Security Policy

Introduction

This policy document addresses all aspects of security concerning confidential company information and must be distributed to all company employees. All employees must read this document in full and sign the acknowledgment form confirming they have read and fully understand this policy. The document will be reviewed and updated annually by management, or as needed to incorporate newly developed security standards. Updated versions will be redistributed to all employees and to contractors where applicable.

Information Security Policy

BIQI TRADING INC. handles sensitive information daily. Sensitive information requires adequate safeguards to protect account data (including cardholder data) and cardholder privacy, to ensure compliance with applicable regulations, and to safeguard the future of the organization.

BIQI TRADING INC. is committed to respecting the privacy of all its customers and to protecting customer data from outside parties. To fulfill these commitments, management is committed to maintaining a secure environment for processing cardholder information.

Employees handling sensitive cardholder data must observe the following:

  • Handle company and account data in a manner consistent with their sensitivity and classification.
  • Limit personal use of BIQI TRADING INC. information and telecommunication systems to ensure it does not interfere with job performance.
  • BIQI TRADING INC. reserves the right to monitor, access, review, audit, copy, store, or delete any electronic communications, equipment, systems, and network traffic for any legitimate business purpose.
  • Do not use email, the internet, or other company resources to engage in any action that is offensive, threatening, discriminatory, defamatory, slanderous, pornographic, obscene, harassing, or illegal.
  • Do not disclose personnel information unless authorized.
  • Protect sensitive account data, including cardholder information.
  • Keep passwords and accounts secure.
  • Request approval from management before establishing any new software or hardware, third-party connections, etc.
  • Do not install unauthorized software or hardware, including modems and wireless access points, unless you have explicit management approval.
  • Always leave desks clear of sensitive cardholder data and lock computer screens when unattended.
  • Report information security incidents immediately to the individual responsible for incident response locally. Please find out who this is.
  • Attend security awareness training on an annual basis.

Each employee has a responsibility to ensure the company’s systems and data are protected from unauthorized access and improper use. If you are unclear about any of the policies detailed herein, you should seek advice and guidance from your line manager.

  1. Network Security

A high-level network diagram is maintained and reviewed on a yearly basis. The network diagram provides a high-level overview of the cardholder data environment (CDE), which at a minimum shows the connections in and out of the CDE. Critical system components within the CDE, such as POI/POS devices, databases, eCommerce web servers, re-direction/iFrame servers, and any other necessary payment components, should also be illustrated as applicable.

In addition, external vulnerability scans should be performed and completed by a PCI SSC Approved Scanning Vendor (ASV) on a quarterly basis (every 90-92 days), where applicable. Evidence of these scans should be maintained for a period of 18 months. For eCommerce, the scans need to include the re-direction/iFrame servers at a minimum.

For standalone dial-up terminals:

  • Secure: Physically secure and use secure dial-up connections.
  • Updated: Regularly update terminal software.
  • Trained: Train employees on proper use.
  • Monitored: Monitor use and investigate unusual activity.

For P2PE solutions:

  • Validated: Use PCI-validated solutions.
  • Compliant: Ensure compliance with PCI P2PE standards.
  • Integrated: Properly integrate with payment infrastructure.
  • Maintained: Regularly update and maintain.
  • Documented: Maintain documentation.
  • Trained: Provide employee training.
  • Key Management: Implement secure key management.

eCommerce Using Redirection/iFrame

For eCommerce implementations that use re-direction/iFrame to a hosted payment page, see Appendix D.

  2. Acceptable Use Policy

Management’s intention in publishing an Acceptable Use Policy is not to impose restrictions that are contrary to BIQI TRADING INC.’s established culture of openness, trust, and integrity. Management is committed to protecting employees, partners, and BIQI TRADING INC. from illegal or damaging actions, whether committed knowingly or unknowingly by individuals.

BIQI TRADING INC. will maintain an approved list of technologies and devices, and personnel with access to such devices, as detailed in Appendix B.

Responsibilities

  • Employees are responsible for exercising good judgment regarding the reasonableness of personal use.
  • Employees should take all necessary steps to prevent unauthorized access to confidential data, including account data/cardholder data.
  • Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts.
  • All PCs, laptops, and workstations should be secured with a password-protected screensaver with the automatic activation feature enabled.
  • All POS and POI/PIN entry devices should be appropriately protected and secured to prevent tampering or alteration.
  • The list of devices in Appendix B will be regularly updated when devices are modified, added, or decommissioned. A stocktake of devices will be regularly performed, and devices inspected to identify any potential tampering or substitution.
  • Users should be trained to identify any suspicious behavior where tampering or substitution may occur. Any suspicious behavior will be reported accordingly.
  • Information contained on portable computers is especially vulnerable; special care should be exercised.
  • Postings by employees from a Company email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of BIQI TRADING INC., unless posting is part of business duties.
  • Employees must use extreme caution when opening email attachments received from unknown senders, which may contain viruses, email bombs, Trojan horse code, or phishing attacks.

  3. Protect Stored Data

BIQI TRADING INC. and its employees must not store cardholder data in the form of Primary Account Numbers (PAN) or sensitive authentication data in any electronic format.

All sensitive account data, including cardholder data stored and handled in hard copy by BIQI TRADING INC. and its employees, must be securely protected against unauthorized use at all times. Any sensitive card data that is no longer required by BIQI TRADING INC. for business reasons must be discarded in a secure and irrecoverable manner.

If there is no specific need to see the full PAN, it must be masked when displayed, showing only the first six and last four numbers of the PAN, at most.

PANs that are not protected as stated above should not be sent outside the company network via end-user messaging technologies such as email, chat, or instant messengers (e.g., ICQ).

It is strictly prohibited to store:

  • The contents of the payment card magnetic stripe (track data) or chip equivalent track data on any media whatsoever.
  • The CVV2/CVC2/CAV2/CID (the 3 or 4-digit number on the signature panel on the reverse of the payment card) on any media whatsoever.
  • The PIN or the encrypted PIN block under any circumstance.
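
The display-masking rule (first six and last four digits at most) and the ban on electronically stored PANs can both be checked in code. The following Python is an added example, not part of BIQI TRADING INC.’s policy or tooling; the record format is constructed sample data and the card numbers are the public test PANs used by payment gateways.

```python
"""PAN handling checks for the Protect Stored Data rules (added example, not
BIQI TRADING INC.'s own code).

  * mask_pan()           - display at most the first six and last four digits.
  * find_unmasked_pans() - locate Luhn-valid card numbers in text so stored
                           records or logs can be checked for prohibited PANs.
  * scan_records()       - report offending records with the PAN masked, so the
                           findings report does not itself become a PAN store.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not touching other digits on either side.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Policy maximum: at most the first six and last four digits may be shown.
MAX_LEADING = 6
MAX_TRAILING = 4


def luhn_valid(digits: str) -> bool:
    """Return True if a 13-19 digit string passes the Luhn (mod 10) check."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    # Walk from the rightmost digit, doubling every second digit.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, leading: int = MAX_LEADING, trailing: int = MAX_TRAILING) -> str:
    """Mask a PAN for display. Callers may show fewer digits than the policy
    maximum, never more; separators in the input are dropped."""
    digits = re.sub(r"\D", "", pan)
    if not luhn_valid(digits):
        raise ValueError("input is not a valid PAN")
    if not (0 <= leading <= MAX_LEADING and 0 <= trailing <= MAX_TRAILING):
        raise ValueError("policy allows at most the first 6 and last 4 digits")
    hidden = len(digits) - leading - trailing
    return digits[:leading] + "*" * hidden + digits[len(digits) - trailing:]


def find_unmasked_pans(text: str) -> list[str]:
    """Return every Luhn-valid PAN (digits only) found in free text.
    Already-masked values such as 411111******1111 do not match because the
    visible digits are too few to form a candidate."""
    found = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def scan_records(records: list[str]) -> list[tuple[int, str]]:
    """Return (record index, masked PAN) for each prohibited PAN found."""
    findings = []
    for idx, record in enumerate(records):
        for pan in find_unmasked_pans(record):
            findings.append((idx, mask_pan(pan)))
    return findings


# Constructed sample records; the card numbers are public gateway test PANs.
SAMPLE_RECORDS = [
    "2024-03-01 order=1001 pan=4111 1111 1111 1111 amount=12.50",  # unmasked: prohibited
    "2024-03-01 order=1002 pan=411111******1111 amount=7.00",       # masked correctly
    "2024-03-01 order=1003 ref=1234567890123 amount=3.20",          # 13 digits, fails Luhn
    "2024-03-02 order=1004 pan=378282246310005 amount=99.00",       # 15-digit unmasked PAN
]

if __name__ == "__main__":
    for idx, masked in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: unmasked PAN stored ({masked})")
```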

 

  4. Information Classification

Data and media containing data must always be labeled to indicate sensitivity level:

  • Confidential Data: Includes information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure, or data that would cause severe damage to BIQI TRADING INC. if disclosed or modified. Examples include account data and cardholder data.
  • Internal Use Data: Information that the data owner feels should be protected to prevent unauthorized disclosure.
  • Public Data: Information that may be freely disseminated.

  5. Access to Sensitive Cardholder Data

Access to sensitive cardholder data should be controlled and authorized. Job functions requiring access to cardholder data should be clearly defined.

  • Display of the account data/cardholder data should be restricted to the first 6 and last 4 digits of the primary account number (PAN).
  • Access to sensitive cardholder information such as PANs, personal information, and business data is restricted to employees with a legitimate need to view such information.
  • No other employees should have access to this confidential data unless they have a genuine business need.
  • If cardholder data is shared with a Service Provider (third-party), a list of such providers will be maintained (Appendix C).
  • BIQI TRADING INC. will ensure a written agreement is in place acknowledging that the Service Provider is responsible for the cardholder data they possess.
  • BIQI TRADING INC. will establish a process, including proper due diligence, before engaging with a third-party service provider (TPSP).
  • BIQI TRADING INC. will have a process in place to monitor the PCI DSS compliance status of the TPSP.
  • Responsibilities for ensuring the security of account data/cardholder data will be defined between BIQI TRADING INC. and a TPSP and documented in a responsibility matrix.

  6. Physical Security

Access to sensitive information in both hard and soft media formats must be physically restricted to prevent unauthorized individuals from obtaining sensitive data.

  • Media containing sensitive cardholder information must be handled and distributed securely by trusted individuals.
  • Visitors must always be escorted by a trusted employee when in areas holding sensitive cardholder information.
  • Procedures must be in place to help all personnel easily distinguish between employees and visitors, especially in areas where account data including cardholder data is accessible.
  • A list of devices including the Point of Interaction (POI) terminals that accept payment card data should be maintained, including make, model, location, and unique identifier.
  • The list should be updated when devices are added, removed, or relocated.
  • POS device surfaces are periodically inspected to detect tampering or substitution.
  • Personnel using the devices should be trained in handling the POI devices, should verify the identity of any third-party personnel claiming to repair or run maintenance tasks on the devices, and should report suspicious behavior or indications of tampering to appropriate personnel.
  • Strict control is maintained over the external or internal distribution of any media containing cardholder data, which must be approved by management.
  • Strict control is maintained over the storage and accessibility of media.
  • All computers that store sensitive cardholder data must have a password-protected screensaver enabled to prevent unauthorized use.

  7. Protect Data in Transit

All sensitive cardholder data must be protected securely if it is to be transported physically or electronically:

  • Transmission Prohibition: Cardholder data (PAN, track data, etc.) must never be sent over the internet via email, instant chat, or any other end-user technologies.
  • Authorized Transmission: If there is a business justification to send cardholder data via email or by any other mode, it should be done after authorization and by using a strong encryption mechanism (e.g., AES encryption, PGP encryption, IPSEC, etc.).
  • Transportation of Media: The transportation of media containing sensitive cardholder data to another location must be authorized by management, logged, and inventoried before leaving the premises. Only secure courier services may be used for the transportation of such media. The status of the shipment should be monitored until it has been delivered to its new location.

  8. Disposal of Stored Data

All data must be securely disposed of when no longer required by BIQI TRADING INC., regardless of the media or application type on which it is stored:

  • Automatic Process: An automatic process must exist to permanently delete online data when no longer required.
  • Manual Destruction: All hard copies of cardholder data must be manually destroyed when no longer required for valid and justified business reasons. A quarterly process must be in place to confirm that all non-electronic cardholder data has been appropriately disposed of in a timely manner.
  • Destruction Procedures:
  1. Hardcopy materials are crosscut shredded, incinerated, or pulped.
  2. Electronic media must be rendered unrecoverable through degaussing, electronically wiped using military-grade secure deletion processes, or physically destroyed.
  3. If secure wipe programs are used, the process must define the industry-accepted standards followed for secure deletion.
  4. Cardholder information awaiting destruction must be held in lockable storage containers clearly marked “To Be Shredded,” with access to these containers restricted.

  9. Security Awareness and Procedures

The policies and procedures outlined below must be incorporated into company practice to maintain a high level of security awareness. The protection of sensitive data demands regular training of all employees and contractors:

  • Handling Procedures: Review handling procedures for sensitive information and hold periodic security awareness meetings to incorporate these procedures into day-to-day company practice.
  • Policy Acknowledgment: Distribute this security policy document to all company employees to read. It is required that all employees confirm that they understand the content of this security policy document by signing an acknowledgment form (see Appendix A).
  • Background Checks: All employees who handle sensitive information will undergo background checks (such as criminal and credit record checks, within the limits of local law) before they commence their employment with BIQI TRADING INC.
  • Third-Party Compliance: All third parties with access to credit card account numbers are contractually obligated to comply with card association security standards (PCI DSS).
  • Annual Review: Company security policies must be reviewed annually and updated as needed.

  10. Credit Card (PCI) Security Incident Response Plan

BIQI TRADING INC.’s PCI Security Incident Response Team (PCI Response Team) comprises the Information Security Officer and Merchant Services. The PCI security incident response plan is as follows:

  • Reporting: Each department must report an incident to the Information Security Officer (preferably) or to another member of the PCI Response Team.
  • Investigation: The PCI Response Team will investigate the incident and assist the potentially compromised department in limiting the exposure of cardholder data and mitigating the risks associated with the incident.
  • Resolution: The PCI Response Team will resolve the problem to the satisfaction of all parties involved, including reporting the incident and findings to the appropriate parties (credit card associations, credit card processors, etc.) as necessary.
  • Prevention: The PCI Response Team will determine if policies and processes need to be updated to avoid a similar incident in the future and whether additional safeguards are required.

Escalation Members (or Equivalent in Your Company)

  • First Level: Information Security Officer, Executive Project Director for Credit Collections and Merchant Services, Legal Counsel, Risk Manager, Director of BIQI TRADING INC. Communications.
  • Second Level: BIQI TRADING INC. President, Executive Cabinet, Internal Audit, Auxiliary members as needed.

External Contacts (as Needed)

  • Merchant Provider Card Brands
  • Internet Service Provider (if applicable)
  • Communication Carriers (local and long distance)
  • Business Partners
  • Insurance Carrier
  • External Response Team as applicable (CERT Coordination Center, etc.)
  • Law Enforcement Agencies as applicable in local jurisdiction

In Response to a Systems Compromise

  • Isolation: Ensure compromised system(s) are isolated on/from the network.
  • Analysis: Gather, review, and analyze logs and related information from various central and local safeguards and security controls.
  • Forensic Analysis: Conduct appropriate forensic analysis of the compromised system.
  • Contact: Contact internal and external departments and entities as appropriate.
  • Forensic and Log Analysis: Make forensic and log analysis available to appropriate law enforcement or card industry security personnel, as required.
  • Assistance: Assist law enforcement and card industry security personnel in investigative processes, including in prosecutions.

Incident Response Notifications to Various Card Schemes

VISA Steps

  • Shut down any systems or processes involved in the breach to limit the extent and prevent further exposure.
  • Alert all affected parties and authorities such as the Merchant Bank (your Bank), Visa Fraud Control, and law enforcement.
  • Provide details of all compromised or potentially compromised card numbers to Visa Fraud Control within 24 hours.
  • For more information, see Visa’s website.

Visa Incident Report Template

  • Executive Summary: Include overview of the incident, RISK Level (High, Medium, Low), and determine if the compromise has been contained.
  • Background, Initial Analysis, Investigative Procedures: Include forensic tools used during the investigation.
  • Findings: Number of accounts at risk, identification of the stores compromised, type of account information at risk, and all systems analyzed.
  • Compromised Entity Action: Recommendations and contacts at the entity and security assessor performing the investigation.

*This classification applies to the most sensitive business information, which is intended for use within VISA. Its unauthorized disclosure could seriously and adversely impact VISA, its employees, member banks, business partners, and/or the Brand.

MasterCard Steps

  • Immediate Notification: Within 24 hours of an account compromise event, notify the MasterCard Compromised Account Team via phone at 1-636-722-4100.
  • Detailed Statement: Provide a detailed written statement of fact about the account compromise (including the contributing circumstances) via secured email to service@biqitrading.com.
  • Account Numbers List: Provide the MasterCard Merchant Fraud Control Department with a complete list of all known compromised account numbers.
  • Data Security Assessment: Within 72 hours of knowledge of a suspected account compromise, engage the services of a data security firm acceptable to MasterCard to assess the vulnerability of the compromised data and related systems (such as a detailed forensics evaluation).
  • Weekly Status Reports: Provide weekly written status reports to MasterCard, addressing open questions and issues until the audit is complete to the satisfaction of MasterCard.
  • Updated Information: Promptly furnish updated lists of potential or known compromised account numbers, additional documentation, and other information that MasterCard may request.
  • Audit Findings: Provide findings of all audits and investigations to the MasterCard Merchant Fraud Control Department within the required timeframe and continue to address any outstanding exposure or recommendation until resolved to the satisfaction of MasterCard.

MasterCard Actions

  • Issuer Identification: Once MasterCard obtains the details of the account data compromise and the list of compromised account numbers, MasterCard will identify the issuers of the accounts that were suspected to have been compromised and group all known accounts under the respective parent member IDs.
  • Distribution of Account Numbers: Distribute the account number data to its respective issuers.

Security Officer Role

  • Reporting: Employees of BIQI TRADING INC. are expected to report any security-related issues to the security officer.
  • Communication: The role of the security officer is to effectively communicate all security policies and procedures to employees within BIQI TRADING INC. and to contractors.
  • Training Sessions: Oversee the scheduling of security training sessions.
  • Policy Enforcement: Monitor and enforce the security policies outlined in both this document and at the training sessions.
  • Incident Response: Oversee the implementation of the incident response plan in the event of a sensitive data compromise.

Discover Card Steps

  • Immediate Notification: Within 24 hours of an account compromise event, notify Discover Fraud Prevention at (800) 347-3102.
  • Detailed Statement: Prepare a detailed written statement of fact about the account compromise including the contributing circumstances.
  • Account Numbers List: Prepare a list of all known compromised account numbers.
  • Additional Requirements: Obtain additional specific requirements from Discover Card.

American Express Steps

  • Immediate Notification: Within 24 hours of an account compromise event, notify American Express Merchant Services at (800) 528-5200 in the U.S.
  • Detailed Statement: Prepare a detailed written statement of fact about the account compromise including the contributing circumstances.
  • Account Numbers List: Prepare a list of all known compromised account numbers.
  • Additional Requirements: Obtain additional specific requirements from American Express.

  11. Transfer of Sensitive Information Policy

All third-party companies providing critical services to BIQI TRADING INC. must:

  • Service Level Agreement: Provide an agreed Service Level Agreement.
  • Physical Security Compliance: Comply with BIQI TRADING INC.’s Physical Security and Access Control Policy.
  • PCI DSS Compliance: Adhere to the PCI DSS security requirements.
  • Data Responsibility: Acknowledge their responsibility for securing the Cardholder data.
  • Data Usage: Acknowledge that the Cardholder data must only be used for assisting the completion of a transaction, supporting a loyalty program, providing a fraud control service, or for uses specifically required by law.
  • Business Continuity: Have appropriate provisions for business continuity in the event of a major disruption, disaster, or failure.
  • Security Review: Provide full cooperation and access to conduct a thorough security review after a security intrusion by a Payment Card industry representative, or a Payment Card industry approved third party.

  12. User Access Management

  • User Registration: Access to BIQI TRADING INC. systems is controlled through a formal user registration process, beginning with a formal notification from HR or from a line manager.
  • Unique User ID: Each user is identified by a unique user ID so that users can be linked to and made responsible for their actions.
  • Standard Access Level: There is a standard level of access; other services can be accessed when specifically authorized by HR/line management.
  • Access Rights: The job function of the user decides the level of access the employee has to cardholder data.
  • Request for Service: A request for service must be made in writing (email or hard copy) by the newcomer’s line manager or by HR. The request must include:
  1. Name of person making request.
  2. Job title of the newcomer and workgroup.
  3. Start date.
  4. Services required (default services are: MS Outlook, MS Office, and Internet access).
  • Access Confirmation: Each user will be given a copy of their new user form to provide a written statement of their access rights, signed by an IT representative after their induction procedure.
  • System Access: Access to all BIQI TRADING INC. systems is provided by IT and can only be started after proper procedures are completed.
  • Termination of Access: As soon as an individual leaves BIQI TRADING INC. employment, all his/her system logons must be immediately revoked and the account must be disabled and removed.
  • Employee Termination Process: As part of the employee termination process, HR (or line managers in the case of contractors) will inform IT operations of all leavers and their date of leaving.

  13. Access Control Policy

Purpose

The Access Control policy is in place to protect the interests of all users of BIQI TRADING INC.’s computer systems by providing a safe, secure, and readily accessible environment in which to work. This policy ensures that users have the necessary information to carry out their responsibilities effectively and efficiently.

Scope

This policy applies to all employees and other users of BIQI TRADING INC. computer systems.

Principles

  • Least Privilege and Need-to-Know: Access rights will be accorded based on the principle of least privilege and need-to-know.
  • Generic or Group IDs: Generic or group IDs shall not normally be permitted, but may be granted under exceptional circumstances if sufficient other controls on access are in place.
  • Privilege Rights Allocation: The allocation of privilege rights (e.g., local administrator, domain administrator, super-user, root access) shall be restricted and controlled, and authorization provided jointly by the system owner and IT Services.
  • Technical Teams Controls: Technical teams shall guard against issuing privilege rights to entire teams to prevent loss of confidentiality.

Access Control Mechanisms

  • Unique Active Directory Account: Access to BIQI TRADING INC. IT resources and services will be given through the provision of a unique Active Directory account and complex password.
  • Authentication and Authorization: No access to any BIQI TRADING INC. IT resources and services will be provided without prior authentication and authorization of a user’s BIQI TRADING INC. Windows Active Directory account.
  • Password Management:
  1. Length: 8 characters.
  2. Complexity: Complex.
  3. Uniqueness: Unique and must be changed at first use.
  4. Reusability: Not reusable.
  5. Expiration: Change every 90 days.
  • Password Control: Password issuing, strength requirements, changing, and control will be managed through formal processes. Password length, complexity, and expiration times will be controlled through Windows Active Directory Group Policy Objects.

Data Access

  • Access to Confidential, Restricted, and Protected Information: Access to Confidential, Restricted, and Protected information will be limited to authorized persons whose job responsibilities require it, as determined by the data owner or their designated representative. Requests for access permission to be granted, changed, or revoked must be made in writing.
  • Data Classification: Access to data is controlled according to the data classification levels described in the Information Security Management Policy.

User Responsibilities

  • Data Security: Every user should attempt to maintain the security of data at its classified level even if technical security mechanisms fail or are absent.
  • Information Security: Users are expected to become familiar with and abide by BIQI TRADING INC. policies, standards, and guidelines for appropriate and acceptable usage of the networks and systems.
  • Remote Access: Access for remote users shall be subject to authorization by IT Services and be provided in accordance with the Remote Access Policy and the Information Security Policy. No uncontrolled external access shall be permitted to any network device or networked system.

Access Control Methods

  • Logon Access Rights: Logon access rights will be controlled.
  • Windows Share and NTFS Permissions: Windows share and NTFS permissions will be applied.
  • User Account Privileges: User account privileges will be enforced.
  • Server and Workstation Access Rights: Server and workstation access rights will be enforced.
  • Firewall Permissions: Firewall permissions will be applied.
  • IIS Intranet/Extranet Authentication Rights: IIS intranet/extranet authentication rights will be enforced.
  • SQL Database Rights: SQL database rights will be enforced.
  • Isolated Networks: Isolated networks will be used where necessary.

Regular Reviews

  • Formal Process: A formal process shall be conducted at regular intervals by system owners and data owners in conjunction with IT Services to review users’ access rights.
  • Review Documentation: The review shall be logged, and IT Services shall sign off the review to give authority for users’ continued access rights.