PCI DSS 4.0 Compliant Security Policy for Highway Safety Central
1. Introduction
Highway Safety Central is committed to protecting payment card data. This policy defines the security controls required for the website and its cardholder data environment to meet PCI DSS 4.0.
2. Scope
This policy applies to all systems, applications, personnel, and processes that store, process, or transmit payment card data on our website, and to any system component that connects to or can affect the security of that environment.
3. Network Security Controls
3.1 Install and Maintain Network Security Controls
Clearly define processes for maintaining network security.
Configure and manage Network Security Controls (NSC).
Restrict inbound and outbound traffic to and from the Cardholder Data Environment (CDE) to what is explicitly required; deny everything else.
Control all connections between trusted and untrusted networks, and document each permitted connection and its business justification.
3.2 Apply Secure Configurations to System Components
Define processes for applying secure configurations.
Ensure all system components are securely configured and managed.
Securely configure all wireless environments.
4. Protecting Account Data in Storage and Transmission
4.1 Protect Stored Account Data
Define processes for protecting stored account data.
Minimize the amount of account data stored.
Do not retain sensitive authentication data (SAD: full track data, card verification codes, PINs and PIN blocks) after authorization, even in encrypted form.
Mask the primary account number (PAN) when displayed so that at most the BIN and the last four digits are visible, and restrict the ability to copy or relocate PAN to personnel with a documented business need.
Render PAN unreadable wherever it is stored (strong cryptography, keyed one-way hashing, truncation, or index tokens), including backups, logs, and removable media.
Secure cryptographic keys used to protect account data.
Clearly define processes for managing keys securely.
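As an added illustration of the storage controls above (example code written for this policy page, not Highway Safety Central's production code), the following Python shows how an authorization record is scrubbed before it is persisted: SAD fields are dropped, the PAN is validated with the Luhn check, masked for display to no more than the first six and last four digits, and replaced in storage by its last four digits plus an HMAC-SHA-256 reference under a secret key. The PAN, the field names, and the key are all constructed sample values.

```python
import hashlib
import hmac

# Field names treated as Sensitive Authentication Data (SAD). These are
# assumed names for this example; map them to your own schema.
SAD_FIELDS = {"cvv", "cvv2", "cvc", "cid", "track1", "track2", "pin", "pin_block"}


def luhn_valid(pan: str) -> bool:
    """Luhn check plus length check so that garbage is never treated as a PAN."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, lead: int = 6, trail: int = 4) -> str:
    """Mask for display: at most BIN (first six here) and last four visible."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    if lead + trail >= len(pan):
        raise ValueError("mask would expose the full PAN")
    return pan[:lead] + "*" * (len(pan) - lead - trail) + pan[-trail:]


def pan_reference(pan: str, secret_key: bytes) -> str:
    """Keyed one-way hash for lookup and de-duplication.

    A plain SHA-256 of a PAN is brute-forceable because the PAN space is
    small; keying the hash with a secret managed under the key-management
    process removes that attack for anyone without the key.
    """
    return hmac.new(secret_key, pan.encode("ascii"), hashlib.sha256).hexdigest()


def scrub_for_storage(auth_record: dict, secret_key: bytes) -> dict:
    """Return the only representation of the record that may be persisted.

    Drops every SAD field, removes the full PAN, and keeps last four digits
    for receipts plus a keyed hash for lookups.
    """
    stored = {k: v for k, v in auth_record.items() if k.lower() not in SAD_FIELDS}
    pan = stored.pop("pan")
    if not luhn_valid(pan):
        raise ValueError("refusing to store record with malformed PAN")
    stored["pan_last4"] = pan[-4:]
    stored["pan_ref"] = pan_reference(pan, secret_key)
    return stored


# Constructed sample record; the PAN is a well-known test number, not a real card.
SAMPLE_AUTH = {
    "order_id": "HSC-1001",
    "pan": "4111111111111111",
    "expiry": "12/29",
    "cvv": "123",
    "track2": "4111111111111111=2912101",
    "amount": "49.95",
}
SAMPLE_KEY = b"constructed-demo-key-not-for-production"

if __name__ == "__main__":
    print("display:", mask_pan(SAMPLE_AUTH["pan"]))
    print("stored: ", scrub_for_storage(SAMPLE_AUTH, SAMPLE_KEY))
```

Store the masked form only if it is needed for display and keep it separate from the keyed hash: if truncated and hashed versions of the same PAN sit together, PCI DSS 4.0 requires controls that prevent correlating them to rebuild the PAN.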
4.2 Encrypt CHD for Transmission on Open Networks
Define processes for encrypting Cardholder Data (CHD) during transmission.
Use strong cryptography and protocols (TLS 1.2 or later with strong cipher suites; SSL and early TLS are not permitted) for cardholder data transmitted over open, public networks, and accept only trusted, valid certificates.
Never send unprotected PAN over end-user messaging technologies such as email, instant messaging, or SMS.
5. Web Application Security
Deploy a web application firewall or equivalent automated technical solution in front of every public-facing web application; keep it current, configured to block or generate alerts that are investigated, and generating audit logs.
Maintain an inventory of all scripts loaded and executed in the consumer's browser on payment pages, with a written justification for each; authorize every script before use and confirm the integrity of each script so that unauthorized or tampered scripts are detected.
Maintain an inventory of the trusted keys and TLS certificates used to protect PAN in transit on public-facing domains, and verify that each certificate is valid, unexpired, unrevoked, and issued by a trusted certificate authority.
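The payment page script inventory above is the kind of control that should be checked mechanically rather than by reading the page by hand. The following Python is an added example written for this policy page (not Highway Safety Central's own tooling): it parses a constructed payment page, collects external and inline scripts, and reports any script that is not in a hypothetical inventory, lacks an integrity attribute, or carries an integrity value that differs from the inventoried one. The URLs, script bodies, and inventory are constructed sample data.

```python
import base64
import hashlib
from html.parser import HTMLParser


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Subresource Integrity value (e.g. 'sha384-<base64 digest>') for content."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


class ScriptCollector(HTMLParser):
    """Collects (src, integrity) for external scripts and bodies of inline scripts."""

    def __init__(self) -> None:
        super().__init__()
        self.external: list[tuple[str, str | None]] = []
        self.inline: list[str] = []
        self._in_inline = False
        self._buf: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if a.get("src"):
            self.external.append((a["src"], a.get("integrity")))
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def audit_payment_page(html: str, inventory: dict) -> list[str]:
    """Return findings; an empty list means every script is inventoried and intact."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src, integrity in p.external:
        expected = inventory["external"].get(src)
        if expected is None:
            findings.append(f"unauthorized external script: {src}")
        elif integrity is None:
            findings.append(f"missing integrity attribute: {src}")
        elif integrity != expected:
            findings.append(f"integrity mismatch: {src}")
    for body in p.inline:
        h = sri_hash(body.encode("utf-8"), "sha256")
        if h not in inventory["inline"]:
            findings.append(f"unauthorized inline script: {h}")
    return findings


# Constructed inventory: the exact content the CDN is expected to serve, and the
# one inline bootstrap snippet the payment page is allowed to contain.
PAYMENT_JS_CONTENT = b"function tokenize(form){/* sends card fields to the PSP */}"
PAYMENT_JS_SRI = sri_hash(PAYMENT_JS_CONTENT)
AUTHORIZED_INLINE = "window.hscPay={env:'prod'};"
INVENTORY = {
    "external": {"https://cdn.example.com/payment.js": PAYMENT_JS_SRI},
    "inline": {sri_hash(AUTHORIZED_INLINE.encode("utf-8"), "sha256")},
}

# Constructed page: two authorized scripts in <head>, then an un-inventoried
# third-party script and an un-inventoried inline handler on the card form.
SAMPLE_PAGE = f"""<html><head>
<script src="https://cdn.example.com/payment.js" integrity="{PAYMENT_JS_SRI}" crossorigin="anonymous"></script>
<script>{AUTHORIZED_INLINE}</script>
</head><body>
<form id="card"><input name="pan"><input name="cvv"></form>
<script src="https://static.example.net/analytics.js"></script>
<script>document.getElementById('card').addEventListener('submit',function(){{}});</script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_payment_page(SAMPLE_PAGE, INVENTORY):
        print(finding)
```

Run this against the served payment page on a schedule and after every deployment, and treat any finding as a change-control or incident-response trigger. The integrity check only proves the tag matches the inventory; the browser enforces the hash against what the CDN actually serves, so every authorized external script must carry a correct integrity attribute.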
6. Incident Response and Monitoring
Establish an incident response plan for handling security incidents related to payment card data.
Monitor audit logs, security alerts, and anomalies to detect suspected or confirmed compromises of payment card data, and respond promptly according to the incident response plan.
7. Training and Awareness
Conduct regular security awareness training for employees handling payment card data.
Ensure all staff members understand their roles and responsibilities in maintaining PCI compliance.
8. Compliance Validation
Regularly assess and validate compliance with PCI DSS 4.0 requirements.
Engage qualified third-party assessors for periodic audits, and perform internal and external penetration testing at least annually and after any significant change to the environment.
9. Review and Updates
This policy is reviewed and updated annually or as needed to align with changes in PCI DSS requirements.