CSI Security Terms and Policy

INFORMATION SECURITY POLICY
Company: Palapas Ventana
Date: October 20, 2025
Contact: contact@palapasventana.com

CONTENTS

  • Introduction
  • Information Security Policy
  • Acceptable Use Policy
  • Disciplinary Action
  • Compliance Policy
  • Information Security Procedures and Standards Policy
  • Protect Stored Data
  • Information Classification
  • Access to Sensitive Cardholder Data
  • Physical Security
  • Protect Data in Transit
  • Disposal of Stored Data
  • Security Awareness and Procedures
  • Network Security
  • System and Password Policy
  • Anti-Virus Policy
  • Patch Management Policy
  • Remote Access Policy
  • System Administration Access Policy
  • Vulnerability Management Policy
  • Configuration Standards
  • Change Control Process
  • Audit and Log Review
  • Secure Application Development
  • Penetration Testing Methodology
  • Incident Response Plan
  • Roles and Responsibilities
  • Third Party and Security of Cardholder Data
  • User Access Management
  • Access Control Policy
  • Wireless Policy
  • Encryption Policy
  • Appendix A – Agreement to Comply Form
  • Appendix B – List of Third Party Service Providers
  • Appendix E – POI Management Policy

INTRODUCTION
This Policy Document encompasses all aspects of security surrounding confidential company information and must be distributed to all company employees. All employees must read this document in its entirety and sign the form confirming they have read and understand this policy fully. This document will be reviewed and updated by Management on an annual basis or when relevant to include newly developed security standards into the policy and distribute it to all employees and contractors as applicable.

INFORMATION SECURITY POLICY
Palapas Ventana handles sensitive cardholder information daily. Sensitive information must have adequate safeguards in place to protect it, to protect cardholder privacy, to ensure compliance with various regulations and to guard the future of the organization.
Palapas Ventana commits to respecting the privacy of all its customers and to protecting any data about customers from outside parties. Management is committed to maintaining a secure environment in which to process cardholder information so that we can meet these promises.

Employees handling sensitive cardholder data should ensure:

  • Handle company and account data, including cardholder information, in a manner that fits with their sensitivity.
  • Limit personal use of company information and telecommunication systems and ensure it doesn’t interfere with job performance.
  • The Company reserves the right to monitor, access, review, audit, copy, store, or delete any electronic communications, equipment, systems and network traffic for any purpose.
  • Do not use email, internet and other company resources to engage in any action that is offensive, threatening, discriminatory, defamatory, slanderous, pornographic, obscene, harassing or illegal.
  • Do not disclose personnel information unless authorized.
  • Protect sensitive cardholder information.
  • Do not use email or other end-user messaging technologies (e.g., WhatsApp, Signal, Messenger) to share sensitive data including cardholder information.
  • Keep passwords and accounts secure.
  • Request approval from management prior to establishing any new software or hardware, third-party connections, etc.
  • Do not install unauthorized software or hardware, including modems and wireless access, unless you have explicit management approval.
  • Always leave desks clear of sensitive cardholder data and lock computer screens when unattended.
  • Information security incidents must be reported, without delay, to the individual responsible for incident response locally.
  • Everyone is responsible for ensuring company systems and data are protected from unauthorized access and improper use. Seek guidance from your line manager if unclear about any policy.

ACCEPTABLE USE POLICY
Management’s intent is not to impose restrictions contrary to Palapas Ventana’s culture of openness, trust and integrity. Management is committed to protecting employees, partners and the Company from illegal or damaging actions by individuals, whether knowingly or unknowingly. The Company will maintain an approved list of technologies and devices and personnel with access to such devices (see Appendix B).

Employees must:

  • Exercise good judgment regarding reasonableness of personal use.
  • Ensure they have appropriate credentials and are authenticated for use of technologies.
  • Take necessary steps to prevent unauthorized access to confidential/cardholder data.
  • Ensure technologies are used and set up in acceptable network locations.
  • Keep passwords secure; do not share accounts.
  • Use password-protected screensavers with automatic activation on all PCs/laptops/workstations.
  • Protect POS and PIN entry devices from tampering/alteration.
  • Exercise special care with portable computers.
  • Use a disclaimer when posting from a company email address to public forums unless posting is part of business duties.
  • Use extreme caution when opening email attachments from unknown senders (viruses/Trojans).

