Cardholder Data Security Policy

From Wikimedia UK
This policy was adopted by the Board on 9 February 2013. It is part of a series of IT Security Policies.

It is absolutely critical that all relevant staff and trusted volunteers actively protect customer cardholder information from thieves and hackers. This is a legal requirement and a business requirement, and must not be ignored. This policy describes what staff and volunteers should do, and what they should not do.

All personnel who have access to cardholder data are required to have read and signed a copy of this document (see Appendix) and to follow its directions at all times. Failure to do so will result in disciplinary or legal action as warranted.

Guiding Principles

  • That staff and volunteers understand the sensitivity of cardholder data
  • That staff and volunteers understand the requirements of data protection and privacy legislation in dealing with cardholder data
  • That Wikimedia UK maintains a high standard of confidentiality and information security through enacting this policy
  • That this policy applies everywhere (to all computers, to all people, etc.) but applies particularly to any computers, devices or records involved with cardholder information such as account numbers, names, and so on.

Computers and Software

  • No computers are to be used to store cardholder data (such as credit card numbers or information read off a card's magnetic stripe).

Information and Records Stored On Computers and Devices

  • Don't record, copy, or store cardholder information (such as account numbers) on any computer, thumb-drive, CD, DVD, etc. This includes magnetic stripe information, and other information like the three-digit numbers printed on the signature panel of cards.
  • It is allowed to record the last 4 digits ONLY of an account number.
  • Never, under any circumstances, record, copy, or store cardholder PINs anywhere.
  • Do not record, copy, or store the three-digit number printed on the signature panel of any card.

Physical copies of Records (Paper Records, Thumbdrives, CD, DVDs, etc.)

  • Cardholder data shall be stored only if strictly necessary, and only for as long as necessary. Data that is prohibited by other parts of this security policy must not be stored at all.
  • Any paper records of cardholder data, and all thumbdrives, CDs, DVDs, etc, holding cardholder data are to be treated like cash. They must be kept in a locked area and access to them must be tightly restricted.
  • Paper records or electronic records of cardholder information must not be removed from the secure area without formal approval by the Office and Development Manager and a formal record made on the appropriate log on the Office Wiki. This includes removal during a working day to be read in the Wikimedia UK Office in the presence of a member of staff with management permissions.
  • Never share cardholder records with anyone outside Wikimedia UK, or with anyone inside Wikimedia UK who does not have management approval to use those records.
  • Paper records of cardholder data, and thumbdrives, CDs, DVDs, etc., holding cardholder data must not be thrown out or re-used for other purposes. When you are finished with them, they must be destroyed via shredding, using a company or machine approved by management.
  • Paper records or thumbdrives, CDs, DVDs, etc., of cardholder data are to be destroyed via shredding after five years, using a company or machine approved by management.

Transmitting Information and Records

  • Cardholder information must never be sent outside the work network (particularly over the web or via email.)
  • Emails that are sent to the dedicated Fundraising@ email address can include cardholder information. As such, the Fundraising Manager will take responsibility for archiving and storing on a pen-drive the emails for the preceding quarter on a quarterly basis, then deleting them from the inbox archive.
  • Any member of staff or trusted volunteer who accesses this inbox should sign this document and have their name added to the appropriate permissions log on the Office Wiki.

Physical Security

  • All visitors should be in the presence of a staff member when in the office, unless they have Chief Executive approval to work in the office alone.
  • Paper records or electronic records of cardholder information must be kept in a locked drawer, which must be locked unless someone with formal Chief Executive approval is in the room at the time.
  • Physical access to paper records with cardholder information on them is restricted to those who have formal management approval.
  • If anyone is seen (staff-member or not) accessing Wikimedia UK records who does not have approval, you are required to report it to the Chief Executive immediately.

Policies and Procedures

  • References to supporting documentation will be hosted on the Office Wiki, rather than the UK Wiki to avoid the identities of individuals with comprehensive access being publicly available. This will be as follows:
  1. Access control list
  2. Checklist for annual security audit
  3. Access control approval guidelines
  • In the event of suspicious behaviour, or a security problem, the Office and Development Manager should be informed immediately. The Office and Development Manager is required to put in place a formal incident management plan, as outlined in the 'Data Breach Policy'.
  • A security review will be conducted in September annually to check that the terms of this policy are complied with, and to update the policy to ensure continuing accuracy and relevance.
  • A process to brief and train new members of staff on security issues pertaining to personal data must be included in the induction process for new members of staff or trusted volunteers.
  • This policy should be read in conjunction with the Donor Privacy Policy and the Financial Procedures Policy for the context of how Wikimedia UK deals with non-cardholder data (such as donor names or addresses).

Appendix

Notes

This document, and the requirements described in it, help WMUK in several important ways:

  1. By reducing the chance that Wikimedia UK will be damaged by hackers or thieves.
  2. By helping Wikimedia UK comply with an industry standard called the Payment Card Industry Data Security Standard (PCI DSS). Failure to do so can result in large fines.
  3. By reducing the chance that member or donor information will be stolen, and so reducing the chance that Wikimedia UK will be subject to legal proceedings.

Policy Signatories

Name                 Role                                        Status    Date signed
Jon Davies           Staff - Chief Executive                     Current   - -
Richard Symonds      Staff - Office and Development Manager      Current   - -
Stevie Benton        Staff - Communications Organiser            Current   - -
Daria Cybulska       Staff - Programme Manager                   Current   - -
Katherine Bavage     Staff - Fundraising Manager                 Current   - -
Hasina Khatun        Staff - Intern                              Current   - -
Chris Keating        Trustee - Chair                             Current   - -
Doug Taylor          Trustee - Vice Chair                        Current   - -
Mike Peel            Trustee - Secretary                         Current   - -
John Byrne           Trustee - Treasurer                         Current   - -
Ashley Van Haeften   Trustee - Ordinary member                   Current   - -
Saad Choudry         Trustee - Ordinary member                   Current   - -