NOTE: Since this policy was implemented, in 2016 we put in place a system of physical checks of our card payment processing hardware (ie our PDQ machine), including verification of its model and serial numbers, to ensure that the machine has not been tampered with or replaced by unauthorised persons.
Scope of Compliance
The PCI requirements apply to all systems that store, process or transmit cardholder data. Currently, Hygeia’s cardholder environment consists only of a standalone dial-out terminal and does not include storage of cardholder data on any computer system.
Due to the limited nature of the environment, this policy is designed to meet PCI requirements as defined in Self-Assessment Questionnaire (SAQ) B, version 2.0, October 2010. Should Hygeia implement additional acceptance channels, begin storing, processing or transmitting cardholder data in electronic format, or otherwise become ineligible to validate compliance under SAQ B, it will be the responsibility of the Practice Director, Neil Phillips, to determine the appropriate compliance criteria and implement additional policies and controls as needed.
Requirement 3: Protect Stored Cardholder Data
We do not retain sensitive authentication data post-authorisation. Team members are instructed not to record such information. If any such information is written down, it is immediately shredded so that it is unrecoverable. [PCI Requirement 3.2]
Payment systems adhere to the following requirements regarding non-storage of sensitive authentication data after authorisation (even if encrypted):
The full contents of any track from the magnetic stripe (located on the back of a card), or equivalent data contained on a chip or elsewhere, are not stored under any circumstances. [PCI Requirement 3.2.1]
The card verification code or value is not stored under any circumstances. [PCI Requirement 3.2.2]
Neither the PIN nor the encrypted PIN block are stored under any circumstances. [PCI Requirement 3.2.3]
Hygeia will mask the display of PANs (Primary Account Numbers) and limit the viewing of PANs to only those team members and other parties with a legitimate need. A properly masked PAN will show only the first six and last four digits. [PCI Requirement 3.3]
Requirement 4: Encrypt Transmission of Cardholder Data Across Open, Public Networks
Sending unencrypted PANs by end-user messaging technologies is prohibited. Examples of end-user technologies include email, instant messaging and chat. [PCI Requirement 4.2]
Requirement 7: Restrict Access to Cardholder Data by Business Need to Know
Access to Hygeia’s cardholder system components and data is limited to only those individuals whose jobs require such access. [PCI Requirement 7.1]
Access limitations include the following:
Access rights for privileged user IDs must be restricted to the least privileges necessary to perform job responsibilities. [PCI Requirement 7.1.1]
Privileges must be assigned to individuals based on job classification and function. [PCI Requirement 7.1.2]
Requirement 9: Restrict Physical Access to Cardholder Data
Hard copy materials containing confidential or sensitive information (eg paper receipts, paper reports, etc) are subject to the following storage guidelines:
All media must be physically secured. [PCI Requirement 9.6]
Strict control must be maintained over the internal or external distribution of any kind of media containing cardholder data. These controls include the following: media must be classified so that the sensitivity of the data can be determined [PCI Requirement 9.7.1], and media must be sent by a secure carrier or other delivery method that can be accurately tracked [PCI Requirement 9.7.2].
