Establishing Guidelines for Information Protection
The purpose of this Information Security Policy is to establish guidelines and procedures to protect the information assets of Emerald Collectibles, and to ensure compliance with relevant industry standards, including the Payment Card Industry Data Security Standard (PCI DSS).
This policy outlines personnel responsibilities and defines the security controls required to maintain the confidentiality, integrity, and availability of our data, systems, and ecommerce environment.
Compliance is mandatory for all employees, contractors, and approved third-party vendors.
This policy applies to all departments within Emerald Collectibles, including Operations, Customer Support, Fulfillment, and Sales & Marketing.
All employees, contractors, and third-party vendors accessing company systems or data must adhere to this policy.
This policy covers all data handled by Emerald Collectibles, including but not limited to:
Cardholder Data (CHD): Primary Account Number (PAN), cardholder name, expiration date, service code.
Sensitive Authentication Data (SAD): Full magnetic stripe data, CVV/CVC codes, PIN data.
Note: Emerald Collectibles does not store SAD.
Customer Personal Information: Name, email, shipping/billing address, phone numbers, order history.
Other Confidential Data: Login data, ecommerce platform credentials (WooCommerce), cloud storage files, internal operational data.
Key information assets include all systems, networks, ecommerce tools, hosting environments, payment gateways, and data storage systems that process, transmit, or store cardholder data or sensitive customer information.
Emerald Collectibles aims to:
Fully comply with applicable PCI DSS requirements.
Ensure confidentiality, integrity, and availability of information assets.
Protect customer data from unauthorized access, disclosure, alteration, or destruction.
Protect systems and networks from security threats and vulnerabilities.
Continually improve security posture through assessments and updates.
Emerald Collectibles works with third-party partners that may impact the security of cardholder data. The following policies apply:
A formal onboarding process with due diligence is required before engaging any TPSP.
An updated list of all TPSPs is maintained and reviewed annually.
Written agreements defining security and PCI DSS responsibilities are required.
TPSP PCI compliance status is monitored annually.
A shared responsibility matrix identifies which PCI DSS requirements are handled by Emerald Collectibles, the TPSP, or jointly.
Emerald Collectibles classifies data as follows:
Confidential: Cardholder data, customer personal information, credentials, internal operational data.
Internal Use Only: Non-public business documentation and internal processes.
Public: Information intended for public distribution such as marketing materials.
Employees are responsible for properly handling data according to classification.
The designated ISO for Emerald Collectibles is Maria Thompson.
Responsibilities include:
Overseeing implementation and enforcement of this policy.
Ensuring appropriate controls are in place.
Conducting risk assessments.
Guiding employees on security best practices.
Responding to suspected or confirmed security incidents (24/7 availability).
Employees are responsible for:
Following all security policies.
Safeguarding information assets.
Reporting any incidents or vulnerabilities immediately to the ISO.
Participating in required security training.
Access to Emerald Collectibles systems follows the principle of least privilege:
Company systems are accessed only from approved devices.
Multi-factor authentication (MFA) is required for all remote access.
VPN is required for access outside the office or secure environments.
Access rights are reviewed at least every six months.
Inactive accounts are removed or disabled within 90 days.
Access for terminated users is revoked immediately.
New accounts and privilege changes require ISO approval.
Authentication requirements include:
Strong authentication factors.
Clear procedures for changing compromised credentials.
Clear instructions for incident reporting.
Logical authentication factors (tokens, certificates) are assigned individually and never shared.
Password Rules:
Minimum length: 12 characters (8 if system limitations apply).
Must include numeric and alphabetic characters.
Cannot reuse any of the last four passwords.
Passwords/passphrases are changed periodically based on risk analysis.
Passwords must maintain complexity appropriate for their usage.
Immediate credential update required if compromise is suspected.
Emerald Collectibles office and storage facilities use access-controlled entry and surveillance. Visitors must sign in and be escorted.
All system and ecommerce platform changes (including WooCommerce updates, plugin changes, and server configurations) follow a documented change management process and are tested before deployment.
A documented configuration policy ensures all systems are hardened and protected against known vulnerabilities. Updates and changes are approved and tracked.
All customer data, including cardholder data, is transmitted using strong encryption (SSL/TLS).
Only secure protocol versions are permitted.
Annual review ensures protocols remain current.
Industry-standard anti-malware is installed, monitored, and cannot be disabled by users.
Weekly scans (or more frequently if dictated by risk analysis).
Audit logs retained for at least 12 months.
Emerald Collectibles maintains a documented Incident Response Plan (IRP).
All incidents are logged, investigated, and resolved.
IRP is tested annually.
Regular backups, redundancy strategies, and defined responsibilities ensure continued operation.
Non-compliance may result in disciplinary action, up to termination.
Employees must report violations to the ISO or their supervisor.
A documented logging and monitoring policy ensures all access to critical system components and cardholder data is logged and reviewed.
Automated tools review critical logs daily.
Includes all systems storing, processing, or transmitting cardholder data.
Non-critical logs reviewed according to risk analysis.
All anomalies are documented, investigated, and remediated promptly.
This policy is reviewed annually or whenever business or regulatory changes occur.
Updates are communicated to all employees, who must comply.
CDE — Cardholder Data Environment
CHD — Cardholder Data
ISO — Information Security Officer
IRP — Incident Response Plan
MFA — Multi-Factor Authentication
PCI DSS — Payment Card Industry Data Security Standard
SAD — Sensitive Authentication Data
SSL/TLS — Secure Sockets Layer / Transport Layer Security
TPSP — Third-Party Service Provider
VPN — Virtual Private Network
