This document describes J.Hèbert Companies’ policies and practices for managing its secure platform for company-hosted eCommerce, specifically payment card transactions and the data related to them. This policy is intended to comply with the requirements of the Payment Card Industry Data Security Standard (“PCI DSS”). The PCI DSS is included by reference herein; however, J.Hèbert Companies will be the sole determinant of how its requirements are applied within J.Hèbert Companies operations. This document will be reviewed annually and updated as appropriate to maintain compliance with the PCI DSS.
For the purposes of this document, the eCommerce infrastructure consists of the computing resources (i.e., servers, storage, network and storage switches, firewalls, physical racks containing these, and related software) that process, transmit, or store payment card data, or can directly access such resources. Servers that are part of the eCommerce infrastructure and any systems that can otherwise directly access computing resources that contain payment cardholder data must be registered as regulated computers.
Roles and Responsibilities
Company personnel who access information resources that transmit, process, or store payment card data are responsible for applying this and related policies. Where contractors require such access, the J.Hèbert Companies group overseeing the contractor’s activity is responsible for ensuring that the contractor is informed of, and abides by, the relevant IT policies and procedures.
IT Security
J.Hèbert Companies is responsible for identifying network security threats, coordinating threat response, and directing forensic analysis. J.Hèbert Companies maintains the firewalls, access control systems, and security information and event management (SIEM) systems used to support eCommerce. J.Hèbert Companies is also responsible for coordinating external network scans and any penetration testing of the eCommerce infrastructure.
J.Hèbert Companies Data Center Systems Engineering And Administration
J.Hèbert Companies is responsible for the installation and maintenance of the server, storage, and database platforms that support the eCommerce infrastructure, as well as those used by eCommerce applications. Systems and database administrators work with the webmaster to address security threats proactively through maintenance activities and to respond to security threats when necessary.
J.Hèbert Companies Data Center Operations
J.Hèbert Companies is responsible for the physical security of the J.Hèbert Companies eCommerce environment, the maintenance of the data center environment and power, and the coordination of routine “production” processes within J.Hèbert Companies.
J.Hèbert Companies Data Networking
J.Hèbert Companies is responsible for the management of the network media layers of the eCommerce infrastructure, including the physical network components and functions such as network switching and routing.
J.Hèbert Companies Desktop Support
J.Hèbert Companies is responsible for the installation, maintenance, and security configuration of many of the workstations used by eCommerce application staff. Workstations not supported by J.Hèbert Companies must meet the standards of the PCI DSS, and J.Hèbert Companies reserves the right to determine the suitability of such workstations to support applications operating within the J.Hèbert Companies eCommerce infrastructure.
J.Hèbert Companies Enterprise Systems & Applications
For the applications it supports (support may include software design, development, testing, promotion to production, production troubleshooting, and other support, as well as technical and other interaction with outside service providers such as application vendors and ASPs), J.Hèbert Companies is also responsible for coordinating communication among the company business client(s), any application vendor(s), contractors, or ASPs involved, and other J.Hèbert Companies groups, so that the business purpose, intended use(s), and structure of the application(s) are understood well enough for a secure implementation and operation.
J.Hèbert Companies Web Systems Administration
J.Hèbert Companies is responsible for the secure configuration and management of all web servers within the eCommerce infrastructure. This includes obtaining, installing, and managing the TLS certificates used by web servers to encrypt traffic.
System and Data Owners
System and data owners working with J.Hèbert Companies are responsible for the application of this and related policies to the systems, data, and other information resources under their care or control.
Access Control
Access to payment card customer information is restricted to those who need to know such information for business purposes. Access must be granted to named individuals, not to shared role or group accounts, and every access must be traceable to an element of identity (such as a user ID) that is unique to one individual. Access privileges must be revoked as soon as reasonably possible after a change in an individual’s responsibilities or employment status warrants it.
Cardholder Data Retention and Disposal
Neither payment card numbers nor data items whose storage J.Hèbert Companies prohibits (including sensitive authentication data, which the PCI DSS forbids storing after authorization) will be stored on company systems for any longer than necessary to complete the immediate transaction for which the data was obtained. This prohibition includes storing such data in databases, log files, audit trails, backups, etc.
Cardholder information will be stored only as long as a significant business or legal requirement for retaining it exists. Processes will be established for each eCommerce application to periodically remove customer information that is no longer relevant to the business process for which it was acquired. Such “stale” data normally should not remain on a system for more than one month after the requirement for retaining it no longer applies.
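The prohibition above on card numbers reaching log files and audit trails is most often broken by accident, when a PAN is passed into a log call as a formatting argument. The primary control is to never hand the PAN to the logger at all; the following is an added example of a secondary safety net and is not part of this policy or of any J.Hèbert Companies system. It is a Python logging filter that detects candidate PANs (13 to 19 digits, optionally separated by spaces or hyphens), confirms them with the Luhn check so that order numbers and timestamps are left intact, and masks everything but the last four digits, which the PCI DSS permits to be displayed. The logger name "ecommerce.payments.example", the log messages, and the sixteen-digit order number are constructed for the example; 4111 1111 1111 1111 is a widely used test card number.

```python
import io
import logging
import re

# Candidate primary account number (PAN): 13 to 19 digits, optionally separated
# by single spaces or hyphens, and not adjoining any other digit.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card numbers."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        digit = int(char)
        if position % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in text with asterisks, keeping the last four digits.

    Digit runs that fail the Luhn check (order numbers, timestamps) are left alone,
    so the filter does not destroy legitimate identifiers in the log.
    """
    def mask(match: re.Match) -> str:
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw
        return "*" * (len(digits) - 4) + digits[-4:]

    return PAN_CANDIDATE.sub(mask, text)


class PANRedactingFilter(logging.Filter):
    """Logging filter that scrubs PANs from a record before any handler sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        # Render the message first so PANs passed as %-arguments are caught too.
        record.msg = redact_pans(record.getMessage())
        record.args = None
        return True


# Constructed sample log events (not from any real system). The card number is a
# well-known test PAN; the sixteen-digit order number deliberately fails Luhn.
SAMPLE_EVENTS = [
    ("authorization request for card %s amount=%s", ("4111 1111 1111 1111", "19.99")),
    ("order %s confirmed", ("1234567890123456",)),
]


def log_through_filter(events):
    """Send events through a logger fitted with the filter and return the emitted lines."""
    stream = io.StringIO()
    logger = logging.getLogger("ecommerce.payments.example")  # hypothetical logger name
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(PANRedactingFilter())
    try:
        for message, args in events:
            logger.info(message, *args)
    finally:
        logger.removeHandler(handler)
        logger.filters.clear()
    return stream.getvalue().splitlines()


if __name__ == "__main__":
    for line in log_through_filter(SAMPLE_EVENTS):
        print(line)
```

Attaching the filter to the logger rather than to a single handler means every handler (console, file, SIEM forwarder) receives the scrubbed record, which matters because the policy treats log files, audit trails and backups alike. The Luhn check removes most false positives, but any Luhn-valid run of 13 to 19 digits will be masked, so this is a safety net to be paired with code review of what is logged, not a substitute for it.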
Policy Dissemination
All company personnel whose responsibilities require, or could reasonably require, them to access eCommerce computing resources or data in support of the eCommerce infrastructure or eCommerce applications must review this policy annually and attest to their compliance with it.