Terms and conditions
Canterbury Taxis Ltd.
We are a registered Data Controller with the Information Commissioner's Office. Registration Reference ZA064788
For more information on the security of your information please visit www.ico.org.uk
As a condition of use, we may record our calls for training and monitoring.
Terms and conditions
In using this website you are deemed to have read and agreed to the following terms and conditions:
The following terminology applies to these Terms and Conditions, Privacy Statement and Disclaimer Notice and any or all Agreements:
"Client", "You" and "Your" refers to you, the person accessing this website and accepting the Company's terms and conditions.
"The Company", "Ourselves", "We" and "Us" refers to our Company. "Party", "Parties" or "Us" refers to both the Client and ourselves, or either the Client or ourselves.
All terms refer to the offer, acceptance and consideration of payment necessary to undertake the process of our assistance to the Client in the most appropriate manner, whether by formal meetings of a fixed duration or any other means, for the express purpose of meeting the Client's needs in respect of the Company's stated services/products, in accordance with and subject to prevailing English law.
Any use of the above terminology or other words in the singular, plural, capitalisation and/or he/she or they are taken as interchangeable and therefore as referring to the same.
We are committed to protecting your privacy.
Only authorized employees within the company, on a need-to-know basis, use any information collected from individual customers.
We constantly review our systems and data to ensure the best possible service to our customers.
Parliament has created specific offences for unauthorized actions against computer systems and data.
We will investigate any such actions with a view to prosecuting and/or taking civil proceedings to recover damages against those responsible.
We are registered under the Data Protection Act 1998 and as such, any information concerning the Client and their respective Client Records may be passed to third parties.
However, Client records are regarded as confidential and therefore will not be divulged to any third party, other than our manufacturer/supplier(s), and, if legally required to do so, to the appropriate authorities.
Clients have the right to request sight of, and copies of any and all Client Records we keep, on the proviso that we are given reasonable notice of such a request.
Clients are requested to retain copies of any literature issued in relation to the provision of our services.
Where appropriate, we shall issue Client’s with appropriate written information, handouts or copies of records as part of an agreed contract, for the benefit of both parties.
We will not sell, share, or rent your personal information to any third party or use your e-mail address for unsolicited mail.
Any emails sent by this Company will only be in connection with the provision of agreed services and products.
Exclusions and Limitations
The information on this web site is provided on an “as is” basis. To the fullest extent permitted by law, this Company:
Excludes all representations and warranties relating to this website and its contents or which is or may be provided by any affiliates or any other third party, including in relation to any inaccuracies or omissions in this website and/or the Company's literature;
Excludes all liability for damages arising out of or in connection with your use of this website. This includes, without limitation, direct loss, loss of business or profits (whether or not the loss of such profits was foreseeable, arose in the normal course of things or you have advised this Company of the possibility of such potential loss), damage caused to your computer, computer software, systems and programs and the data thereon, or any other direct or indirect, consequential and incidental damages.
This Company does not however exclude liability for death or personal injury caused by its negligence.
The above exclusions and limitations apply only to the extent permitted by law. None of your statutory rights as a consumer are affected.
Terms and conditions - Zcarsglobal Ltd
Any electronic message, including attachments, is intended only for the use of the individual or company named above or to which it is addressed. The information contained in the message shall be considered confidential and proprietary, and may include confidential work product. If you are not the intended recipient, please be aware that any unauthorized use, dissemination, distribution or copying of the message is strictly prohibited. If you have received the email in error, please notify the sender by replying to the message and delete the email immediately.
We are committed to providing a quality service in a manner that ensures a safe and healthy workplace for our employees and minimizes our potential impact on the environment.
We will operate in compliance with all relevant environmental legislation and we will strive to use pollution prevention and environmental best practices in all we do.
We will:
- Integrate the consideration of environmental concerns and impacts into all of our decision making and activities;
- Promote environmental awareness among our employees and encourage them to work in an environmentally responsible manner;
- Train, educate and inform our employees about environmental issues that may affect their work;
- Reduce waste through re-use and recycling and by purchasing recycled, recyclable or refurbished products and materials where these alternatives are available, economical and suitable;
- Promote efficient use of materials and resources throughout our facility including water, electricity, raw materials and other resources, particularly those that are non-renewable;
- Avoid unnecessary use of hazardous materials and products, seek substitutions when feasible, and take all reasonable steps to protect human health and the environment when such materials must be used, stored and disposed of;
- Purchase and use environmentally responsible products accordingly;
- Where required by legislation or where significant health, safety or environmental hazards exist, develop and maintain appropriate emergency and spill response programmes;
- Communicate our environmental commitment to clients, customers and the public and encourage them to support it;
- Strive to continually improve our environmental performance and minimize the social impact and damage of our activities by periodically reviewing our environmental policy in light of our current and planned future activities.
Person responsible for policy: Mr Ian Brenchley, Managing Director, Canterbury Taxis Limited
Cash or personal cheque with banker's card, all major credit/debit cards, banker's draft or BACS transfer are all acceptable methods of payment.
Our general terms are payment in full within thirty days by prior agreement, upon acceptance of our invoicing terms; unless otherwise specified this is our standard.
We reserve the right to vary these terms with 7 days’ notice from us in writing.
All goods remain the property of the Company until paid for in full.
Monies that remain outstanding by the due date will incur late payment interest at the rate of 5% above the prevailing Bank of England base rate, on the outstanding balance, until such time as the balance is paid in full and final settlement. This amount will be calculated on a two-week basis until full and final settlement is made.
We reserve the right to seek recovery of any monies remaining unpaid sixty days from the date of invoice via collection agencies and/or through the Small Claims Court in the event that the outstanding balance does not exceed £3000.
In such circumstances, you shall be liable for any and all additional administrative and/or court costs.
Returned cheques will incur a £25 charge to cover banking fees and administrative costs.
In an instance of a second Returned cheque, we reserve the right to terminate the arrangement and, if agreed to, we shall insist on future cash transactions only.
Consequently, all bookings and/or transactions and agreements entered into will cease with immediate effect until such time as any and all outstanding monies are recovered in full.
Minimum 24 hours' notice of cancellation is required.
Notification, for instance in person, via email, mobile phone text message and/or fax, or by any other means, will be accepted subject to confirmation in writing.
We reserve the right to levy a charge to cover any subsequent administrative expenses that may result from the Cancellation;
We also reserve the right to decide any specific amount of a refund in all cases.
Termination of Agreements and Refunds Policy
Both the Client and we have the right to terminate any Services Agreement for any reason, including the ending of services that are already under way; by definition this means from the point of dispatch. For example, in the case of dispatching a vehicle to or from the airport, if the vehicle were no longer required then it would be chargeable by us depending upon the circumstances.
No refunds shall be offered, where a Service is deemed to have begun and is, for all intents and purposes, under-way.
Any monies that have been paid to us which constitute payment in respect of the provision of unused Services shall be refunded solely where authorised by the company on a goodwill basis.
The term contract extends to the provision of services, used or unused, that may have begun or been dispatched by way of any verbal agreement or alternatively via internet booking. For example, our services may have been booked and not paid for; however, if the cancellation happened during arrival at the airport or en route, we reserve the right to be paid for the service booked or provisioned in these circumstances. In essence the term contract is deemed to have begun at the point of a confirmed booking, whether by our website, by telephone or by email. Therefore, any refund or liability for payment shall be given solely at the discretion of the company in all circumstances.
Unless otherwise stated, the services featured on this website are only available within the United Kingdom, or in relation to postings from the United Kingdom.
All advertising is intended solely for the United Kingdom market. You are solely responsible for evaluating the fitness for a particular purpose of any downloads, programs and text available through this site. Redistribution or republication of any part of this site or its content is prohibited, including by framing or any other similar means, without the express written consent of the Company.
The Company does not warrant that the service from this site will be uninterrupted, timely or error free, although it is provided to the best ability.
By using this service you thereby indemnify this Company, its employees, agents and affiliates against any loss or damage, in whatever manner, howsoever caused.
We use IP addresses to analyse trends, administer the site, track users' movement, and gather broad demographic information for aggregate use. IP addresses are not linked to personally identifiable information. Additionally, for systems administration, detecting usage patterns and troubleshooting purposes, our web servers automatically log standard access information including browser type, access times/open mail, URL requested and referral URL. This information is not shared with third parties and is used only within this Company on a need-to-know basis. Any individually identifiable information related to this data will never be used in any way different to that stated above without your explicit permission.
Cookies are used in some areas of our site to enable the functionality of this area and ease of use for those people visiting.
Links to this website
You may not create a link to any page of this website without our prior written consent.
If you do create a link to a page of this website you do so at your own risk and the exclusions and limitations set out above will apply to your use of this website by linking to it.
Links from this website
We do not monitor or review the content of other parties' websites which are linked to from this website. Opinions expressed or material appearing on such websites are not necessarily shared or endorsed by us, and we should not be regarded as the publisher of such opinions or material.
Please be aware that we are not responsible for the privacy practices, or content, of these sites.
We encourage our users to be aware when they leave our site and to read the privacy statements of these sites. You should evaluate the security and trustworthiness of any other site connected to this site or accessed through this site yourself before disclosing any personal information to them. This Company will not accept any responsibility for any loss or damage in whatever manner, howsoever caused, resulting from your disclosure to third parties of personal information.
COPYRIGHT NOTICE
Copyright © 2016 Canterbury Taxis Ltd.
Ownership of copyright
The copyright in this website and the material on this website (including without limitation the text, computer code, artwork, photographs, images, music, audio material, video material and audio-visual material on this website) is owned by Canterbury Taxis Ltd. or appointed officers and its licensors.
Copyright license
Canterbury Taxis Ltd. grants to you a worldwide non-exclusive royalty-free revocable license to:
- view this website and the material on this website on a computer or mobile device via a web browser;
- copy and store this website and the material on this website in your web browser cache memory;
- print pages from this website for your own [strictly personal and non-commercial only] use.
Canterbury Taxis Ltd. does not grant you any other rights in relation to this website or the material on this website. In other words, all other rights are reserved. For the avoidance of doubt, you must not adapt, edit, change, transform, publish, republish, distribute, redistribute, broadcast, rebroadcast or show or play in public this website or the material on this website (in any form or media) without Canterbury Taxis Ltd.'s prior written permission.
Data mining
The automated and/or systematic collection of data from this website is prohibited.
Permissions
You may request permission to use the copyright materials on this website by writing to firstname.lastname@example.org.
Enforcement of copyright
Canterbury Taxis Ltd. takes the protection of its copyright very seriously. If Canterbury Taxis Ltd. discovers that you have used its copyright materials in contravention of the license above, Zcarsglobal Limited may bring legal proceedings against you seeking monetary damages and an injunction to stop you using those materials. You could also be ordered to pay legal costs.
If you become aware of any use of Canterbury Taxis Ltd. copyright materials that contravenes or may contravene the license above, please report this by email to email@example.com.
Infringing material
If you become aware of any material on the website that you believe infringes your or any other person's copyright.
Canterbury Taxis Ltd.
We have several different e-mail addresses for different queries.
These, and other contact information, can be found on the Contact Us link on our website, in Company literature, or via the Company's stated telephone or mobile telephone numbers.
Please note that in the interests of training and monitoring, to benefit our clients, we reserve the right to record our calls at any time.
We do not use this information apart from to assist in clarifying the basis on which any arrangement or booking may be made.
In addition, we do not allow the information to be shared in any way at any time.
By using our service you accept this as being a condition of use.
This company is registered in England and Wales at 149-151 Mortimer Street Herne Bay, Kent.
Canterbury Taxis Ltd.
Neither party shall be liable to the other for any failure to perform any obligation under any Agreement which is due to an event beyond the control of such party, including but not limited to any Act of God, terrorism, war, political insurgence, insurrection, riot, civil unrest, act of civil or military authority, uprising, earthquake, flood or any other natural or man-made eventuality outside of our control which causes the termination of an agreement or contract entered into, nor which could have been reasonably foreseen. Any Party affected by such event shall forthwith inform the other Party of the same and shall use all reasonable endeavours to comply with the terms and conditions of any Agreement contained herein.
Failure of either Party to insist upon strict performance of any provision of this or any Agreement, or the failure of either Party to exercise any right or remedy to which it, he or they are entitled hereunder, shall not constitute a waiver thereof and shall not cause a diminution of the obligations under this or any Agreement. No waiver of any of the provisions of this or any Agreement shall be effective unless it is expressly stated to be such and signed by both Parties.
The laws of England and Wales govern these terms and conditions. By accessing this website [and using our services/buying our products] you consent to these terms and conditions and to the exclusive jurisdiction of the English courts in all disputes arising out of such access.
If any of these terms are deemed invalid or unenforceable for any reason (including, but not limited to, the exclusions and limitations set out above), then the invalid or unenforceable provision will be severed from these terms and the remaining terms will continue to apply.
Failure of the Company to enforce any of the provisions set out in these Terms and Conditions and any Agreement, or failure to exercise any option to terminate, shall not be construed as a waiver of such provisions and shall not affect the validity of these Terms and Conditions or of any Agreement or any part thereof, or the right thereafter to enforce each and every provision. These Terms and Conditions shall not be amended, modified, varied or supplemented except in writing and signed by duly authorized representatives of the Company.
Notification of Changes
The Company reserves the right to change these conditions from time to time as it sees fit and your continued use of the site will signify your acceptance of any adjustment to these terms. Any changes will be posted on this page and on other key pages on our site. If there are any changes in how we use our site customers' Personally Identifiable Information, notification will be given by e-mail or by posting on this page. You are therefore advised to re-read this statement on a regular basis.
These terms and conditions form part of the Agreement between the Client and ourselves.
Your accessing of this website and/or undertaking of a booking or Agreement indicates your understanding of, agreement to and acceptance of the Disclaimer Notice and the full Terms and Conditions contained herein. Your statutory Consumer Rights are unaffected.
Your data, our responsibilities
Registration Number: ZA064788
Date Registered: 10 July 2014
Registration Expires: 09 July 2016
Data Controller: Canterbury Taxis Ltd.
149-151 Mortimer Street
This register entry describes, in very general terms, the personal data being processed by: Canterbury Taxis Ltd.
Nature of work: Transportation
Description of processing
The following is a broad description of the way this organisation/data controller processes personal information. To understand how your own personal information is processed you may need to refer to any personal communications you have received, check any privacy notices the organisation has provided or contact the organisation to ask about your personal circumstances.
Reasons/purposes for processing information
We process personal information to enable us to provide a transport service to our customers, maintain our accounts and records, promote our services and manage and support our staff. We also process personal information using a CCTV system to monitor and collect visual images for the purpose of security and the prevention and detection of crime.
Type/classes of information processed
We process information relevant to the above reasons/purposes. This may include:
- personal details
- family details
- lifestyle and social circumstances
- education and employment details
- financial details
- goods and services
- visual images, personal appearance and behaviour
We also process sensitive classes of information that may include:
- racial and ethnic origin
- physical or mental health details
- trade union membership
- religious and similar beliefs
- criminal proceedings, outcomes and sentences
- offences and alleged offences
Who the information is processed about
We process personal information about:
- suppliers and service providers
- complainants, enquirers
- professional advisers and consultants
- individuals captured by CCTV images
- offenders and suspected offenders
Who the information may be shared with
We sometimes need to share the personal information we process with the individual themself and also with other organisations. Where this is necessary we are required to comply with all aspects of the Data Protection Act (DPA). What follows is a description of the types of organisations we may need to share some of the personal information we process with, for one or more reasons. Where necessary or required we share information with:
- family, associates and representatives of the person whose personal information we are processing
- current, past or prospective employers
- suppliers and service providers
- business associates and professional advisers
- financial organisations
- persons making an enquiry or complaint
- educators and examining bodies
- employment and recruitment agencies
- credit reference agencies
- debt collection and tracing agencies
- central government
- police forces and security organisations
CCTV for crime prevention
CCTV is used for maintaining the security of property and premises and for preventing and investigating crime; it may also be used to monitor staff when carrying out work duties. For these reasons the information processed may include visual images, personal appearance and behaviours. This information may be about staff, customers and clients, offenders and suspected offenders, members of the public and those inside, entering or in the immediate vicinity of the area under surveillance. Where necessary or required this information is shared with the data subjects themselves, employees and agents, service providers, police forces, security organisations and persons making an enquiry.
Transfers
It may sometimes be necessary to transfer personal information overseas. When this is needed, information is only shared within the European Economic Area (EEA). Any transfers made will be in full compliance with all aspects of the Data Protection Act.
This registration certifies that we are a Data Controller. More information can be seen on the ICO register at www.ico.org.uk.
Please see our Information Security Policy below:
Information Security Policy
Canterbury Taxis Ltd.
Thursday 29 October 2015
Information Security Policy
1. Network Security
2. Acceptable Use Policy
3. Protect Stored Data
4. Information Classification
5. Access to the Sensitive Cardholder Data
6. Physical Security
7. Protect Data in Transit
8. Disposal of Stored Data
9. Security Awareness and Procedures
10. Credit Card (PCI) Security Incident Response Plan
11. Transfer of Sensitive Information Policy
12. User Access Management
13. Access Control Policy
This Policy document encompasses all aspects of security surrounding confidential company information and must be distributed to all company employees. All company employees must read this document in its entirety and sign the form confirming they have read and fully understand this policy. This document will be reviewed and updated by Management on an annual basis or when relevant to include newly developed security standards into the policy and re-distributed to all employees and contractors where applicable.
Information Security Policy
Canterbury Taxis Ltd. (from now on referred to as "the Company") handles sensitive cardholder information daily. Sensitive information must have adequate safeguards in place to protect the cardholder data and cardholder privacy, to ensure compliance with various regulations, and to guard the future of the Company. The Company commits to respecting the privacy of all its customers and to protecting any customer data from outside parties. To this end, management is committed to maintaining a secure environment in which to process cardholder information so that we can meet these promises.
Employees handling sensitive cardholder data should:
- Handle Company and cardholder information in a manner that fits with its sensitivity and classification;
- Limit personal use of the Company information and telecommunication systems and ensure it does not interfere with their job performance; the Company reserves the right to monitor, access, review, audit, copy, store or delete any electronic communications, equipment, systems and network traffic for any purpose;
- Not use e-mail and other Company resources to engage in any action that is offensive, threatening, discriminatory, defamatory, slanderous, pornographic, obscene, harassing or illegal;
- Not disclose personnel information unless authorized;
- Protect sensitive cardholder information;
- Keep passwords and accounts secure;
- Request approval from management prior to establishing any new software or hardware, third party connections, etc.;
- Not install unauthorized software or hardware, including modems and wireless access points, unless they have explicit management approval;
- Always leave desks clear of sensitive cardholder data and lock computer screens when unattended.
Information security incidents must be reported, without delay, to the individual responsible for incident response locally. Please find out who this is.
We each have a responsibility for ensuring our company’s systems and data are protected from unauthorized access and improper use. If you are unclear about any of the policies detailed herein you should seek advice and guidance from your line manager.
1. Network Security
A high-level network diagram of the network is maintained and reviewed on a yearly basis. The network diagram provides a high-level overview of the cardholder data environment (CDE), which at a minimum shows the connections in and out of the CDE. Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable should also be illustrated.
In addition, external vulnerability scans should be performed and completed by a PCI SSC Approved Scanning Vendor (ASV), where applicable. Evidence of these scans should be maintained for a period of 18 months.
2. Acceptable Use Policy
Management’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to the Company’s established culture of openness, trust and integrity. Management is committed to protecting the employees, partners and the Company from illegal or damaging actions, either knowingly or unknowingly by individuals. The Company will maintain an approved list of technologies and devices and personnel with access to such devices as detailed in Appendix B.
Employees are responsible for exercising good judgment regarding the reasonableness of personal use.
Employees should take all necessary steps to prevent unauthorized access to confidential data which includes card holder data.
Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts.
All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature.
All POS and PIN entry devices should be appropriately protected and secured so they cannot be tampered or altered.
The List of Devices in Appendix B will be regularly updated when devices are modified, added or decommissioned. A stocktake of devices will be regularly performed and devices inspected to identify any potential tampering or substitution of devices.
Users should be trained in the ability to identify any suspicious behaviour where any tampering or substitution may be performed. Any suspicious behaviour will be reported accordingly.
Information contained on portable computers is especially vulnerable, special care should be exercised.
Postings by employees from a Company email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of the Company, unless posting is in the course of business duties.
Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.
3. Protect Stored Data
All sensitive cardholder data stored and handled by the Company and its employees must be securely protected against unauthorised use at all times. Any sensitive card data that is no longer required by the Company for business reasons must be discarded in a secure and irrecoverable manner.
If there is no specific need to see the full PAN (Primary Account Number), it must be masked when displayed.
PANs which are not protected as stated above must not be sent to outside networks via end-user messaging technologies such as chat, instant messengers (e.g. ICQ), etc.
It is strictly prohibited to store:
1. The contents of the payment card magnetic stripe (track data) on any media whatsoever.
2. The CVV/CVC (the 3 or 4 digit number on the signature panel on the reverse of the payment card) on any media whatsoever.
3. The PIN or the encrypted PIN Block under any circumstance.
4. Information Classification
Data and media containing data must always be labelled to indicate sensitivity level.
Confidential data might include information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure, or data that would cause severe damage to the Company if disclosed or modified. Confidential data includes cardholder data.
Internal Use data might include information that the data owner feels should be protected to prevent unauthorized disclosure.
Public data is information that may be freely disseminated.
5. Access to the Sensitive Cardholder Data
All access to sensitive cardholder data should be controlled and authorised. Any job functions that require access to cardholder data should be clearly defined.
Any display of cardholder data should be restricted to at most the first 6 and the last 4 digits of the PAN.
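As an added illustration of the masking rule above and the storage prohibitions in section 3 (this is example code written for this page, not part of the Company's policy or systems): a small Python scanner that finds Luhn-valid PANs in a stored record, flags track-2 data, which the policy says must never be stored, and rewrites each PAN into the first-6/last-4 form. The sample record, its field names and the regular expressions are constructed for the example; 4111111111111111 is a widely published test PAN, not a real card, and the 16-digit booking reference is included to show that a digit run that fails the Luhn check is left alone.

```python
import re
from typing import Dict, List

# Constructed sample record (not real data): a booking log line in which a
# test PAN was written unmasked, a track-2 string was stored, and a 16-digit
# booking reference happens to look like a card number but is not one.
SAMPLE_RECORD = (
    "2016-03-01 09:14 booking=1234567890123456 card=4111111111111111 "
    "track2=;4111111111111111=25121011234567890? amount=42.50"
)

# 13-19 digits, optionally separated by single spaces or hyphens, not
# embedded in a longer digit run.
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Track-2 layout: ';' PAN '=' YYMM service-code/discretionary data '?'.
# Only this common layout is covered; other encodings need their own pattern.
TRACK2 = re.compile(r";\d{13,19}=\d{4}[^?]*\?")


def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Show only the first 6 and last 4 digits, as the policy requires."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit run in text, separators stripped."""
    found = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def scan_record(text: str) -> Dict[str, object]:
    """Report unmasked PANs and track data, and produce a redacted copy."""
    pans = find_pans(text)
    track_hit = TRACK2.search(text) is not None
    redacted = TRACK2.sub("[TRACK DATA REMOVED]", text)
    for pan in set(pans):
        redacted = redacted.replace(pan, mask_pan(pan))
    return {"pans": pans, "track_data": track_hit, "redacted": redacted}


if __name__ == "__main__":
    result = scan_record(SAMPLE_RECORD)
    print("unmasked PANs found:", len(result["pans"]))
    print("track data present:", result["track_data"])
    print(result["redacted"])
```

Run it over exported logs, database dumps and mail archives before the annual policy review: any hit is a finding, since unmasked PANs are permitted only where a defined job function needs them and track data may never be stored. The track-data pattern covers only the common track-2 layout, so a clean result does not prove absence.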
Access to sensitive cardholder information such as PAN’s, personal information and business data is restricted to employees that have a legitimate need to view such information.
No other employees should have access to this confidential data unless they have a genuine business need.
If cardholder data is shared with a Service Provider (3rd party) then a list of such Service Providers will be maintained as detailed in Appendix C. The Company will ensure that a written agreement is in place that includes an acknowledgement that the Service Provider will be responsible for the cardholder data that the Service Provider possesses. The Company will ensure that an established process, including proper due diligence, is in place before engaging with a Service Provider.
The Company will have a process in place to monitor the PCI DSS compliance status of the Service Provider.
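The display rule in this section (no more than the first 6 and last 4 digits of a PAN visible) is easy to state and easy to get wrong in screens, reports and log lines. The following Python helper is an added example, not code from the Company's policy or systems: it masks a PAN to first 6 / last 4, fully masks anything too short to have a hidden middle, and uses a Luhn check so that only card numbers, not other long numbers such as booking references or phone numbers, are masked in free text. The card numbers used are constructed test values, not real accounts.

```python
"""PAN masking for display: at most the first 6 and last 4 digits are shown.

Added example, not part of the Company's policy document. The card numbers
used below are constructed test values that pass the Luhn check; they are not
real accounts.
"""
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn (mod 10) check.

    Used to separate real-looking PANs from other long numbers (booking refs,
    phone numbers) so that only card numbers are masked.
    """
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Mask a PAN so that only the first `first` and last `last` digits remain.

    Separators are stripped before masking. A value too short to have a
    hidden middle section is masked completely rather than partly exposed.
    """
    digits = re.sub(r"\D", "", pan)
    if len(digits) <= first + last:
        return "*" * len(digits)
    return digits[:first] + "*" * (len(digits) - first - last) + digits[-last:]


def mask_pans_in_text(text: str) -> str:
    """Mask every Luhn-valid PAN found in free text (a screen, report or log line).

    Candidate numbers that fail the Luhn check are left untouched.
    """
    def _replace(match):
        candidate = match.group(0)
        digits = re.sub(r"\D", "", candidate)
        return mask_pan(digits) if luhn_valid(digits) else candidate

    return PAN_CANDIDATE_RE.sub(_replace, text)


if __name__ == "__main__":
    # Constructed sample line: booking reference, test card number, phone number.
    sample = "Booking 20161029-0042 paid with card 4111 1111 1111 1111, tel 01227 000000"
    print(mask_pans_in_text(sample))
```

The Luhn check is what keeps the masking from eating booking references and phone numbers; it does not prove a number is a live card, so a Luhn-valid but non-card number in the text would still be masked, which is the safe direction to err.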
6. Physical Security
Access to sensitive information in both hard and soft media format must be physically restricted to prevent unauthorised individuals from obtaining sensitive data.
Media is defined as any printed or handwritten paper, received faxes, floppy disks, back-up tapes, computer hard drive, etc.
Media containing sensitive cardholder information must be handled and distributed in a secure manner by trusted individuals.
Visitors must always be escorted by a trusted employee when in areas that hold sensitive cardholder information.
Procedures must be in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible. “Employee” refers to full-time and part-time employees, temporary employees and personnel, and consultants who are “resident” on Company sites. A “visitor” is defined as a vendor, guest of an employee, service personnel, or anyone who needs to physically enter the premises for a short duration, usually not more than one day.
A list of devices that accept payment card data should be maintained.
The list should include make, model and location of the device.
The list should have the serial number or a unique identifier of the device.
The list should be updated when devices are added, removed or relocated.
The surfaces of POS devices are periodically inspected to detect tampering or substitution.
Personnel using the devices should be trained in, and aware of, the correct handling of POS devices.
Personnel using the devices should verify the identity of any third party personnel claiming to repair or run maintenance tasks on the devices, install new devices or replace devices.
Personnel using the devices should be trained to report suspicious behaviour and indications of tampering with the devices to the appropriate personnel.
Strict control is maintained over the external or internal distribution of any media containing cardholder data; such distribution has to be approved by management.
Strict control is maintained over the storage and accessibility of media.
All computers that store sensitive cardholder data must have a password protected screensaver enabled to prevent unauthorised use.
7. Protect Data in Transit
All sensitive cardholder data must be protected securely if it is to be transported physically or electronically.
Card holder data (PAN, track data, etc.) must never be sent over the internet via email, instant chat or any other end user technologies.
If there is a business justification to send cardholder data via email or by any other mode, then it should be done only after authorization and by using a strong encryption mechanism (e.g. AES encryption, PGP encryption, IPsec, etc.).
The transportation of media containing sensitive cardholder data to another location must be authorised by management, logged and inventoried before leaving the premises. Only secure courier services may be used for the transportation of such media. The status of the shipment should be monitored until it has been delivered to its new location.
8. Disposal of Stored Data
All data must be securely disposed of when no longer required by the Company, regardless of the media or application type on which it is stored.
An automatic process must exist to permanently delete on-line data, when no longer required.
All hard copies of cardholder data must be manually destroyed when no longer required for valid and justified business reasons. A quarterly process must be in place to confirm that all non-electronic cardholder data has been appropriately disposed of in a timely manner. The Company will have procedures for the destruction of hardcopy (paper) materials. These will require that all hardcopy materials are crosscut shredded, incinerated or pulped so they cannot be reconstructed. The Company will have documented procedures for the destruction of electronic media. These will require:
o All cardholder data on electronic media must be rendered unrecoverable when deleted, e.g. by degaussing, by electronic wiping using a military grade secure deletion process, or by physical destruction of the media;
o If secure wipe programs are used, the process must define the industry accepted standards followed for secure deletion.
All cardholder information awaiting destruction must be held in lockable storage containers clearly marked “To Be Shredded” – access to these containers must be restricted.
9. Security Awareness and Procedures
The policies and procedures outlined below must be incorporated into company practice to maintain a high level of security awareness. The protection of sensitive data demands regular training of all employees and contractors.
Review handling procedures for sensitive information and hold periodic security awareness meetings to incorporate these procedures into day to day company practice.
Distribute this security policy document to all company employees to read. It is required that all employees confirm that they understand the content of this security policy document by signing an acknowledgement form (see Appendix A).
All employees that handle sensitive information will undergo background checks (such as criminal and credit record checks, within the limits of the local law) before they commence their employment with the Company.
All third parties with access to credit card account numbers are contractually obligated to comply with card association security standards (PCI/DSS).
Company security policies must be reviewed annually and updated as needed.
10. Credit Card (PCI) Security Incident Response Plan
The Company PCI Security Incident Response Team (PCI Response Team) is comprised of the Information Security Officer and Merchant Services. The Company PCI security incident response plan is as follows:
1. Each department must report an incident to the Information Security Officer (preferably) or to another member of the PCI Response Team.
2. That member of the team receiving the report will advise the PCI Response Team of the incident.
3. The PCI Response Team will investigate the incident and assist the potentially compromised department in limiting the exposure of cardholder data and in mitigating the risks associated with the incident.
4. The PCI Response Team will resolve the problem to the satisfaction of all parties involved, including reporting the incident and findings to the appropriate parties (credit card associations, credit card processors, etc.) as necessary.
5. The PCI Response Team will determine if policies and processes need to be updated to avoid a similar incident in the future, and whether additional safeguards are required in the environment where the incident occurred, or for the institution.
The Company PCI Security Incident Response Team (or equivalent in your
Information Security Officer
Collections & Merchant Services
Information Security PCI Incident Response Procedures:
A department that reasonably believes it may have an account
or a breach of cardholder information or of systems related to the PCI environment in general, must inform the Company PCI Incident Response Team. After being notified of a compromise, the PCI Response Team, along with other designated staff, will implement the PCI Incident Response Plan to assist and augment departments’ response plans.
Incident Response Notification
Escalation Members (or equivalent in your company):
Escalation – First Level:
Information Security Officer
In response to a systems compromise, the PCI Response Team and designees will:
1. Ensure the compromised system(s) are isolated from the network.
2. Gather, review and analyze the logs and related information from the various central and local safeguards and security controls.
3. Conduct appropriate forensic analysis of
4. Contact internal and external departments and entities as appropriate.
5. Make forensic and log analysis available to appropriate law enforcement or card industry security personnel, as required.
6. Assist law enforcement and card industry security personnel in investigative processes, including in prosecutions.
The credit card companies have individually specific requirements that the Response Team must address in reporting suspected or confirmed breaches of cardholder data. See below for these requirements.
Incident Response notifications to various card schemes
1. In the event of a suspected security breach, alert the information security officer or your line manager immediately.
2. The security officer will carry out an initial investigation of the suspected security breach.
3. Upon confirmation that a security breach has occurred, the security officer will alert management and begin informing all relevant parties that may be affected by the compromise.
If the data security compromise involves credit card account numbers, implement the following procedure:
Shut down any systems or processes involved in the breach to limit its extent and prevent further exposure.
Alert all affected parties and authorities, such as the Merchant Bank (your Bank), Visa Fraud Control and law enforcement.
Provide details of all compromised or potentially compromised card numbers to Visa Fraud Control within 24 hrs.
For more information visit: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_if_compromised.html
Visa Incident Report Template
This report must be provided to VISA within 14 days after initial report of
to VISA. The following report content and standards must be followed when completing the incident report.
The report must be securely distributed to VISA and the Merchant Bank. Visa will classify the report as “VISA Secret”*.
I. Executive Summary
a. Include overview of the incident
b. Include risk level (High, Medium, Low)
c. Determine if compromise has been contained
III. Initial Analysis
IV. Investigative Procedures
a. Include forensic tools used during investigation
a. Number of accounts at risk, identify those stored and compromised
b. Type of account information at risk
c. Identify ALL systems analyzed. Include the following:
Domain Name System (DNS) names
Internet Protocol (IP) addresses
Operating System (OS) version
Function of system(s)
d. Identify ALL compromised systems. Include the following:
Function of System(s)
e. Timeframe of compromise
f. Any data exported by intruder
g. Establish how the compromise occurred and its source
h. Check all potential database locations to ensure that no CVV2, Track 1 or Track 2 data is stored anywhere, whether encrypted or unencrypted (e.g., duplicate or backup tables or databases, databases used in development, stage or testing environments, data on software engineers’ machines, etc.)
i. If applicable, review VisaNet endpoint security and determine risk
VI. Compromised Entity Action
VIII. Contact(s) at entity and security assessor performing investigation
*This classification applies to the most sensitive business information, which is intended for use within VISA. Its unauthorized disclosure could seriously and adversely impact VISA, its employees, member banks, business partners, and/or the Brand.
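The prohibition on storing track data, CVV/CVC and PIN data at the start of this policy section, and item h of the Visa report template above, both come down to one verifiable check: no Track 1, Track 2 or card verification code is present in any data store, including backups, development copies and engineers' machines. The following Python scanner is an added example, not the Company's own tooling: it applies plaintext pattern checks for Track 1, Track 2 and labelled CVV fields to a constructed set of records. The record locations, their contents and the card number in them are made up for illustration.

```python
"""Scan stored records for data that must never be retained after authorisation:
full track data (Track 1 / Track 2) and the card verification code (CVV2/CVC2/CID).

Added example, not part of the Company's policy document. The record store and
its contents are constructed for illustration; the PAN in them is a test number.
"""
import re

# Track 1 (ISO 7813 format B): %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
# Track 2: ;<PAN>=<YYMM><service code>...?
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")
# A labelled verification code field, e.g. "cvv=123", "CVC2: 4567", "cid = 1234"
CVV_FIELD_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|csc)\b\s*[:=]\s*\d{3,4}\b", re.IGNORECASE)

CHECKS = (("track1", TRACK1_RE), ("track2", TRACK2_RE), ("cvv", CVV_FIELD_RE))


def scan_record(location: str, text: str) -> list:
    """Return (location, data_type) findings for prohibited data in one record."""
    return [(location, name) for name, rx in CHECKS if rx.search(text)]


def scan_store(records: dict) -> list:
    """Scan a mapping of location -> record text and return all findings in order."""
    findings = []
    for location, text in records.items():
        findings.extend(scan_record(location, text))
    return findings


# Constructed sample store: a production row, a developer's debug dump, a backup
# export and a test-environment POS trace. Only the production row is compliant.
SAMPLE_STORE = {
    "prod.bookings.row/7": "booking=7;pan_masked=411111******1111;amount=14.50",
    "dev.debug_dump.txt": "raw swipe: %B4111111111111111^TEST/CARD^25121011000000000?",
    "backup.bookings_2016.csv": "7,4111111111111111,2512,cvv=123",
    "test.pos_trace.log": "track2=;4111111111111111=25121011234567890?",
}


def report(records: dict = SAMPLE_STORE) -> list:
    """One human-readable line per finding, for the quarterly confirmation."""
    return [f"{loc}: prohibited {kind} data present" for loc, kind in scan_store(records)]


if __name__ == "__main__":
    for line in report():
        print(line)
```

Pattern matching only finds plaintext copies. The policy item asks for the check "whether encrypted or unencrypted", so encrypted or encoded copies still need a review of table schemas, backup catalogues and where the keys are used; this scanner covers the part that can be automated.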
I. Within 24 hours of an account compromise event, notify the MasterCard Compromised Account Team via phone at 1-636-722-4100.
II. Provide a detailed written statement of fact about the account compromise (including the contributing circumstances) via secured e-mail to firstname.lastname@example.org.
III. Provide the MasterCard Merchant Fraud Control Department with a complete list of all known compromised account numbers.
IV. Within 72 hours of knowledge of a suspected account compromise, engage the services of a data security firm acceptable to MasterCard to assess the vulnerability of the compromised data and related systems (such as a detailed forensics evaluation).
V. Provide weekly written status reports to MasterCard, addressing open questions and issues until the audit is complete to the satisfaction of MasterCard.
VI. Promptly furnish updated lists of potential or known compromised account numbers, additional documentation, and other information that MasterCard may request.
VII. Provide findings of all audits and investigations to the MasterCard Merchant Fraud Control department within the required time frame and continue to address any outstanding exposure or recommendation until resolved to the satisfaction of MasterCard.
Once MasterCard obtains the details of the account data compromise and the list of compromised account numbers, MasterCard will:
1. Identify the issuers of the accounts that were suspected to have been compromised and group all known accounts under the respective parent member IDs.
2. Distribute the account number data to its respective issuers.
Employees of the company will be expected to report any security related issues to the security officer. The role of the security officer is to effectively communicate all security policies and procedures to employees within the company and to contractors. In addition, the security officer will oversee the scheduling of security training sessions, monitor and enforce the security policies outlined both in this document and at the training sessions and, finally, oversee the implementation of the incident response in the event of a sensitive data compromise.
Discover Card Steps
I. Within 24 hours of an account compromise event, notify Discover Fraud Prevention at (800) 347-3102
II. Prepare a detailed written statement of fact about the account compromise including the contributing circumstances
III. Prepare a list of all known compromised account numbers
IV. Obtain additional specific requirements from Discover Card
American Express Steps
I. Within 24 hours of an account compromise event, notify American Express Merchant Services at (800) 528-5200 in the U.S.
II. Prepare a detailed written statement of fact about the account compromise including the contributing circumstances
III. Prepare a list of all known compromised account numbers
IV. Obtain additional specific requirements from American Express
11. Transfer of Sensitive Information Policy
All third-party companies providing critical services to the Company must provide an agreed Service Level Agreement.
All third-party companies providing hosting facilities must comply with the Company’s Physical Security and Access Control Policy.
All third-party companies which have access to Card Holder information must
1. Adhere to the PCI DSS security requirements.
2. Acknowledge their responsibility for securing the Card Holder data.
3. Acknowledge that the Card Holder data must only be used for assisting the completion of a transaction, supporting a loyalty program, providing a fraud control service or for uses specifically required by law.
4. Have appropriate provisions for business continuity in the event of a major disruption, disaster or failure.
5. Provide full cooperation and access to conduct a thorough security review after a security intrusion by a Payment Card industry representative, or a Payment Card industry approved third
12. User Access Management
Access to Company systems is controlled through a formal user registration process, beginning with a formal notification from HR or from a line manager.
Each user is identified by a unique user ID so that users can be linked to and made responsible for their actions. The use of group IDs is only permitted where they are suitable for the work carried out.
There is a standard level of access; other services can be accessed when specifically authorized by HR/line management.
The job function of the user decides the level of access the employee has to cardholder data.
A request for service must be made in writing (email or hard copy) by the newcomer’s line manager or by HR. The request is free format, but must state:
Name of person making request;
Job title and workgroup of the newcomer;
Services required (default services are: MS Outlook, MS Office and Internet access).
Each user will be given a copy of their new user form to provide a written statement of their access rights, signed by an IT representative after their induction procedure. The user signs the form indicating that they understand the conditions of access. Access to all the Company systems is provided by IT and can only be started after proper procedures are completed.
As soon as an individual leaves the Company employment, all his/her system logons must be immediately revoked.
As part of the employee termination process HR (or line managers in the case of contractors) will inform IT operations of all leavers and their date of leaving.
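The two rules above (revoke all logons as soon as someone leaves; HR or line managers notify IT of leavers and their dates) can be verified mechanically by reconciling the leaver list against the accounts that are actually enabled, which is also the kind of evidence the access review in the next section needs. The following Python check is an added example, not part of the Company's own process: the leaver list, account records and check date are constructed, and in practice the account records would come from a directory export (e.g. Active Directory) and the leaver list from HR.

```python
"""Reconcile HR leaver notifications against enabled system accounts so that
logons of people who have left are revoked promptly.

Added example, not part of the Company's policy document. The leaver list and
account records are constructed; in practice they would come from HR and from
the directory (for example an Active Directory export).
"""
from datetime import date


def revocation_findings(leavers: dict, accounts: list, today: date) -> list:
    """Return (user_id, issue) pairs for accounts that breach the leaver rule.

    leavers:  user_id -> leaving date as notified by HR / the line manager
    accounts: records with keys user_id, enabled (bool), last_logon (date or None)
    today:    date of the check (passed in so the check is repeatable)

    Two issues are reported: an account still enabled on or after the leaving
    date, and any logon recorded after the leaving date (even on an account
    that has since been disabled, since that logon needs investigating).
    """
    findings = []
    for acct in accounts:
        left = leavers.get(acct["user_id"])
        if left is None or left > today:
            continue                      # not a leaver, or has not left yet
        if acct["enabled"]:
            findings.append((acct["user_id"], "account still enabled after leaving date"))
        last = acct.get("last_logon")
        if last is not None and last > left:
            findings.append((acct["user_id"], "logon recorded after leaving date"))
    return findings


def accounts_to_disable(leavers: dict, accounts: list, today: date) -> list:
    """Just the user IDs whose logons must be revoked now, sorted for the ticket."""
    return sorted({uid for uid, issue in revocation_findings(leavers, accounts, today)
                   if issue.startswith("account still enabled")})


# Constructed sample data: HR leaver notifications and a directory export.
LEAVERS = {
    "jsmith": date(2016, 10, 14),   # left two weeks before the check
    "abrown": date(2016, 11, 30),   # notice given, still employed
    "tgreen": date(2016, 10, 21),   # left, account already disabled
}
ACCOUNTS = [
    {"user_id": "jsmith", "enabled": True, "last_logon": date(2016, 10, 13)},
    {"user_id": "abrown", "enabled": True, "last_logon": date(2016, 10, 28)},
    {"user_id": "tgreen", "enabled": False, "last_logon": date(2016, 10, 25)},
    {"user_id": "dispatch1", "enabled": True, "last_logon": date(2016, 10, 28)},
]
CHECK_DATE = date(2016, 10, 29)


if __name__ == "__main__":
    for uid, issue in revocation_findings(LEAVERS, ACCOUNTS, CHECK_DATE):
        print(f"{uid}: {issue}")
    print("disable now:", accounts_to_disable(LEAVERS, ACCOUNTS, CHECK_DATE))
```

Passing the check date in rather than reading the clock keeps the run reproducible for the review log; the "logon after leaving date" finding is deliberately reported even when the account is already disabled, because it shows the revocation came too late and the activity in between needs to be looked at.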
13. Access Control Policy
Access Control systems are in place to protect the interests of all users of the Company computer systems by providing a safe, secure and readily accessible environment in which to work. The Company will provide all employees and other users with the information they need to carry out their responsibilities in as effective and efficient a manner as possible.
Generic or group IDs shall not normally be permitted, but may be granted under exceptional circumstances if sufficient other controls on access are in place.
The allocation of privilege rights (e.g. local administrator, domain administrator, super-user, root access) shall be restricted and controlled, and authorization provided jointly by the system owner and IT Services. Technical teams shall guard against issuing privilege rights to entire teams to prevent loss of confidentiality.
Access rights will be accorded following the principles of least privilege and need to know.
Every user should attempt to maintain the security of data at its classified level even if technical security mechanisms fail or are absent.
Users electing to place information on digital media or storage devices, or maintaining a separate database, must only do so where such an action is in accord with the data’s classification. Users are obligated to report instances of non-compliance to the Company CISO. Access to the Company IT resources and services will be given through the provision of a unique Active Directory account and complex password. No access to any Company IT resources and services will be provided without prior authentication and authorization of the user’s Company Windows Active Directory account.
Password issuing, strength requirements, changing and control will be managed through formal processes. Password length, complexity and expiration times will be controlled through Windows Active Directory Group Policy Objects.
Access to Confidential, Restricted and Protected information will be limited to authorised persons whose job responsibilities require it, as determined by the data owner or their designated representative. Requests for access permission to be granted, changed or revoked must be made in writing. Users are expected to become familiar with and abide by the Company policies, standards and guidelines for appropriate and acceptable usage of the networks and systems.
Access for remote users shall be subject to authorization by IT Services and be provided in accordance with the Remote Access Policy and the Information Security Policy. No uncontrolled external access shall be permitted to any network device or networked system.
Access to data is variously and appropriately controlled according to the data classification levels described in the Information Security Management Policy.
Access control methods include logon access rights, Windows share and NTFS permissions, user account privileges, server and workstation access rights, firewall permissions, IIS intranet/extranet authentication rights, SQL database rights, isolated networks and other methods as necessary.
A formal process shall be conducted at regular intervals by system owners and data owners in conjunction with IT Services to review users’ access rights. The review shall be logged and IT Services shall sign off the review to give authority for users’ continued access rights.
Appendix A – Agreement to Comply Form – Agreement to Comply With Information Security Policies
Employee Name (printed)
I agree to take all reasonable precautions to assure that company internal
or information that has been entrusted to the company by third parties such as customers, will not be disclosed to
persons. At the end of my employment or contract with the company, I agree to return all information to which I have had access as a result of my position. I understand that I am not
to use sensitive information for my own purposes, nor am I at liberty to provide this information to third parties without the express written consent of the internal manager who is the designated information owner.
I have access to a copy of the Information Security Policies, I have read and understand these policies, and I understand how it impacts my job. As a condition of continued employment, I agree to abide by the policies and other requirements found in the company security policy. I understand that non-compliance will be cause for disciplinary action up to and including dismissal, and perhaps criminal and/or civil penalties.
I also agree to promptly report all violations or suspected violations of information security policies to the designated security officer.
Thursday 29 October 2016