DISCIPLINARY ACTION
Violation of the standards, policies and procedures presented in this document may result in disciplinary action, including warnings up to termination of employment. Claims of ignorance, good intentions or poor judgment will not excuse non-compliance.

COMPLIANCE POLICY
This policy ensures Palapas Ventana conducts its business in full compliance with applicable laws and regulations, industry standards, accepted business practices, and internal standards.

  • Identify the data processed and the relevant laws, regulations and industry standards.
  • Document scope including assets, network diagrams, dataflow diagrams and data storage repositories.

INFORMATION SECURITY PROCEDURES AND STANDARDS POLICY
Maintain up-to-date documentation related to this policy and relevant laws/standards. Review and update when changes occur and annually for accuracy. Documents include procedures, standards, asset lists, network diagrams, and cardholder flow diagrams.

PROTECT STORED DATA
All sensitive cardholder data stored and handled by Palapas Ventana and its employees must be securely protected against unauthorized use at all times. Any sensitive card data no longer required must be discarded in a secure and irrecoverable manner.

  • Mask PAN when full PAN is not required.
  • PAN data not protected as above must not be sent via end-user messaging technologies (email, WhatsApp, Messenger, Signal, etc.).

Strictly prohibited to store:

  • Payment card magnetic stripe (track) data.
  • CVV2/CVC2/CAV2/CID (3–4 digit security code).
  • PIN or encrypted PIN block.

INFORMATION CLASSIFICATION
Label data and media to indicate sensitivity level.

  • Confidential: legally protected or would cause severe damage if disclosed (includes account data and cardholder data).
  • Internal Use: protected to prevent unauthorized disclosure.
  • Public: freely disseminated information.

ACCESS TO SENSITIVE CARDHOLDER DATA

  • Control and authorize all access to sensitive cardholder data; define roles requiring access.
  • Restrict display of PAN to at least first 6 and last 4 digits.
  • Restrict privileged user IDs to least privileges necessary.
  • Assign privileges by role (role-based access control).
  • Restrict access to PAN/personal/business data to legitimate need-to-know.
  • Maintain a list of Third Party Service Providers (TPSPs) that possess or can affect security of cardholder data (Appendix B).
  • Maintain written agreements acknowledging TPSP responsibility for the cardholder data they possess or can affect.
  • Establish due diligence before engaging TPSPs and monitor their PCI DSS compliance status.

PHYSICAL SECURITY

  • Physically restrict access to sensitive information in any format.
  • Ensure appropriate credentials and authentication for technology use.
  • Prevent unauthorized access to confidential/cardholder data.
  • Use technologies in acceptable network locations.
  • Maintain an inventory of devices that accept payment card data (make, model, location, serial/unique ID). Update on changes.
  • Periodically inspect POS (POI/terminal) surfaces for tampering/substitution.
  • Train personnel handling POS devices; verify identities of third-party repair/maintenance personnel.
  • Train personnel to report suspicious behavior and signs of tampering.
  • Define “visitor” and escort visitors in sensitive areas.
  • Keep passwords secure; do not share accounts.
  • Handle and distribute media containing sensitive cardholder information securely.
  • Distinguish employees vs. visitors in sensitive areas.
  • Disable public/visitor network jacks unless explicitly authorized.
  • Protect and secure all POS/PIN entry devices.
  • Management approval required for external/internal distribution of media containing cardholder data.
  • Maintain strict control over storage and accessibility of media.
  • Enable password-protected screensavers on computers storing sensitive cardholder data.

PROTECT DATA IN TRANSIT

  • Protect sensitive cardholder data during physical or electronic transport.
  • Never send cardholder data via email, instant chat, or any end-user technologies.
  • If business-justified and authorized, send cardholder data only using strong encryption (e.g., AES, PGP, IPsec; secure wireless).
  • Management must authorize, log, and inventory transport of media containing sensitive cardholder data; use secure couriers and monitor shipment status.

DISPOSAL OF STORED DATA

  • Securely dispose of data when no longer required, regardless of media/application.
  • Implement automated permanent deletion for online data when no longer required.
  • Manually destroy hard copies of cardholder data when no longer required; verify quarterly disposal.
  • Destroy hardcopy via crosscut shredding, incineration, or pulping.
  • Render electronic media unrecoverable (degauss, secure wipe using industry standards, or physical destruction).
  • Hold pending-destruction materials in locked containers labeled “To Be Shredded.”

