Security and General Privacy Policies
At Matrix Payment Systems, payment security and customer information is always a high priority.
We maintain strict controls over payment processing in our own transactions. In order to assist our merchant customers to do the same, we have a complete department, our Compliance Resource Center, to assist you in PCI DSS Compliance as well as other important and developing technologies.
Security and confidentiality of your personal information is one of our highest priorities. We will never request that you provide, update or verify via email your personal or account information, including passwords, Social Security Number and PIN(s). If you receive such an email request, please email us at email@example.com immediately. Learn more about how to protect your personal information.
Overview of PCI DSS (Payment Card Industry Data Security Standard) Policies
This policy is intended to relay the importance of security and protecting cardholder data.
This policy applies to all employees and systems of Matrix Payment Systems, Inc.
Policies to Protect and Manage Cardholder Data
The importance of protecting cardholder data is paramount. Allowing data theft or destruction, inadvertently sharing confidential information, infecting system networks with viruses, misuse of company resources, allowing the theft of company property, and allowing the compromise of private or confidential company or client information are all very real examples of what might result from a security compromise.
1.0 A firewall is established and maintained between your cardholder data and anybody other than those who have explicit permission.
2.0 All default logins and passwords should be changed when installing any software.
3.0 Strong cryptography and security protocols, such as SSH, TLS or IPSEC, are to be used to safeguard sensitive cardholder data during transmission over open, public networks.
4.0 All sending of unencrypted Primary Account Numbers by end-user messaging technologies (i.e., email, instant messaging, and chat) are strictly prohibited. If a PAN must be sent by end-user messaging, only email is allowed and the PAN will be encrypted using WinZip. The WinZip password will be communicated to the end user by means other than end user messaging (phone or fax is allowed).
5.0 Ensure that you are using anti-virus software on all systems.
6.0 Keep your software up to date with vendor supplied patches in a timely manner and maintain all software applications securely and according to industry best practices, regularly test, validate and monitor your software applications.
7.0 Access to system components and cardholder data is limited to only those authorized individuals whose job require such access or have a need-to-know. This authority is granted by senior management and reviewed annually.
8.0 All paper that contains cardholder data is to be identified and physically secured in a locked drawer. No electronic cardholder data will ever be stored.
9.0 Strict control is to be maintained over the internal or external distribution of any kind of media that contains cardholder data
- Media is classified and clearly marked as confidential
- Media is sent by secured courier or other delivery method that can be accurately tracked
- Management approval is to be obtained prior to moving any and all media containing cardholder data from a secured area.
10.0 Strict control must be maintained over the storage and accessibility of media that contains cardholder data.
11.0 Media containing cardholder data is to be destroyed when it is no longer needed for business or legal reasons.
- Paper materials are to be shredded, incinerated, or pulped so that cardholder data cannot be reconstructed.
- The general rule is that media containing cardholder date will be destroyed when over 180 days old. Exceptions to the rule must be approved by senior management.
Policy Maintenance and Employee/Contractor Awareness
1.0 Review of this policy will be conducted on an annual basis or as changes to the environment occur
2.0 Usage of employee-facing technologies such as remote access, wireless, electronic media, internet, PDA’s and wireless will adhere to the following:
- No unauthorized equipment can be brought in or set up in [Merchant Name] facility. This includes, but is not limited to modems, computers, or wireless devices.
- Wireless devices must be set up securely by establishing secure accounts/passwords, disabling SSID broadcasts, and using the highest available encryption for the device.
3.0 One or more employees will be designated with security responsibility.
4.0 Incident response documents will be created, reviewed by all employees, and will be updated on an annual basis.
5.0 These security policies will be formally reviewed annually with all employees/contractors.
6.0 A list of Service Providers must be maintained. This list will be updated and reviewed by senior management when necessary but at every 180 days.
7.0 A written Agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service provider posses is required from each Service Provider.
8.0 Due diligence is to be performed prior to the engagement of Service Providers. Procedures performed will include when possible:
- A visit to the Service Providers physical offices to discuss security practices and procedure with their management and staff.
- A written statement acknowledging their responsibilities to securely process, handle and transmit cardholder data.
- Written proof that the Service Provider is PCI compliant.
- Request reliable industry references.
9.0 A program is to be maintained to monitor Service Providers’ PCI DSS compliance status. On an annual basis a request for a new compliance certificate will be requested.
This Website collects some Personal Data from its Users.
Data Controller and Owner
Larry Davis – Fox Tracks, Inc. – 6100 McColl Drive – Savage, MN 55378
Owner contact email: firstname.lastname@example.org
Types of Data collected
Among the types of Personal Data that this Website collects, by itself or through third parties, there are: Cookies, Usage data, first name, last name, phone number, company name, address and email address.
Mode and place of processing the Data
Methods of processing
The Data Controller processes the Data of Users in a proper manner and shall take appropriate security measures to prevent unauthorized access, disclosure, modification, or unauthorized destruction of the Data. The Data processing is carried out using computers and/or IT enabled tools, following organizational procedures and modes strictly related to the purposes indicated. In addition to the Data Controller, in some cases, the Data may be accessible to certain types of persons in charge, involved with the operation of the site (administration, sales, marketing, legal, system administration) or external parties (such as third party technical service providers, mail carriers, hosting providers, IT companies, communications agencies) appointed, if necessary, as Data Processors by the Owner. The updated list of these parties may be requested from the Data Controller at any time.
The Data is processed at the Data Controller’s operating offices and in any other places where the parties involved with the processing are located. For further information, please contact the Data Controller.
The Data is kept for the time necessary to provide the service requested by the User, or stated by the purposes outlined in this document, and the User can always request that the Data Controller suspend or remove the data.
The use of the collected Data
The Data concerning the User is collected to allow the Owner to provide its services, as well as for the following purposes: Analytics, Contacting the User and Managing contacts and sending messages.
The Personal Data used for each purpose is outlined in the specific sections of this document.
Detailed information on the processing of Personal Data
Personal Data is collected for the following purposes and using the following services:
Additional information about Data collection and processing
The User’s Personal Data may be used for legal purposes by the Data Controller, in Court or in the stages leading to possible legal action arising from improper use of this Application or the related services. The User declares to be aware that the Data Controller may be required to reveal personal data upon request of public authorities.
Additional information about User’s Personal Data
System logs and maintenance
For operation and maintenance purposes, this Website and any third party services may collect files that record interaction with this Website (System logs) or use for this purpose other Personal Data (such as IP Address).
Information not contained in this policy
More details concerning the collection or processing of Personal Data may be requested from the Data Controller at any time. Please see the contact information at the beginning of this document.
The rights of Users
Users have the right, at any time, to know whether their Personal Data has been stored and can consult the Data Controller to learn about their contents and origin, to verify their accuracy or to ask for them to be supplemented, cancelled, updated or corrected, or for their transformation into anonymous format or to block any data held in violation of the law, as well as to oppose their treatment for any and all legitimate reasons. Requests should be sent to the Data Controller at the contact information set out above.