Dr. Nina Savelle-Rocklin
Dr. Nina Savelle-Rocklin
The problem About The book Reviews Order now
← Back to home

Information Security Policy

Reviewed and updated annually

Introduction

Dr. Nina, Inc. requires all employees to review this security policy and sign an acknowledgment form. The policy is reviewed and updated annually by management to incorporate new security standards.

Core Commitment

Dr. Nina, Inc. handles sensitive cardholder information and commits to protecting customer data. Management maintains a secure environment for processing payment information.

Employee responsibilities

Employees handling sensitive data must:

  • Handle company and account data based on sensitivity classification
  • Limit personal use of company information systems
  • Avoid offensive, threatening, or illegal use of company resources
  • Protect cardholder information and secure passwords
  • Request management approval before installing new software or hardware
  • Clear desks of sensitive data and lock screens when unattended
  • Report security incidents immediately to the incident response officer
  • Attend annual security awareness training

1. Network Security

A high-level diagram of the cardholder data environment (CDE) is maintained and reviewed yearly. Approved Security Scanning Vendor (ASV) assessments occur quarterly, with evidence retained for 18 months.

2. Acceptable Use

  • Exercise good judgment regarding personal use of company systems
  • Prevent unauthorized access to confidential and cardholder data
  • Secure passwords; do not share accounts
  • Enable password-protected screensavers on all workstations
  • Protect POS and PIN-entry devices from tampering
  • Maintain an updated device inventory
  • Exercise caution with email attachments from unknown senders

3. Protecting Stored Data

Strictly prohibited:

  • Storing Primary Account Numbers (PAN) or sensitive authentication data electronically
  • Storing payment-card magnetic stripe (track) data on any media
  • Storing CVV2/CVC2/CAV2/CID numbers on any media
  • Storing PIN or encrypted PIN blocks

Requirements:

  • Mask PAN display to first 6 and last 4 digits maximum
  • Securely dispose of cardholder data no longer needed for business purposes
  • Do not transmit PANs via email, chat, or unsecured messaging

4. Information Classification

  • Confidential: legal or financial penalties for disclosure; includes account/cardholder data
  • Internal Use: information requiring protection from unauthorized disclosure
  • Public: information freely disseminated

5. Access to Sensitive Cardholder Data

  • Restrict display to first 6 and last 4 digits of PAN
  • Limit access to employees with legitimate business need
  • Maintain a list of third-party service providers with data access
  • Require written agreements with service providers acknowledging responsibility
  • Conduct due diligence before engaging third-party service providers
  • Monitor TPSP PCI DSS compliance status
  • Document security responsibilities between the organization and the TPSP

6. Physical Security

  • Restrict access to sensitive information in hard and soft media formats
  • Escort all visitors in areas containing cardholder information
  • Maintain procedures to distinguish employees from visitors
  • Maintain inventory of POI/POS devices with make, model, location, and serial number
  • Periodically inspect device surfaces for tampering
  • Train personnel on device handling and verification of third-party maintenance workers
  • Train personnel to report suspicious behavior
  • Maintain strict control over distribution, storage, and accessibility of media
  • Enable password-protected screensavers on computers storing cardholder data

7. Data in Transit

  • Never send cardholder data via email, instant chat, or end-user technologies
  • Require management authorization and strong encryption (AES, PGP, IPSEC) if business justification exists
  • Require management approval and logging for transportation of media containing cardholder data
  • Use only secure courier services and monitor shipment status until delivery

8. Disposal of Stored Data

  • Securely dispose of all data when no longer required
  • Implement automatic deletion processes for online data
  • Manually destroy hard copies through crosscut shredding, incineration, or pulping
  • Conduct quarterly review of non-electronic cardholder data disposal
  • Render electronic media unrecoverable through degaussing or military-grade secure deletion
  • Store materials awaiting destruction in lockable containers marked "To Be Shredded"

9. Security Awareness and Procedures

  • Review handling procedures and conduct periodic security awareness meetings
  • Distribute the security policy to all employees, with signed acknowledgment
  • Conduct background checks on employees handling sensitive information
  • Contractually obligate third parties to PCI/DSS compliance
  • Review company security policies annually

10. PCI Security Incident Response

A PCI Response Team — comprising the Information Security Officer, Merchant Services, CIO, Communications Director, Compliance Officer, Counsel, Collections & Merchant Services, and Risk Manager — investigates and contains any suspected compromise. Response procedures include isolating affected systems, analyzing logs, conducting forensic analysis, and notifying internal departments, law enforcement, and the relevant card brand within 24 hours per Visa, MasterCard, Discover, and American Express requirements.

11. Transfer of Sensitive Information

Third-party service providers must:

  • Provide an agreed Service Level Agreement
  • Comply with physical security and access-control policies
  • Adhere to PCI DSS security requirements
  • Acknowledge responsibility for cardholder data
  • Use data only for transaction completion, loyalty programs, fraud control, or legally required purposes
  • Maintain business-continuity provisions
  • Provide full cooperation for post-intrusion security reviews

12. User Access Management

  • Formal user registration begins with HR / line-manager notification
  • Unique user IDs are assigned for accountability
  • Standard access levels with authorization for additional services
  • Access mapped to job function and cardholder-data sensitivity
  • Written service requests specify name, job title, start date, and required services
  • Users receive access-rights documentation signed by IT
  • System access is immediately revoked upon employee departure
  • IT operations is notified of all personnel changes

13. Access Control

  • Generic/group IDs restricted except with sufficient compensating controls
  • Privileged rights (administrator, super-user, root) require joint authorization
  • Least-privilege and need-to-know principles apply
  • Access provided through unique Active Directory accounts
  • Authentication and authorization required for all IT-resource access

Passwords

  • Minimum 8 characters, complex, unique
  • Changed at first use, non-reusable
  • Rotated every 90 days

Contact

Questions about this policy? Email info@drninainc.com.

© 2026 Dr. Nina Savelle-Rocklin, Psy.D. · All rights reserved
Privacy Policy Cookie Policy Information Security Legal Disclaimer