SECURITY AWARENESS AND PROCEDURES

  • Train employees/contractors regularly on handling sensitive information; hold awareness meetings.
  • Distribute policy document; require signed acknowledgement (Appendix A).
  • Conduct background checks (within legal limits) for employees handling sensitive information.
  • Contractually obligate third parties with access to credit card account numbers to comply with PCI DSS.
  • Review policies annually; include phishing awareness; update awareness training at least annually.

NETWORK SECURITY

  • Implement firewalls at each internet connection/DMZ and internal networks.
  • Maintain network diagram of inbound/outbound connections; review every 6 months.
  • Maintain firewall/router configuration documents, including services/protocols/ports with business justification.
  • Restrict connections between untrusted networks and CDE systems.
  • Implement stateful firewalls at internet ingress to the CDE; protect local segments (business/open networks).
  • Restrict all traffic to only what is required for the CDE.
  • Block inbound traffic by default; document explicit allow rules.
  • Authorize outbound traffic by management; document restrictions/whitelists.
  • Place firewalls between wireless networks and the CDE; quarantine wireless users into a DMZ with authentication and firewalling.
  • Authorize disclosure of private IPs to external entities.
  • Document topology of firewall environment; update with network changes.
  • Review firewall rules every six months; include cleanup rule.
  • No direct internet connections to the CDE; all traffic must traverse a firewall.

SYSTEM AND PASSWORD POLICY

  • Develop system configuration standards aligned to SANS/NIST/ISO; update as issues are identified.
  • Include security parameter settings; apply to new systems.
  • Change vendor default accounts/passwords at provisioning; disable unnecessary services/accounts.
  • Remove/disable unnecessary default accounts before installation on network.
  • Document and justify any insecure protocols/services in use.
  • Assign unique IDs to all users with access to cardholder data.
  • Require passwords for any access to company resources.
  • Deactivate/remove user IDs for terminated users immediately.
  • Lock out user ID after >5 unsuccessful attempts; locked accounts disabled for at least 30 minutes or until admin enables.
  • Change system/user passwords at least quarterly; maintain minimum password history of four; force change on first login.
  • Prohibit shared/generic admin accounts for administering systems.
  • Set non-default SNMP community strings; ensure they differ from interactive passwords.
  • Use encrypted non-console admin access (SSH/VPN/HTTPS); disable insecure remote logins (e.g., telnet).
  • Encrypt web-based admin interfaces with strong cryptography.

Password guidance (users):

  • Use 12+ characters.
  • Include mixed case, digits, and punctuation where possible.
  • Avoid personal info and dictionary words.
  • Physically secure workstations; use crypto to protect against network analysis; use strong protocols (e.g., Kerberos).

ANTI-VIRUS POLICY

  • Run latest company-approved antivirus on all machines with daily automatic updates and periodic scanning.
  • Antivirus must detect viruses, trojans, adware, spyware, worms, and rootkits.
  • Scan removable media before use.
  • Retain antivirus logs per legal/contractual requirements (minimum PCI DSS 10.7: 3 months online, 1 year offline).
  • Configure master installations for automatic updates and scans.
  • Prevent end users from modifying antivirus settings.
  • Do not open suspicious attachments; delete them from mailbox and trash; do not forward.
  • Check emails for phishing attempts.

PATCH MANAGEMENT POLICY

  • Ensure all workstations/servers/software/components have up-to-date security patches.
  • Enable automatic updates where possible.
  • Install security patches within one month of vendor release following the change control process.
  • Document exceptions.

REMOTE ACCESS POLICY

  • Employees, contractors, vendors, and agents with remote access must treat it with the same security as on-site access.
  • Enforce secure remote access with multi-factor authentication (one-time passwords or public/private keys with strong passphrases).
  • Enable vendor accounts only during required periods; disable/remove when no longer required.
  • Configure remote connections to disconnect automatically after 30 minutes of inactivity.
  • Monitor hosts connected via remote access.
  • Reconcile vendor/third-party remote accounts regularly; revoke if no business justification.

SYSTEM ADMINISTRATION ACCESS POLICY

  • Administrators with privileges to the CDE must ensure admin access meets the same security as console access.
  • Enforce MFA for administrative access (OTP or keys with strong passphrases).

