This document describes Background Screening Information Security's policies and practices for managing its secure platform for background screening hosted eCommerce, specifically payment card transactions, and the data related to eCommerce. This policy is intended to comply with the requirements of the Payment Card Industry Data Security Standard ("PCI DSS"). The PCI DSS is included by reference herein; however, Background Screening Information Security will be the sole determinant of how the PCI DSS requirements are applied within Background Screening operations. This document will be reviewed annually and updated as appropriate to maintain compliance with the PCI DSS.
For the purposes of this document, the eCommerce infrastructure consists of the computing resources (i.e., servers, storage, network and storage switches, firewalls, physical racks containing these, and related software) that process, transmit, or store payment card data, or can directly access such resources. Servers that are part of the eCommerce infrastructure and any systems that can otherwise directly access computing resources that contain payment cardholder data must be registered as regulated computers.
Background Screening personnel who access information resources that transmit, process, or store payment card data are responsible for the application of this and related policies. In the case of contractors who require such access, it is the responsibility of the Background Screening services group overseeing the contractor's activity to ensure that the contractor is informed of and abides by the relevant IT policies and procedures.
The IT Security department is responsible for identifying network security threats, coordinating threat response, and directing forensic analysis. The IT Security department maintains any firewalls, access control systems, and security information and event management systems used by Background Screening services to support eCommerce. The IT Security department is also responsible for coordinating external network scans and any penetration testing of the eCommerce infrastructure.
Systems engineering and administration is responsible for the installation and maintenance of the server, storage, and database platforms which support the eCommerce infrastructure as well as those used by eCommerce applications. Systems and database administrators work with the IT Security group to proactively address security threats through maintenance activities and to respond to security threats if necessary.
Data Center Operations is responsible for the physical security of the Background Screening services eCommerce environment, the maintenance of the data center environment and power, and the coordination of routine "production" processes within the Background Screening services Data Center.
Data Networking is responsible for the management of the network media layers of the eCommerce infrastructure, including the physical network components and functions such as network switching and routing.
The Desktop Support Group is responsible for the installation, maintenance, and security configuration of many of the workstations used by eCommerce application staff. In the event of a security incident involving workstations it supports, Desktop Support will work with IT Security to conduct forensic analysis of the event and to mitigate the threat. Workstations not supported by Desktop Support must meet the standards of the PCI DSS, and Stern screening reserves the right to determine the suitability of such workstations to support applications operating within the eCommerce infrastructure.
Enterprise Systems & Applications supports eCommerce applications; this support can include software design, development, testing, move to production, production problem troubleshooting, and other support, as well as technical and other interaction with outside service providers such as application vendors and ASPs. For the applications it supports, Enterprise Systems & Applications is also responsible for coordinating communication and interaction among the Background Screening business client(s), any application vendor(s), contractors, or ASPs involved, and other groups, so that all parties have a sufficient understanding of the business purpose, intended use(s), and structure of the application(s) for a secure implementation and operation.
IT Services Web Systems Administration is responsible for the secure configuration and management of all web servers within the eCommerce infrastructure. This includes obtaining, installing, and managing certificates used by web servers for encryption. Web Systems Administration works with the System Engineering and Administration, Database, and IT Security groups to proactively address security threats through maintenance activities and to respond to security threats if necessary.
System and data owners working with background screening operations are responsible for the application of this and related policies to the systems, data, and other information resources under their care or control.
Access to payment card customer information is restricted to those who have a need to know such information for business purposes. Access must be granted to individuals, not to roles, and all access must be able to be tracked by an element of identity that is unique to an individual. Access privileges must be revoked as soon as reasonably possible after a change in responsibilities or employment status of an individual warrants.
Neither payment card numbers nor data items prohibited from storage by the PCI DSS will be stored on background screening systems for any longer than necessary to complete the immediate transaction for which the data has been obtained. This prohibition includes storing such data in databases, log files, audit trails, backups, etc.
Cardholder information will only be stored on systems as long as a significant business or legal requirement exists for retaining such information. Processes will be established for each eCommerce application to periodically remove customer information which is no longer relevant to the business process for which it was acquired. Such “stale” data normally should not remain on a system for more than one month after the requirement for its existence no longer pertains.