Information Security Policy

Policy brief & purpose

Our Information security policy helps our employees and customers understand our responsibilities under the Payment Card Industry Data Security Standard (PCI DSS) and demonstrate the measures we take to ensure the security and integrity of our software.

The PCI DSS is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.

The PCI DSS applies to any and all organisations, regardless of size or number of transactions, that accept, transmit or store any cardholder data.

As we do not accept, transmit or store any cardholder data we want to ensure that our employees and customers understand the measures we enforce to ensure that no card data is transmitted to or stored within our systems and demonstrate the measures we take to ensure the security and integrity of our software.

Our goal is to protect confidential, sensitive and personally identifiable data from breaches and safeguard our reputation and technological property.

Scope

This policy applies to all employees and customers who use our Agentivity software. This may be assigned to an individual or department.

Policy elements

This policy defines how we ensure that no card data is transmitted to or stored within Agentivity and the measures we take to:

  • Secure against the transmission of cardholder data in error

  • Build and maintain a secure network and systems

  • Maintain a vulnerability management program

  • Implement access control measures

  • Monitor and test our networks

  • Maintain information security procedures

Securing against the transmission of cardholder data in error

Cardholder data is any personally identifiable data associated with a person who has a credit or debit card. Cardholder data includes the primary account number along with any of the following data types:

  • cardholder name

  • expiration date

  • service code

We do not require cardholder data to provide our service, therefore Agentivity does not process, transmit or store any cardholder data.

Where any cardholder data is encountered in the data we process for our clients, Agentivity identifies and removes that information before any data is processed and transmitted to our hosting environment.

Access to data we need to process in order to provide the Agentivity service to our client, is managed with the Agency Global Distribution System, via a secure data connection using SSL.

Data encountered is evaluated, in process, against a LUHN method to determine if the data contains a credit card number. More information about this method is available here.

If true, Agentivity by default will mask the data with hash values, and only leave the last 4 numbers exposed, e.g: #### #### #### 1234

This allows us to advise our customers of exposed card data in their environment.

Alternatively, we offer the customer the choice of completely skipping the data (and not even mask it) and therefore not storing any reference to a card number being found in their data.

Building and maintaining a secure network and systems

We use a firewalled environment as provided by Blacknight Hosting Ireland, to control the transmission of data between Agentivity trusted internal networks and any untrusted external networks, as well as traffic between sensitive areas of the internal networks themselves to prevent any unauthorised access.

We do not use vendor-supplied defaults for system passwords or any other security parameters. Any vendor-supplied default settings are changed immediately, and all unnecessary default accounts are disabled or removed before any system is installed on our network. This applies to all default passwords, without exception, including but not limited to firewalls.

Maintaining a vulnerability management program

On all systems that would be commonly affected by malware we use antivirus software which detects, removes and protects against malware including but not limited to:

  • Viruses

  • Worms

  • Trojans

Our antivirus mechanisms are actively running and maintained at all times.

In the event they must be temporarily disabled this must be formally authorised for a specific purpose only.

For systems not commonly affected by malware, evolving malware threats are periodically evaluated to determine whether antivirus software is needed.

We use a risk-based process to identify security vulnerabilities and rank them according to their level of risk, implementing appropriate and relevant security patches within a month of their release in order to protect against compromising all data.

All our software applications including but not limited to Agentivity are developed securely, based on industry standards and/or best practices, and incorporate information security throughout their entire development lifecycle.

Implementing strong access control measures

We use documented systems and processes to limit access rights to critical data, based on the need to know and according to both our and our clients authorised personnel’s clearly defined job responsibilities. Our access control systems deny all access by default.

We identify and authenticate access to system components ensuring that system access is limited only to those people with the proper authorisation, and providing an audit trail that can be analysed following any incident.

Agentivity requires that all users must be assigned a unique ID, which should be managed according to our specific guidelines.

Any user that requires direct access to the Agentivity database or software hosting environment has to be connected to our hosting provider’s network via a Cisco VPN client.

We have also implemented two-factor authentication on our internal client administration solution.

Maintaining an information security policy and procedures

As part of our PCI policy and our responsibilities under relevant data protection regulations and legislation we maintain and disseminate further policies including an information security policy (included in this policy) and privacy notice. We review all policies and notices annually and updated according to the changing risk environment.

We use Data Protection Impact Assessments and a risk assessment process to identify potential threats or vulnerabilities. We have a formal incident and breach recording and notification procedure which outlines our policy for responding to and containing a system breach.

This policy will be reviewed annually, and on an ad-hoc basis against any changes to our systems or security measures and reissued accordingly.

Further information

If further information is required please contact info at agentivity.com