VULNERABILITY MANAGEMENT POLICY

  • Assign vulnerability risk rankings (High, Medium, Low) using industry practices (e.g., CVSS).
  • Perform internal and external vulnerability scans at least quarterly and after significant changes.
  • Perform quarterly internal scans (internal staff or third party) with re-scans until passing results or all High vulnerabilities remediated (per PCI DSS 6.3.3).
  • Perform quarterly external scans by an ASV (PCI SSC-approved). Post-change scans may be internal; re-scan until passing.

CONFIGURATION STANDARDS

  • Systems that process, transmit, or store cardholder data must be configured per applicable standards maintained by system owners and Information Security.
  • All network device configurations must adhere to company standards before network placement; use a boilerplate baseline.
  • Certify systems against the standard before production.
  • Apply vendor/ISO updates within defined timeframes; document exceptions with review schedule, risk analysis, and update method.
  • Annually check configs against boilerplate; use config management where possible; otherwise perform quarterly audits and remediate discrepancies.

CHANGE CONTROL PROCESS

  • Manage changes via a formal documented process ensuring review, authorization, testing, controlled implementation, and status tracking.
  • Define management responsibilities, procedures, and integration with operational/app change control.
  • Log all change requests (approved or rejected) centrally; retain audit trail (request, authorization, outcome).
  • Prohibit single-person changes to production without approval by authorized personnel.
  • Perform risk assessments and impact assessments (including legal/standards compliance and cost).
  • Prioritize changes by benefits, urgency, effort, and operational impact.
  • Test changes in isolated representative environments; integrate with SDLC as applicable.
  • Use version control for software changes/updates; retain older versions per retention policy.
  • Approve changes based on acceptance criteria (authorized requester, impact assessed, tested).
  • Notify affected users; obtain user representative sign-off.
  • Treat major changes as projects; classify by development/implementation effort.
  • Document abort/recovery procedures and rollback plans.
  • Update documentation upon completion; archive/retain per policy.
  • Define and control emergency changes; monitor post-implementation and escalate deviations.

AUDIT AND LOG REVIEW
Scope: all logs for systems within the CDE, including:

  • Operating System logs (event/su)
  • Database audit logs
  • Firewalls and network switch logs
  • IDS logs
  • Antivirus logs
  • CCTV video recordings
  • File Integrity Monitoring (FIM) logs

Retention: Minimum 3 months online and 12 months offline.

Monitoring:

  • Use the company’s network monitoring system (define hostnames/software) controlled from the central console.
  • Access to logs is limited to personnel with job-related need.
  • Configure alerts to notify the responsible team via dashboard and email/SMS, with summaries of incidents.

Event coverage (examples):

  • Operating Systems: user account changes; failed/unauthorized logons; system file modifications; admin actions; audit trail access; creation/deletion of system-level objects.
  • Databases: failed logins; user/role changes; DB create/alter/drop; schema connections; DBA actions.
  • Firewalls: ACL violations; invalid authentications; privileged actions; configuration changes.
  • Switches: invalid authentications; privileged actions; configuration changes.
  • IDS: CVEs; generic attacks; DoS; reconnaissance; exploit attempts; auth failures; backdoor/stealth traffic.
  • FIM: system file modifications; admin actions; audit trail access; creation/deletion of system objects.

For confirmed suspicious events, record on “F17 – Log Review Form” and inform the designated role, capturing:

  • User identification
  • Event type
  • Date and time
  • Success or failure
  • Event origin (e.g., IP address)
  • Reference to affected data/system/resource

SECURE APPLICATION DEVELOPMENT
Purpose: guide developer decisions/actions in the SDLC to ensure software security (language/platform independent). Required for all development on company systems and trusted contractor sites processing company data.

Map security activities to SDLC phases:

  • Design: security requirements; architecture/design reviews; threat modeling.
  • Coding: secure coding best practices; static analysis.
  • Testing: vulnerability assessment; fuzzing.
  • Deployment: server configuration review; network configuration review.

Developer expectations:

  • Comply with Company secure coding standards; only validated code reaches production.
  • Ensure software is free from exploitable vulnerabilities and provides intended security functionality.
  • Address common risks: injection (e.g., SQL), buffer overflow, XSS, improper access control (insecure direct object reference, failure to restrict URL access, directory traversal), CSRF, broken authentication/session management, improper error handling.
  • Never trust incoming data; validate input; do not store sensitive data client-side.
  • Disable verbose error messages that leak information.
  • Use encapsulation/inheritance/polymorphism where appropriate; check boundaries/buffers.

