This page is our PCI Charter, detailing how Cardholder Data (CHD) and the associated management of PCI DSS compliance is handled at Commify.
Preserving: This means that management, all full time or part time staff subcontractors, project consultants and any external parties have, and will be made aware of, their responsibilities (which are defined in their job descriptions or contracts and within the PCI DSS Roles and Responsibilities document) to preserve information security; to protect cardholder data; to report security breaches and to act in accordance with the requirements of the ISMS. All staff will receive information security awareness training and more specialised staff will receive appropriately specialised information security training.
Availability: This means that information and associated assets should be accessible to authorised users when required and therefore physically secure. The computer network must be resilient and Commify must be able to detect and respond rapidly to incidents (such as viruses and other malware) that threaten cardholder data or the continued availability of assets, systems and information.
Confidentiality: This involves ensuring that information, including cardholder data is only accessible to those authorised to access it and therefore to preventing both deliberate and accidental unauthorised access to Commify’s information and proprietary knowledge and its systems including its network(s), website(s), and e-commerce systems.
Integrity: This involves safeguarding the accuracy and completeness of information and processing methods, and therefore requires preventing deliberate or accidental; partial or complete; destruction or unauthorised modification of either physical assets or electronic data, other than as required in documented procedures for the protection of individual information or cardholder data.
The Senior Management of Commify are committed to preserving the confidentiality, integrity and availability of all the physical and electronic information assets throughout the organisation in order to comply with the PCI DSS. Information and information security requirements (specifically those within the PCI DSS) will continue to be aligned with Commify’s goals and the PCI DSS compliance programme. This programme is intended to enable continued compliance and for reducing information-related risks to acceptable levels. Commify’s current strategic business plan and risk management framework provide the context for identifying, assessing, evaluating and controlling information-related risks, including those related to cardholder data, through the establishment and maintenance of an ISMS. The Risk Assessment, Statement of Applicability and Risk Treatment Plan identify how information-related risks are controlled.
Scope of PCI DSS Compliance
Compliance with PCI DSS is mandatory for ALL merchants who accept card payments. The Senior Management shall assign responsibility for the protection of cardholder data and a PCI DSS compliance program which shall also determine the scope of compliance within Commify.
We have confirmed that we do not transmit, store or record cardholder data within our own environment. We have established that we have a potential impact on the card payment journey as part of our PCI DSS obligations through the creation and presentation of a website link to a downstream PCI compliant partner’s own PCI environment. It is the integrity and security of the creation and presentation of this website link to end users for which we are directly responsible. Our security and controls are focused on the link and its relationship to the card payment journey.
Each element of the PCI DSS compliance programme at Commify should make reference to key stakeholders. For a complete list of stakeholders and their level of involvement in any given process, refer to the PCI Roles and responsibilities matrix.
Objectives of the PCI Compliance Programme
The key objectives of the PCI DSS Compliance programme in Commify are:
To define activities for maintaining and monitoring overall PCI DSS compliance, including business-as-usual activities
Completion of annual PCI DSS assessments
To ensure continuous validation of PCI DSS requirements
To determine the potential impact of strategic business decisions on PCI DSS Compliance
Accountability for PCI DSS Compliance
Each aspect of the PCI DSS compliance programme and each implementation objective has accountability assigned.
Senior Management shall meet at least once a year to discuss the state of PCI DSS compliance within Commify and review the PCI DSS Compliance Programme to ensure its continued effectiveness. Any person with assigned responsibilities within the PCI DSS Compliance Programme must communicate with Senior Management regarding the status of it at least annually.
Risks will be managed according to best practice. This will involve the identification of likely risks, planning to avoid them and planning to mitigate any damage should they arise. Unforeseen risks will be responded to in a timely fashion, with all mitigation documented and assessed.