Keep data and processing secure
Only authorized staff should have access to data or information processing facilities. You need to:
- Use encryption – for data maintained on databases or files accessible via the internet.
- Manage your users - identify the individual users of information processing facilities, then assign each person a unique User Identification and password sequence. You need to make sure that each user ID is traceable to the individual who logs on.
- Make sure users understand the system - hold each individual accountable for all activity performed under his or her user ID.
- Reset passwords and settings – don’t use vendor-supplied passwords and other security parameters.
- Put user ID processes in place – set procedures for suspending and revoking user IDs. You should update user IDs every month.
- Block users – who leave the business or department.
- Set up an audit trail – using the user ID system to track access to data.
- Limit sharing - if you use information-sharing systems, such as corporate electronic bulletin boards, you must not use these to share cardholder information. You can only share this information for the specific purpose of processing an order. Only the people helping to process an order should have access to the information.