PENETRATION TESTING METHODOLOGY

  • List risks inherent to penetration testing and corresponding mitigations (e.g., controlled scans; notify/monitor; throttle traffic).
  • Identify key project staff (Technical PM, CISO, CIO, Communications Head, Website Owner).
  • Perform external tests remotely; internal tests onsite with network/building access arranged.
  • If segmentation limits PCI DSS scope, test segmentation.
  • Use audit team equipment; require network connectivity to target segments.
  • Immediately escalate any incidents during testing to incident management.
  • Test scope: all systems/applications in or protecting the CDE; list in-scope and excluded systems/apps.
  • Follow OSSTMM; test network/system/application layers; cover PCI DSS v4 concerns.
  • Collect evidence for findings (screenshots, tool output, photos, documents).
  • Produce report with: Introduction; Executive Summary; Methodology; Identified Vulnerabilities; Recommendations; Conclusions; Evidence.

INCIDENT RESPONSE PLAN
Definition: security incident is any incident (accidental, intentional, or deliberate) relating to communications or information processing systems.

  • Test the IR plan annually; distribute to relevant staff; ensure understanding.
  • Employees must report security-related issues to the Security Officer.

PCI Incident Response Flow:
1) Department reports incident to the Information Security Officer or PCI Response Team member.
2) Recipient informs PCI Response Team.
3) Team investigates, limits exposure, mitigates risks.
4) Team resolves the problem, reporting to relevant parties (card brands, processors) as necessary.
5) Team evaluates and updates policies/processes and safeguards to prevent recurrence.
6) Unauthorized wireless AP/device findings are escalated immediately to Security Officer for removal.
7) Departments suspecting a breach must inform the PCI Incident Response Team, which implements the plan.

Escalation Members (customize):

  • First Level: Information Security Officer; Controller; Executive Project Director (Collections & Merchant Services); Legal Counsel; Risk Manager; Communications Director.
  • Second Level: Company President; Executive Cabinet; Internal Audit; Auxiliary members as needed.
  • External Contacts (as needed): Merchant Provider; Card Brands; ISP(s); Communication Carriers; Business Partners; Insurance Carrier; External Response Team (e.g., CERT); Law Enforcement.

Card Brand Notifications (abbreviated):

  • VISA: shut down affected systems; alert stakeholders; provide compromised accounts within 24 hours; submit incident report within 14 days.
  • MasterCard: notify Compromised Account Team within 24 hours; send written statement; provide accounts; engage acceptable data security firm within 72 hours; weekly status until closure.
  • Discover: notify within 24 hours; prepare statement; list compromised accounts; follow additional requirements.
  • American Express: notify within 24 hours; prepare statement; list compromised accounts; follow additional requirements.

In an incident:

  • Isolate compromised systems.
  • Gather/review/analyze logs and safeguards.
  • Conduct forensics of compromised systems.
  • Contact internal/external departments/entities as appropriate.
  • Provide forensics/log analysis to law enforcement/card security personnel as required.
  • Assist investigations and prosecutions.

ROLES AND RESPONSIBILITIES
Chief Security Officer (or equivalent):

  • Oversee information security; create/distribute policies/procedures; ensure controls are maintained.
  • Perform risk analysis; monitor/analyze alerts; manage incident response/escalation.
  • Maintain security awareness program and communications.
  • Manage vulnerability management and penetration testing program.
  • Maintain list of service providers and due diligence/PCI verification processes.

Information Technology Office (or equivalent):

  • Maintain daily administrative/technical operational security procedures (e.g., account maintenance, log review).

Network Administrators:

  • Maintain firewalls/routers; review rulesets every six months; ensure secure configurations.

System and Application Administrators:

  • Monitor/analyze security alerts; administer user accounts/authentication; monitor/control access to data; ensure systems/devices are securely configured.

Human Resources (or equivalent):

  • Track participation in security awareness program at hire and annually; collect written acknowledgments.

General Counsel (or equivalent):

  • Ensure TPSP contracts require PCI DSS and acknowledge CHD security responsibility.

THIRD PARTY AND SECURITY OF CARDHOLDER DATA
All third-party companies providing critical services must provide an agreed SLA and comply with Physical Security and Access Control Policy.
Third parties that can affect the security of cardholder information must:

  • Adhere to PCI DSS security requirements.
  • Acknowledge responsibility for securing cardholder data.
  • Use cardholder data only for transaction completion, loyalty, fraud control, or as required by law.
  • Maintain business continuity provisions.
  • Cooperate and provide access for security reviews after intrusions.
  • Provide a responsibility matrix defining owned/shared requirements.

