Mcardit Information Security Policy and Guidelines
Mcardit, LLC (Mcardit) is committed to protecting the security and confidentiality of customer information, to protecting against any foreseeable threats or hazards to the security or integrity of such information, and to protecting against unauthorized access to or use of such information that would result in substantial harm or inconvenience to any customer. Mcardit will protect customer information against internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of customer information or customer information systems.
This Policy sets forth the principles of Mcardit in protecting the security and confidentiality of customer information, particularly nonpublic personal information, by establishing high standards of administrative, technical and physical safeguards. Mcardit will also seek to confirm that its Merchants have policies and procedures in place to protect the nonpublic personal information of the consumers for whom they process payments, whether debits or credits. Mcardit will obtain verification from its Merchants that their policies and procedures also address the security of nonpublic personal information.
This Policy applies to Mcardit, including all employees. All Mcardit employees will comply with both the specific details and the spirit of the Policy. This Policy is intended to assist all employees in understanding and carrying out this mandate. Additionally, this Policy applies to the following:
- Any organization or individual with whom Mcardit has a contractual or fiduciary relationship including Merchants.
- Information in all forms, including oral, written, image and electronic throughout its entire lifecycle.
- Physical and logical (non-physical) protection.
- All modes of information processing, including, but not limited to, manual methods, hardware and software networks, other devices and information disposal techniques.
- Information used by Mcardit which originates externally including, but not limited to, vendors, contractors, customers, regulators, other enterprises and the public domain.
- Mcardit’s information resources used by, shared by, or in the custody of others.
Mcardit expects that Merchants for which it processes payments will provide no less a level of information security than that provided by Mcardit. Conversely, Mcardit will make every reasonable effort to apply the required level of customer privacy protection to customer resources in its custodianship. Agreements should address privacy and information security adequately prior to accepting information resources from Merchants.
Customer information, whether in paper or electronic form, is maintained when Mcardit or a Merchant transmits or stores information. Information is transmitted when it moves from one person or place to another.
Examples of such include, but are not limited to:
- Business meetings;
- Telephone conversations;
- Written correspondence, including hand written notes;
- FAX transmissions;
- Voice mail;
- Information posted or submitted on or through the Internet or internal Intranet;
- Wires;
- Automated Clearing House (ACH) transactions; or
- Real-time Payment Network (RTP) transactions.
Mcardit may store information maintained for current or historical reference. Examples of such include, but are not limited to:
- Cloud-hosted databases;
- Computer and network hard drives;
- Hard copies of reports;
- Paper containing customer information; and
- Voicemail.
LEGAL AND REGULATORY FRAMEWORK
The Gramm-Leach-Bliley Act (GLBA) was enacted on November 12, 1999. In addition to reforming the financial services industry, the Act addressed concerns relating to consumer financial privacy. The Gramm-Leach-Bliley Act required the Federal Trade Commission (FTC) and other government agencies that regulate financial institutions to implement regulations to carry out the Act’s financial privacy provisions. The FTC is responsible for enforcing its Privacy of Consumer Financial Information Rule (Privacy Rule).
Many companies collect personal information from their customers, including names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and tax identification numbers. The Gramm-Leach-Bliley Act (GLBA) requires companies defined under the law as “financial institutions” to ensure the security and confidentiality of this type of information. As part of its implementation of the GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.
The definition of “financial institution” includes many businesses that may not normally describe themselves that way. In fact, the Rule applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services. This includes, for example, check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, and courier services. The Safeguards Rule also applies to companies like credit reporting agencies and ATM operators that receive information about the customers of other financial institutions. In addition to developing their own safeguards, companies covered by the Rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care.
The NACHA Operating Rules require that Third Party Payment Processors and non-consumer Originators (Merchants) establish, implement and update, as appropriate, policies, procedures and systems with respect to initiation, processing and storage of Protected Information throughout its lifecycle, including destruction.
The NACHA Operating Rules define Protected Information as the non-public personal information, including financial information, of a natural person (consumer) used to create, or contained within, an ACH entry and any related addenda data. For the purpose of this Policy, Mcardit defines Protected Information as any non-public personal information of a consumer, including banking data.
Additionally, Mcardit, as part of the requirements for an annual ACH Rules Compliance Audit, must verify that it has established, implemented, and updated the data security policies, procedures, and systems required by the Rules.
