Trader’s Security Policy
1. The Purpose
The purpose of this security policy is to establish control mechanisms that protect the information under the trader's control and thereby ensure its confidentiality, integrity and availability.
The policy establishes information security protection mechanisms against internal and external threats, together with basic rules of conduct for crisis situations and deliberate damage.
2. Subjects of the Security Policy
2.1. The requirements of the security policy apply to:
a) persons employed by the trader, hereinafter "Subjects";
b) all other persons who may have access to information protected by the trader.
2.2. Subjects are obliged to comply with the requirements of this policy and are responsible for the complete and thorough implementation of the standards and rules set for them.
3. Security measures
3.1. The trader continuously monitors the information processing devices to ensure their correct and secure use.
3.2. The trader shall document the information processing systems, including the configurations of the technologies used. Documentation containing information relevant to information security shall be stored securely, with access restricted on a need-to-know basis.
3.3. Information carriers (media) containing highly critical information, as determined by the information classification, shall be registered, and their use, storage and destruction shall be strictly controlled.
3.4. Before using any computer program, Subjects must verify that its use will not spread malware or damage the technical equipment and thereby endanger the security of information.
3.5. The trader shall continuously educate and train the Subjects so as to avoid mistakes related to information security.
4. Risk assessment and management
4.1. Risk assessment is the starting point before any security management plan is developed. It identifies existing and foreseeable security risks associated with the trader's projects and operations.
4.2. The risk assessment shall be reviewed annually, after any significant security incident, and whenever relevant legislation changes.
The risk assessment and the resulting security plan shall address at least the following measures:
4.3. Regularly conduct vulnerability assessments of the website and associated systems to identify weaknesses that could be exploited by attackers.
4.4. Ensure that the payment service provider is PCI DSS compliant, which includes maintaining a secure network, protecting cardholder data, regularly monitoring and testing networks, and implementing strong access control measures.
4.5. Transmit cardholder data over the internet only through secure protocols such as HTTPS, to protect it against interception or unauthorized access.
4.6. Use strong encryption to protect sensitive data, including payment card data, both in transit and at rest: TLS for data in transit (obsolete SSL versions must not be used), and a separate storage-level encryption mechanism for data at rest, since TLS protects only the connection. Cardholder data shall be stored only where strictly necessary.
4.7. Restrict access to sensitive areas of the website, including the payment processing systems, to authorized personnel only, enforced by strict access controls, including strong password policies and multi-factor authentication for administrative access.
4.8. Keep all website software, including the content management system and its plugins, up to date with the latest security patches and updates to mitigate risks.
4.9. Use intrusion detection and prevention systems (IDS/IPS) to monitor network traffic for attacks or suspicious activity, and block or mitigate detected threats in real time.
4.10. Host the website and its databases with a secure and reputable hosting provider that implements robust security measures, such as firewalls, intrusion detection systems and regular security audits.
4.11. Have independent third-party assessors conduct periodic security audits to evaluate the effectiveness of the security controls and identify weaknesses or areas for improvement.
5. Responsibility
5.1. The trader is responsible for this security policy and for the fulfilment of the requirements it establishes.
6. Other Provisions
6.1. The security policy is public and accessible to all customers of the trader.