Payment Card Data Security Policy
KRAMER RESTORATION, LLC is committed to these security policies to protect information utilized by KRAMER RESTORATION, LLC in attaining its business goals. All employees are required to adhere to the policies described within this document.
Secure Network
KRAMER RESTORATION, LLC will configure their network to include a firewall at each Internet connection and between the internet-facing demilitarized zone (DMZ) containing the web server and the internal network zone that contains systems not directly involved in the payment process. Documentation will be maintained that details the use of all services, protocols, and ports allowed into the internal network zone. This list will include business justification for any traffic allowed in or out of the network. It will also include documentation of security features implemented for those protocols considered to be insecure. Examples of insecure services, protocols, or ports include but are not limited to FTP, Telnet, POP3, IMAP, and SNMP v1 and v2.
Firewall Configuration
KRAMER RESTORATION, LLC requires that all firewalls restrict connections between untrusted networks and any system in the cardholder data environment. All access to the internet must be through a firewall. Any direct connection to a vendor, processor, or service provider must also be through a firewall. Inbound and outbound traffic must be restricted by the firewalls to that which is necessary for the cardholder data environment. All other inbound and outbound traffic must be specifically denied. Firewall configuration must prohibit direct public access between the Internet and any system component in the cardholder data environment as follows:
· Management authorization is required for all outbound traffic from the cardholder data environment to the Internet.
· Firewalls used to protect the cardholder data environment must implement stateful inspection.
· Network techniques (such as NAT or RFC 1918 addressing) must be used to prevent disclosure of private IP addresses and routing information to unauthorized parties.
All vendor-supplied defaults must be changed before installing any system on the network.
System Configuration Standards
KRAMER RESTORATION, LLC must ensure that configuration standards for all systems address all known security vulnerabilities and are consistent with current industry-accepted system hardening standards. Configuration standards must be updated as new vulnerabilities are discovered. Configuration standards must be used when installing new systems. Configuration standards must include the following:
· All vendor-supplied default passwords are changed.
· All unnecessary default accounts are removed.
· Only one primary function may be implemented per server to ensure that functions that require different security levels are not on the same server.
· Only services, protocols, and daemons necessary for the function of the system are enabled.
· System security parameters are configured to prevent misuse.
· Unnecessary functionality, such as scripts, drivers, features, subsystems, file systems, and web servers must be removed.
System administrators and any personnel responsible for configuring system components must be knowledgeable about common security parameter settings for those system components.
Non-console Administrative Access
Non-console administrative access must be encrypted using technologies such as SSH, VPN, or SSL/TLS. The following requirements apply:
· Strong cryptography must be used, and the encryption must be invoked before the administrator’s password is requested.
· System services and parameter files must be configured to prevent the use of telnet and other insecure remote login commands.
· Administrator access to web-based management interfaces must also be encrypted with strong cryptography.
· Vendor documentation must be used to verify that strong cryptography is in use for all non-console access.
Data from Payment Cards May Not be Stored
Sensitive authentication data must be securely deleted after authorization so that the data is unrecoverable. Payment systems must not store sensitive authentication data in any form after authorization. Sensitive authentication data is defined as the following:
· The card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) is not stored under any circumstance.
· The personal identification number (PIN) for debit card transactions is not stored under any circumstance.
Transmission of Cardholder Data
KRAMER RESTORATION, LLC will use strong cryptography and security protocols (for example, SSL/TLS, IPsec, or SSH) during transmission of cardholder data over open, public networks. These controls will be implemented as follows:
· Only trusted keys and certificates are accepted.
· The protocol in use only supports secure versions or configurations.
· The encryption strength is appropriate for the encryption methodology in use.
KRAMER RESTORATION, LLC does not allow customers to send payment card information via email, instant messaging, or chat.
Anti-Virus Protection
Anti-virus protection capable of detecting, removing, and protecting against all known types of malicious software must be installed on all systems. All anti-virus programs must be kept current through automatic updates, be actively running, be configured to run periodic scans, and be capable of generating audit logs and configured to do so. Anti-virus logs must also be retained as required under PCI requirement 10.7. KRAMER RESTORATION, LLC requires that anti-virus mechanisms be actively running and unable to be altered or removed by users.
Risk and Vulnerability
KRAMER RESTORATION, LLC will establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, “high,” “medium,” or “low”) to newly discovered security vulnerabilities. Risk rankings must be based on industry best practice as well as potential impact. Criteria for ranking vulnerabilities may include the CVSS base score, the classification by the vendor, or the type of systems affected. Risk rankings must identify all vulnerabilities considered to be a “high risk” to the environment. In addition to the risk ranking, vulnerabilities may be considered “critical” if they pose an imminent threat to the environment, impact critical systems, and/or would result in a potential compromise if not addressed. Examples of critical systems may include security systems, public-facing devices and systems, databases, and other systems that store, process, or transmit cardholder data.
Critical security patches must be installed within one month of release. Non-critical vendor-supplied security patches must be installed as soon as possible, generally within 90 days.
KRAMER RESTORATION, LLC will enforce change control procedures for the implementation of security patches and software modifications. These procedures must include documented evidence of the following for each software change:
· Documentation of impact.
· Documented change approval by authorized parties.
· Functionality testing to verify that the change does not adversely impact the security of the system.
· Back-out procedures.
Limit Access to Cardholder Data
Access to KRAMER RESTORATION, LLC’s cardholder system components and data is limited to only those individuals who require access in order to perform their job functions. User IDs must be restricted to the least privileges necessary to perform job responsibilities. Privileges must be assigned to individuals based on position and responsibilities.
Secure Access to Systems
The following must be followed for all user accounts that have access to the system or any systems that are part of the payment processing environment:
· All users must be assigned a unique ID.
· Access for all terminated users must be revoked immediately.
· Remote access for vendors will only be active when needed. All remote access accounts used by vendors will be monitored when in use.
· Failed attempts to access the system will result in the user ID being locked after not more than six failed attempts.
· Locked user IDs will remain locked for at least 30 minutes, or until an administrator enables the user ID.
· All users must be issued their own, unique, user ID and password.
· No group or shared IDs are to be used.
In addition to assigning a unique ID for each user, at least one of the following methods must be used to authenticate all users:
· A password or passphrase.
· A token device or smart card.
· A biometric.
Passwords/passphrases must be protected with strong cryptography during transmission and storage on all system components. Passwords/passphrases must meet the following requirements:
· Contain at least seven characters.
· Contain both numeric and alphabetic characters.
User passwords/passphrases must be changed at least every 90 days. Users may not use a password/phrase that is the same as any of the last four passwords/phrases he or she has used. Initial passwords/phrases must be changed when used for the first time. Two-factor authentication must be incorporated for remote access to the network by employees, administrators, and outside third parties.
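The access rules above (unique IDs, lockout after six failures, a 30-minute lock or administrator unlock, seven-character alphanumeric passwords, no reuse of the last four, 90-day expiry, and forced change on first use) translate directly into code. The following is an added example written for this page, not tooling from KRAMER RESTORATION, LLC or from PCI DSS; the class names, the salted PBKDF2 storage and the sample user ID are assumptions made for illustration.

```python
# Added example (not part of the policy document): an account store that
# enforces the access rules stated above. Class and function names, and the
# sample user IDs, are assumptions made for illustration.
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 6      # lock the ID after not more than six failures
LOCKOUT_MINUTES = 30         # stay locked for at least 30 minutes
PASSWORD_MAX_AGE_DAYS = 90   # change at least every 90 days
PASSWORD_HISTORY = 4         # may not reuse any of the last four
MIN_LENGTH = 7               # at least seven characters


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256: passwords are stored unreadable, never in clear text.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_password_policy(password: str) -> List[str]:
    """Return the policy violations for a candidate password (empty when compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than seven characters")
    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")
    if not any(c.isalpha() for c in password):
        problems.append("no alphabetic character")
    return problems


@dataclass
class Account:
    user_id: str                          # one ID per individual; no shared IDs
    salt: bytes
    digest: bytes
    set_at: datetime                      # when the current password was set
    must_change: bool = True              # initial password is changed on first use
    failed: int = 0
    locked_until: Optional[datetime] = None
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)


class AuthStore:
    def __init__(self) -> None:
        self.accounts = {}

    def create(self, user_id: str, initial_password: str, now: datetime) -> None:
        if user_id in self.accounts:
            raise ValueError("user ID must be unique")
        salt = os.urandom(16)
        self.accounts[user_id] = Account(user_id, salt, _hash(initial_password, salt), now)

    def unlock(self, user_id: str) -> None:
        # Administrator action that ends a lockout before the 30 minutes elapse.
        acct = self.accounts[user_id]
        acct.locked_until, acct.failed = None, 0

    def login(self, user_id: str, password: str, now: datetime) -> str:
        acct = self.accounts.get(user_id)
        if acct is None:
            return "denied"
        if acct.locked_until is not None:
            if now < acct.locked_until:
                return "locked"
            acct.locked_until, acct.failed = None, 0   # lockout period has elapsed
        if not hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failed += 1
            if acct.failed >= MAX_FAILED_ATTEMPTS:
                acct.locked_until = now + timedelta(minutes=LOCKOUT_MINUTES)
                return "locked"
            return "denied"
        acct.failed = 0
        if acct.must_change or now - acct.set_at > timedelta(days=PASSWORD_MAX_AGE_DAYS):
            return "change_required"
        return "ok"

    def change_password(self, user_id: str, new_password: str, now: datetime) -> List[str]:
        acct = self.accounts[user_id]
        problems = check_password_policy(new_password)
        # The current password plus the three before it are the "last four used".
        recent = [(acct.salt, acct.digest)] + acct.history
        for salt, digest in recent[:PASSWORD_HISTORY]:
            if hmac.compare_digest(_hash(new_password, salt), digest):
                problems.append("matches one of the last four passwords")
                break
        if problems:
            return problems
        acct.history = recent[:PASSWORD_HISTORY]
        acct.salt = os.urandom(16)
        acct.digest = _hash(new_password, acct.salt)
        acct.set_at = now
        acct.must_change = False
        return []
```

Two details matter for a reviewer: the failure counter is reset only when a lockout expires or a login succeeds, so a user cannot be permanently locked by a stale count, and the history check hashes the candidate against each stored salt, which is why old salts are kept alongside old digests. Two-factor authentication for remote access is a separate control and is not modelled here.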
Restrict Physical Access to Cardholder Data
Appropriate facility entry controls must be used to monitor physical access to systems in the cardholder data environment. Hard copy materials containing confidential or sensitive information (examples of which include paper receipts, paper reports, faxes, etc.) are subject to the following storage guidelines: All media must be kept physically secured. Strict control must be maintained over the internal or external distribution of any kind of media containing cardholder data. These controls include:
· Media must be classified appropriately so the sensitivity of the data can be determined.
· If media is moved off site, it must be sent by a secure carrier or other delivery method that can be accurately tracked.
· Management approval must be obtained prior to moving the media off site.
Strict control must be maintained over the storage and accessibility of media containing cardholder data at all times.
All media containing cardholder data must be destroyed when no longer needed for business or legal reasons.
All media must be destroyed by shredding, incineration or pulping so that cardholder data cannot be reconstructed.
Containers with information waiting to be destroyed must be locked and kept in a secure area to prevent access to the contents by unauthorized personnel.
Audit Trails
KRAMER RESTORATION, LLC will create automated audit trails in order to link access to all system components to an individual user. The automated audit trails will capture detail sufficient to reconstruct the following events:
· All actions taken by any individual user with root or administrative privileges.
· All failed logins.
· Any use of, and changes to, identification and authentication mechanisms—including but not limited to the creation of new accounts and elevation of privileges—and all changes, additions, or deletions to accounts with root or administrative privileges.
KRAMER RESTORATION, LLC’s log generating and collecting solution will capture the following data elements for the above events:
· User identification.
· Type of event.
· Date and time.
· Success or failure indication.
· Origination of event.
· Identity or name of affected data, system component, or resource.
KRAMER RESTORATION, LLC’s systems administrators will perform a daily review of the audit logs. This review may be manual or automated but must monitor and evaluate the following:
· All security events.
· Logs of all system components that store, process, or transmit cardholder data.
· Logs of all critical system components.
· Logs of all system components and servers that perform security functions.
Logs of all other system components must be reviewed periodically.
System administrators will follow up on exceptions and anomalies identified during the review process. KRAMER RESTORATION, LLC must retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.
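To make the audit-trail requirements above concrete, here is an added example (written for this page, not the company's logging solution or any PCI DSS reference code) that reads newline-delimited JSON audit records carrying the six required data elements, rejects records that could not support reconstruction, flags the event classes the daily review must cover, and classifies each record against the one-year/three-month retention rule. The field names, the sample records and the list of privileged IDs are all constructed for illustration.

```python
# Added example (not part of the policy document): audit records with the
# required data elements, a daily review over them, and a retention check.
# Field names, sample records and the privileged-ID list are constructed.
import json
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

REQUIRED_FIELDS = ("user", "event", "time", "outcome", "origin", "target")
PRIVILEGED_USERS = {"root", "admin"}          # constructed: root/administrative IDs
IAM_EVENTS = {"account_create", "account_delete",   # changes to identification
              "privilege_change", "password_reset"}  # and authentication mechanisms
ONLINE_DAYS, RETAIN_DAYS = 90, 365            # three months online, one year total

# Constructed sample log: one failed login, two privileged actions (one of
# which creates an account), one incomplete record and one garbled line.
SAMPLE_LOG = """\
{"user":"jsmith","event":"login","time":"2024-03-04T08:02:11Z","outcome":"failure","origin":"10.1.4.22","target":"pos-app01"}
{"user":"jsmith","event":"login","time":"2024-03-04T08:02:40Z","outcome":"success","origin":"10.1.4.22","target":"pos-app01"}
{"user":"root","event":"config_change","time":"2024-03-04T09:15:03Z","outcome":"success","origin":"console","target":"/etc/pos/app.conf"}
{"user":"admin","event":"account_create","time":"2024-03-04T10:01:55Z","outcome":"success","origin":"10.1.4.9","target":"user:tmiller"}
{"user":"tmiller","event":"report_view","time":"2024-03-04T11:30:00Z","outcome":"success","origin":"10.1.4.31","target":"daily_sales"}
{"user":"svc_backup","event":"login","time":"2024-03-04T23:59:59Z","outcome":"failure","origin":"10.1.4.40"}
garbled line from a crashed agent
"""


def _parse_time(value: str) -> datetime:
    # Accept the trailing "Z" form on Python versions whose fromisoformat does not.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_records(text: str) -> Tuple[List[Dict], List[str]]:
    """Split a newline-delimited JSON log into usable records and rejects.

    A record missing any required element cannot be used to reconstruct the
    event, so it is reported as an exception rather than silently dropped.
    """
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            rejected.append(line)
            continue
        if all(f in rec for f in REQUIRED_FIELDS):
            records.append(rec)
        else:
            rejected.append(line)
    return records, rejected


def daily_review(records: List[Dict]) -> List[Tuple[str, str, str]]:
    """Flag failed logins, every action by a privileged ID, and IAM changes."""
    findings = []
    for r in records:
        if r["event"] == "login" and r["outcome"] == "failure":
            findings.append(("failed_login", r["user"], r["origin"]))
        if r["user"] in PRIVILEGED_USERS:
            findings.append(("privileged_action", r["user"], r["target"]))
        if r["event"] in IAM_EVENTS:
            findings.append(("iam_change", r["user"], r["target"]))
    return findings


def retention_bucket(record: Dict, now: datetime) -> str:
    """'online' (<= 3 months, immediately available), 'archive' (<= 1 year), or 'expired'."""
    age = now - _parse_time(record["time"])
    if age <= timedelta(days=ONLINE_DAYS):
        return "online"
    if age <= timedelta(days=RETAIN_DAYS):
        return "archive"
    return "expired"


if __name__ == "__main__":
    recs, bad = parse_records(SAMPLE_LOG)
    for finding in daily_review(recs):
        print(finding)
    print("rejected records:", len(bad))
```

The review deliberately reports every action by a root or administrative ID, not only failures, because the policy requires all such actions to be reconstructable; a record that parses but lacks an element such as the affected target is itself an exception for the administrator to follow up on.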
Vulnerability Scanning
KRAMER RESTORATION, LLC will perform external vulnerability scanning on all systems at least quarterly, and after any changes in the network. Penetration testing must be performed by a qualified individual, and include:
· Coverage for the entire CDE perimeter and critical systems.
· Testing from both inside and outside the network.
· Testing to validate any segmentation and scope-reduction controls.
· Application-layer penetration tests.
· Network-layer penetration tests to include components as well as operating systems.
· Review and consideration of threats and vulnerabilities experienced in the last 12 months.
· Retention of penetration testing results and remediation activities results.
KRAMER RESTORATION, LLC will perform external penetration testing at least annually and after any significant infrastructure or application upgrade or modification. When exploitable vulnerabilities are found during penetration testing, they must be corrected and testing repeated to verify that the corrections were effective.
For all in-scope systems for which it is technically possible, KRAMER RESTORATION, LLC will deploy a change-detection mechanism to alert personnel to unauthorized modification of critical system files, configuration files, or content files, and configure the software to perform critical file comparisons at least weekly.
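The change-detection requirement above is, at its core, a baseline of file digests compared against the current state on a schedule. The following added example (written for this page; it is not the company's change-detection product nor any named tool) records a SHA-256 baseline for a directory tree, reports files that were added, removed or modified, and checks whether the weekly comparison is overdue. The directory, file names and their contents are constructed in a temporary folder purely for illustration.

```python
# Added example (not part of the policy document): a minimal change-detection
# check that baselines critical files by SHA-256 and reports differences.
# Paths and contents below are constructed in a temporary directory.
import hashlib
import tempfile
from datetime import datetime, timedelta
from pathlib import Path
from typing import Dict, Set

COMPARE_INTERVAL_DAYS = 7   # critical file comparisons at least weekly


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large content files are handled."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> Dict[str, str]:
    """Map each monitored file (path relative to root, POSIX form) to its digest."""
    return {p.relative_to(root).as_posix(): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Set[str]]:
    """Differences between the recorded baseline and the current state."""
    common = baseline.keys() & current.keys()
    return {
        "added": set(current) - set(baseline),
        "removed": set(baseline) - set(current),
        "modified": {p for p in common if baseline[p] != current[p]},
    }


def comparison_overdue(last_run: datetime, now: datetime) -> bool:
    """True when more than the weekly interval has passed since the last comparison."""
    return now - last_run > timedelta(days=COMPARE_INTERVAL_DAYS)


def run_demo() -> Dict[str, Set[str]]:
    """Create constructed files, baseline them, simulate changes, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("listen=443\n")
        (root / "www").mkdir()
        (root / "www" / "index.html").write_text("<h1>Store</h1>\n")
        baseline = build_baseline(root)
        # Constructed changes made after the baseline was recorded
        (root / "etc" / "app.conf").write_text("listen=443\ndebug=true\n")
        (root / "www" / "index.html").unlink()
        (root / "www" / "extra.js").write_text("// constructed: file not in baseline\n")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in run_demo().items():
        print(kind, sorted(paths))
```

In a deployment the baseline must be stored where the monitored host cannot rewrite it (off-box or signed), and every difference, including an unexpected new file, should raise an alert to personnel rather than be logged silently, since the policy's purpose is to surface unauthorized modification.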
Security Policy
KRAMER RESTORATION, LLC shall establish, publish, maintain, and distribute a security policy that addresses how the company will protect cardholder data. This policy will be reviewed at least annually, and will be updated as needed to reflect changes to processing methods and systems. KRAMER RESTORATION, LLC shall establish policies for using mobile and remote technologies (for example, remote-access, wireless devices, removable electronic media, laptops, tablets, personal data/digital assistants (PDAs), email, and internet usage). These policies must include the following:
· Identify personnel authorized to permit usage of the technologies.
· Require explicit authorization to use such technologies.
· Define acceptable uses of the technologies.
KRAMER RESTORATION, LLC’s policies and procedures must clearly define information security responsibilities for all employees and contractors.
Service Providers
KRAMER RESTORATION, LLC will follow the process below to manage all service providers engaged by KRAMER RESTORATION, LLC to accept and process payment cards on behalf of KRAMER RESTORATION, LLC.
· Maintain a list of service providers.
· Maintain a written agreement that includes an acknowledgment that the service providers are responsible for the security of the cardholder data the service providers possess.
· Perform proper due diligence prior to engaging a service provider.
· Monitor service providers’ PCI DSS compliance status at least annually.
· Maintain information about which PCI DSS requirements are managed by each service provider, and which are managed by KRAMER RESTORATION, LLC in order to ensure all requirements are met.