The GLBA requires various federal and state regulatory agencies to promulgate regulations to enforce information security laws. To comply with the GLBA, Mcardit is responsible for ensuring that it and its Merchants implement commercially reasonable policies, procedures and systems to detect the occurrence of a data breach within their respective organizations. The policies and procedures should include escalation of any breach to appropriate personnel within the organization in a timely fashion and, in the case of Mcardit and its Merchants, prompt notice to the designated security contact at Mcardit’s bank.
If a data breach is known or suspected, Mcardit and its affected Merchant should immediately commence and diligently pursue an investigation of the circumstances to determine
- if a data breach has actually occurred,
- the scope of the data breach, including the type and amount of data affected,
- the risk that the affected data will be misused, and
- what steps are necessary to prevent further unauthorized access to Protected Information.
A “data breach” is defined as the loss, theft or unauthorized access of Protected Information by or from Mcardit or its Merchant, or any affiliate of the foregoing under circumstances indicating that the misuse of such information has occurred or is reasonably possible.
AUTHORITY AND OVERSIGHT
Mcardit has established an Information Security and Privacy Program appropriate to its size and complexity and the nature and scope of its operations. Executive management should oversee efforts to develop, implement, and maintain an effective Information Security and Privacy Program and approve written information security policies and programs.
Mcardit has delegated the primary responsibility for compliance with this Policy to the Information Security Officer, [Information Security Officer], and to all full-time employees, part-time employees, temporary employees, contractual employees, and any person or entity performing any type of service for Mcardit.
The primary responsibility for enforcement of this Policy and its operating procedures rests with management, and all employees including Mcardit’s Merchants (as it relates to their customers).
This Policy and its associated procedures and systems will be assessed on an annual basis to ensure that they continue to meet the objectives of this Policy. Certification of annual review will be maintained by the Information Security Officer. Merchants must do the same, as these certifications may be required for the annual NACHA Rules Compliance Audit.
Changes to this Policy require approval by Management of Mcardit. Changes in operating procedures, standards, guidelines and technologies, provided they are consistent with this Policy, may be authorized by the Information Security Officer.
No part of this Policy or its supporting operating procedures should be interpreted as contravening or superseding any other legal and regulatory requirements placed upon Mcardit. Protective measures should not impede other legally mandated processes such as records retention or subpoenas. Any conflicts should be submitted immediately to the Compliance Department for further evaluation and/or subsequent submission to Mcardit’s legal counsel.
Requests for exceptions to this Policy must be very specific and may only be granted on specific items, rather than to entire sections. Mcardit personnel should communicate their requests by submitting an internal memorandum to the Information Security Officer for consideration. Documentation of the reason for exceptions and approval of exceptions to this Policy must be maintained by the Information Security Officer.
Mcardit will review its Information Security and Privacy Program annually to determine compliance with this Policy and its ongoing commitment to enhancing security and protecting the confidentiality of customer information. This review will include results of risk assessments; risk management and control decisions; service provider arrangements; results of any testing; security breaches or violations; and management’s responses and recommendations for changes to the Information Security and Privacy Program. The review will be included in a report to Management.
Management will conduct a documented assessment of Mcardit’s information security risk and the controls Mcardit has in place to mitigate information security risk. Management will re-evaluate Mcardit’s information security risk periodically and no less frequently than annually. Without limiting the foregoing, Management will re-evaluate information security risk related to any materially different product, service, or new customer category (industry) before they are offered, and as necessary when significant new threats to information security are identified in the industry.
GUIDELINES TO IMPLEMENT AND MAINTAIN INFORMATION SECURITY
To implement its information security program, Mcardit has:
- Designated an Information Security Officer who maintains sufficient authority and independence from operational and sales functions to coordinate the program;
- Identified reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information and assessed the sufficiency of any safeguards in place to control the risks;
- Designed and implemented safeguards to address the risks and monitored the effectiveness of these safeguards; and
- Selected and retained service providers that are capable of maintaining appropriate safeguards for the information and required them, by contract, to implement and maintain such safeguards.
The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operation, including three areas that are particularly important to information security:
- Employee Management and Training;
- Information Systems; and
- Detecting and Managing System Failures.
