed by Focused Driven Compliance Advisors, LLC, and any that are shared between the service provider and Focused Driven Compliance Advisors, LLC. (PCI DSS Requirement 12.8.5)
12.10 Incident Response Plan Policies
Incidents or suspected incidents regarding the security of the Cardholder Data Environment or cardholder data itself must be handled quickly and in a controlled, coordinated and specific manner. An incident response plan (IRP) must be developed and followed in the event of a breach or suspected breach. The following policies specifically address the Focused Driven Compliance Advisors, LLC IRP:
● Focused Driven Compliance Advisors, LLC must maintain a documented IRP and be prepared to respond immediately to a system breach. (PCI DSS Requirement 12.10)
● The IRP must clearly define roles and responsibilities for response team members. (PCI DSS Requirement 12.10.1)
● The IRP must define contact/communication strategies to be used in the event of a compromise including notification of payment brands. (PCI DSS Requirement 12.10.1)
● The IRP must define specific incident response procedures to be followed for different types of incidents. (PCI DSS Requirement 12.10.1)
● The IRP must document business recovery and continuity procedures. (PCI DSS Requirement 12.10.1)
● The IRP must detail all data backup processes. (PCI DSS Requirement 12.10.1)
● The IRP must contain an analysis of all legal requirements for reporting compromises of cardholder data (for example, California Bill 1386 which requires notification of affected consumers in the event of an actual or suspected compromise of California residents’ data). (PCI DSS Requirement 12.10.1)
● The IRP must address coverage and responses for all critical system components. (PCI DSS Requirement 12.10.1)
● The IRP must include or reference the specific incident response procedures from the payment brands. (PCI DSS Requirement 12.10.1)