Most of our customers pay for their meals with either a debit card, or a credit card. Because there are bad people out there (not at Hamra, just out there) the credit card companies got together and created a policy that we must follow in order to stay in the good graces of the credit card companies. We do this to be in compliance, but more so we do this so our customers know we are keeping their information safe. Read below for the legal policy:
What is PCI Compliance? The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially, this covers any merchant that has a Merchant ID (MID).
The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards, with a focus on improving payment account security throughout the transaction process. The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB).
It is important to note that the payment brands and acquirers are responsible for enforcing compliance, not the PCI council.
Security Policies
Applies to all who have access to BOH and register operators
Physical Security
- Video cameras will be installed to monitor equipment access, and recordings will be stored for a minimum of 30 days
- Nametags or company-logoed apparel must be worn by all employees, in accordance with the franchise uniform policy
- Visitors must either have an appointment or have required credentials as supplied by a government agency or approved third-party vendor (e.g., health inspector, Steritech, etc.)
- Visitors must be escorted at all times when they are not in public areas
- Paper shredders must be available at all of the units. Personal information and other secure data should be shredded when discarded.
The following should be used as guidelines for accessing sensitive data:
DO:
- Maintain personal safety and privacy while accessing the Internet, and use caution not to reveal personal information that could lead to identity theft
- Use appropriate and polite language while online and through electronic communication
DO NOT:
- Send, receive, view or access any material that is obscene, defamatory or intended to annoy, harass or intimidate another person
- Send email that is unsolicited, unrelated to business activities, for personal gain or contains confidential information without suitable encryption
- Send, reveal or publicize confidential or proprietary information, including sensitive information, outside of the company without prior permission
- Download any software or electronic files without prior permission and approved virus protection
- Reveal or share passwords or allow someone else to use your account, including family members when working from home
- Attempt to circumvent the authentication or security of any system, including impersonating another user or system, or testing the security of a system
- Corrupt or destroy another user’s data or violate the privacy of another user online
- Disturb or disrupt any other user or system, including propagating viruses or malicious programs, using sustained high volumes of resources, or performing any sort of denial of service
Education
- All employees will be trained on information security issues
- Refresher training will take place on an annual basis
End User
- All users must be aware of their personal contribution to the security of the information housed by the equipment at Hamra Enterprises and its affiliates
- Embrace the “security is everyone’s responsibility” philosophy
Human Resources/Training
- HR and Training are to work with IT to ensure the initial and annual training on PCI Compliance
- Develop sanctions and discipline as they relate to the security of information
- Notify IT when employees with access are terminated
Physical Access
- Access to the wireless network equipment will be limited to authorized personnel
****Any violations to the above bullet points will result in disciplinary action, up to and including termination****
I have read the Information Security Policy and understand the policies contained in it. I have access to a copy of the policy and have had the opportunity to ask questions and discuss the policy with my Supervisor or another representative of the Company. I agree to conform to the policies and will take all reasonable precautions to assure that Hamra Enterprises internal and customer information will not be disclosed to unauthorized persons. I agree to promptly report all violations or suspected violations of information security policies to the IT Project Coordinator.
At the end of my employment or contract with Hamra Enterprises, I agree to return to Hamra Enterprises any records of information to which I have had access as a result of my position with Hamra Enterprises. I understand that I am not authorized to use this information for my own purposes, nor am I at liberty to provide this information to third parties without the express written consent of the CIO. I understand that non-compliance will be cause for disciplinary action up to and including dismissal from Hamra Enterprises, and perhaps criminal and/or civil penalties.