Employee Management and Training
Mcardit maintains an information security training program, providing training to all personnel, including management and those staff whose duties require monitoring merchants and processing merchant files. Training occurs upon hire and annually thereafter. The training program maintains the following components:
- Training and testing content must be risk focused and include regulatory requirements as well as related Mcardit policies and procedures; and
- Training and testing content must be kept current based on changes and new developments in technology, industry trends, data breach incidents or related Mcardit policies and procedures.
Information Systems
Information systems include network and software design, and information processing, storage, transmission, retrieval, and disposal. Here are some suggestions on maintaining security throughout the life cycle of customer information, from data entry to data disposal:
- Employee access to personal customer information is limited to those employees with business reasons to have access to such information. This is also known as “access by least privilege.”
- Only authorized personnel have access to physical locations containing customer/consumer information. Physical locations include, but are not limited to, buildings, computer facilities and record storage.
- Mcardit will ensure that banking information related to a payment it processes that is transmitted via an “unsecured electronic network” is, at all times from the point of data entry and through the transmission, either encrypted or transmitted via a secure session, in either case using a commercially reasonable technology that provides a level of security that, at a minimum, is equivalent to TLS 1.2 asymmetric encryption technology. Additional technical details are contained within the Mcardit Encryption Policy documents.
- Mcardit will ensure that banking information related to a payment it processes that is stored in an electronic database is encrypted while at rest, using SHA-256 encryption algorithms. Additional technical details are contained within the Mcardit Encryption Policy documents.
- Banking information includes any payment transaction routing number, account number, PIN or other identification symbol.
- Dual control and segregation of duties are implemented as considered necessary by Management and closely monitored to determine the appropriate level of customer information accessibility.
- A contingency plan or business continuity plan is in effect to protect customer information against destruction, loss, or damage due to environmental hazards, such as fire and water damage, or technological failures.
- Mcardit will test key controls identified on the risk assessment and systems and procedures of the Information Security Program. The frequency and nature of such tests will be determined by Mcardit’s risk assessment. Tests will be conducted or reviewed by independent third parties or staff independent of those that develop or maintain the security programs.
- Mcardit will follow applicable regulatory guidelines to properly dispose of any consumer information that it maintains or otherwise possesses. “Consumer Information” includes “any record about an individual, whether in paper, electronic, or other form that is a consumer report or is derived from a consumer report and that is maintained or possessed by Mcardit.” This would also include information from a credit report that Mcardit obtained about an individual who applies for payment processing services, either individually or on behalf of an entity or an employee or prospective employee.
- Periodic testing will be performed to determine compliance with the security of customer information. This includes audits, control review, penetration tests, and vulnerability assessments. Both internal and external Information Technology-related risk assessments are performed and updated on an annual basis.
- Management, as well as key Mcardit employees, must be aware of Information Security requirements as a related part of the business continuity procedures, as outlined in Mcardit’s Business Continuity Plan (“BCP”). The BCP is designed to deal with levels of outages including the loss of key network components, loss of key personnel, or the loss of an entire facility. Additionally, as testing is a key element of the BCP, it is outlined and documented in the BCP. Ongoing training, both formal and informal, for staff is also an integral part of ongoing business continuity preparedness.
Detecting and Managing System Failures
Effective security management requires Mcardit to deter, detect, and defend against security breaches. That means taking reasonable steps to prevent attacks, quickly diagnosing a security incident, and having a plan in place for responding effectively. Mcardit shall implement the following procedures:
- All maintenance of Mcardit’s computer software is strictly controlled by the Information Security Officer and supervised by the Chief Operations Officer. The Information Security Officer monitors the continued usefulness of all systems (PC and network). Requests for changes to programs and for modifications to the network and software are made through written or verbal requests to the Information Security Officer.
- Mcardit places strong emphasis on implementing both preventative and detective controls. For instance, monitoring systems are in place to detect actual or attempted attacks on, or intrusions into, customer information systems. Monitoring tools identify vulnerabilities and, in real-time mode, detect possible intrusions from external and internal parties (e.g. hackers).
- Mcardit is responsible for detecting and responding to unauthorized individuals attempting to gain access to Mcardit’s electronic information systems. Mcardit policies and procedures should identify the specific actions to be taken when Mcardit suspects or detects that unauthorized individuals have gained access to Mcardit’s customer information systems, including appropriate reports to regulatory and law enforcement agencies.
26391 Crown Valley Parkway, Suite 240
Mission Viejo, CA 92691
v1.1 updated September 1, 2023