Logs must be maintained to track all media that is moved from a secured area and management approval must be obtained prior to moving the media. [PCI Requirement 9.8]
Strict control must be maintained over the storage and accessibility of media containing cardholder data. [PCI Requirement 9.9]
All media containing cardholder data must be destroyed when no longer needed for business or legal reasons. [PCI Requirement 9.10]
Hard copy media must be destroyed by shredding, incineration or pulping so that cardholder data cannot be reconstructed. Containers holding material awaiting destruction must be secured to prevent access to the contents. [PCI Requirement 9.10.1]
Requirement 12: Maintain a Policy that Addresses Information Security for Employees and Contractors
Hygeia will establish, publish, maintain and disseminate a security policy that addresses how the business will protect cardholder data. [PCI Requirement 12.1]
The policy will be reviewed at least annually and will be updated as necessary to reflect changes to business objectives or the risk environment. [PCI Requirement 12.1.3]
Hygeia will establish usage policies for critical technologies (eg remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, PDAs, email and internet usage). [PCI Requirement 12.3]
These policies will include the following:
Explicit approval by authorised parties to use the technologies. [PCI Requirement 12.3.1]
A list of all such devices and personnel with access. [PCI Requirement 12.3.3]
Acceptable uses of the technologies. [PCI Requirement 12.3.5]
Hygeia’s policies and procedures will clearly define information security responsibilities for all personnel. [PCI Requirement 12.4]
Hygeia will establish, document and disseminate security incident response and escalation procedures to ensure timely and effective handling of all situations. [PCI Requirement 12.5.3]
Team members must be aware of their responsibilities in detecting security incidents to facilitate the incident response plan and procedures. All team members have the responsibility to assist in the incident response procedures within their particular areas of responsibility. Some examples of security incidents that a team member might recognise in their day-to-day activities include, but are not limited to:
Theft, damage or unauthorised access (eg papers missing from their desk, broken locks, evidence of a break-in or unscheduled entry)
Fraud – inaccurate information within databases, logs, files or paper records
The Practice Director, Neil Phillips, must be notified immediately of any actual or suspected security incidents involving cardholder data. If this is not possible, notify the Clinical Director, Joanne Giddy, instead.
Team members must not communicate details or generalities surrounding any actual or suspected incident to anyone outside the organisation (ie Hygeia). All communications with law enforcement agencies will be conducted by the Practice Director, Neil Phillips.
Team members must document/record any information they have about the incident. This should include date, time and the nature of the incident. Any information that can be provided will aid an appropriate response.
Responses can include or proceed through the following stages: identification, severity classification, containment, eradication, recovery and root cause analysis resulting in improvement of security controls.
To contain, eradicate, recover and perform root cause analysis:
1. Notify applicable card associations.
Visa: Provide the compromised Visa accounts to the Visa Fraud Control Group within ten business days. For assistance, contact the merchant/acquiring bank. Account numbers must be securely sent to Visa as instructed by them. It is critical that all potentially compromised accounts are provided. Visa will distribute the compromised Visa account numbers to issuers and ensure the confidentiality of entity and non-public information. Refer to visa.com for more information.
MasterCard: Contact the merchant bank for specific details on what to do following a compromise.
Discover Card: Contact the relationship manager or call the support line for further assistance.
2. Alert all necessary parties, including the merchant/acquiring bank and law enforcement agencies.
3. Perform an analysis of legal requirements for reporting compromises in every country where clients were affected.
4. Collect and protect information associated with the intrusion. In the event that forensic investigation is required the Practice Director, Neil Phillips, will identify appropriate forensic specialists.
5. Eliminate the intruder’s means of access and any related vulnerabilities.
6. Research potential risks related to or damage caused by the intrusion method used.
Not more than one week following the incident, the Practice Director will review the results of any investigation to determine the root cause of the compromise and to evaluate the effectiveness of the incident response plan. He will also review other security protocols to determine their appropriateness for current risks. Any identified areas in which the plan, policy or security controls can be made more effective or efficient must be improved accordingly.
Hygeia will ensure that all team members are made aware of the importance of cardholder data security through the practice induction procedure for new personnel and by ongoing training for existing team members. [PCI Requirement 12.6]
Hygeia will implement and maintain policies and procedures to manage service providers where necessary. [PCI Requirement 12.8]
This process must include the following:
Maintain a list of service providers. [PCI Requirement 12.8.1]
Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of the cardholder data they possess. [PCI Requirement 12.8.2]
Implement a process to perform proper due diligence prior to engaging a service provider. [PCI Requirement 12.8.3]
Monitor service providers’ PCI DSS compliance status. [PCI Requirement 12.8.4]
Web version 3: 3.8.2016 (reviewed 1.9.2017)
Previous version: 28.7.2012; 21.2.2013 (reviewed 12.3.2013; 19.6.2014; 5.6.2015)