USER ACCESS MANAGEMENT

  • Control access via a formal user registration process initiated by HR or a line manager.
  • Assign unique user IDs; group IDs only when suitable.
  • Provide standard access; grant additional services upon authorization.
  • Determine access level by job function relative to cardholder data.
  • New user request must include requester, newcomer’s role/workgroup, start date, services required.
  • Provide user a copy of access rights; obtain signed acknowledgment after induction.
  • Provisioned by IT only after proper procedures; revoke all logons immediately upon termination; HR/line managers notify IT.

ACCESS CONTROL POLICY

  • Protect interests of all users by providing a safe, secure, accessible environment.
  • Provide necessary information for employees to carry out responsibilities effectively.
  • Avoid generic/group IDs except by exception with compensating controls.
  • Restrict and control privileged rights; authorize jointly by system owner and IT; avoid blanket team privileges.
  • Apply least privilege and need-to-know.
  • Maintain security of data at its classification level even if technical controls fail.
  • Store data appropriately on digital media/devices according to classification.
  • Report non-compliance to the CISO.
  • Provide access through a unique AD account and complex password; no access without authentication/authorization.
  • Manage password issuance/strength/rotation via formal process and AD GPO.
  • Limit access to Confidential/Restricted/Protected data to authorized persons per data owner.
  • Require written requests to grant/change/revoke access.
  • Require users to abide by policies, standards, and acceptable use guidelines.
  • Authorize remote access via IT Services in accordance with Remote Access and Information Security Policies.
  • Control access methods via logon rights, NTFS, privileges, firewall, IIS auth, SQL rights, isolated networks, etc.
  • Conduct periodic formal access reviews with system/data owners; log and sign off reviews.

WIRELESS POLICY

  • Prohibit installation/use of wireless devices/networks connecting to company networks unless approved.
  • Run quarterly tests to discover wireless access points (e.g., NetStumbler, Kismet).
  • Ensure devices that support wireless remain disabled/decommissioned unless authorized.
  • Immediately stop/cease/shut down/remove offending devices upon policy violations.
    If wireless is approved:
  • Change default SNMP strings, passwords, passphrases, encryption keys, and vendor defaults; update upon staff changes.
  • Keep firmware updated per vendor schedule; require strong encryption (IEEE 802.11i) for auth/transmission.
  • Change any other security-related vendor defaults; maintain inventory of authorized APs with business justification.

ENCRYPTION POLICY

  • Render Cardholder Data unreadable when stored using strong encryption (e.g., AES-256, Triple DES 168-bit) with proper key management.
  • Rotate keys annually.
  • Protect Data Encryption Keys (DEKs) in a Secure Cryptographic Device or by encrypting with a Key Encryption Key (KEK).
  • Do not store DEK with KEK.
  • Enforce separation of duties and split knowledge for key handling.

APPENDIX A – AGREEMENT TO COMPLY FORM
Employee Name (printed): ____________
Department: ____________
Employee Signature: ____________
Date: ____________

Agreement:
I agree to take all reasonable precautions to ensure that internal information, or information entrusted to Palapas Ventana by third parties, will not be disclosed to unauthorized persons. At the end of my employment or contract, I will return all information to which I have had access. I understand I am not authorized to use sensitive information for my own purposes or provide it to third parties without express written consent of the designated information owner.
I have access to the Information Security Policies, have read and understand them, and understand how they impact my job. As a condition of continued employment, I agree to abide by these policies. Non-compliance may result in disciplinary action up to dismissal, and criminal/civil penalties. I will promptly report all violations or suspected violations of information security policies to the Security Officer.

APPENDIX B – LIST OF THIRD PARTY SERVICE PROVIDERS (TPSPs)
Provider | Service | Data Access (Y/N) | PCI Status/Attestation Date | Responsibility Matrix Ref
(complete and maintain current list)

APPENDIX E – POI MANAGEMENT POLICY
Where Palapas Ventana utilizes POIs, the following apply:

POI Device Inventory and Management:

  • Maintain up-to-date inventory of all POI devices (make, model, location, serial number).
  • Establish procedures for securely adding, relocating, and decommissioning POI devices.

END OF POLICY

icon

Leave a Reply

Your email address will not be published. Required fields are marked *

Share