PCI DSS Compliance Policy

Last Updated: January 16, 2025

Overview

Dev 2 Dev Portal LLC maintains compliance with the Payment Card Industry Data Security Standard (PCI DSS) for all systems, processes and personnel that store, process or transmit payment card data, and for any system that can affect the security of the cardholder data environment (CDE).

Scope

Protected Data

  1. Cardholder data (PAN together with cardholder name, expiration date and service code)
  2. Primary Account Numbers (PAN), which must be rendered unreadable wherever stored
  3. Sensitive authentication data, which must never be retained after authorization
  4. Full track data (magnetic stripe or chip equivalent)
  5. Card verification codes (CAV2/CVC2/CVV2/CID)
  6. PINs and PIN blocks

Covered Systems

  1. Payment processing systems
  2. Systems that store cardholder data
  3. Systems that transmit cardholder data
  4. Security controls protecting the cardholder data environment
  5. Access points into the cardholder data environment
  6. Connected systems that can affect the security of the cardholder data environment

Security Requirements

Network Security

  1. Firewall configuration
  2. System hardening
  3. Network segmentation
  4. Access controls
  5. Monitoring systems
  6. Security testing

Cardholder Data Protection

  1. Data encryption
  2. Key management
  3. Storage security
  4. Transmission security
  5. Access controls
  6. Data disposal

Vulnerability Management

  1. Security updates
  2. Patch management
  3. System hardening
  4. Configuration standards
  5. Security testing
  6. Risk assessment

Access Control

User Management

  1. Access rights
  2. Authentication requirements
  3. Authorization controls
  4. Role assignments
  5. Access review
  6. Documentation

System Access

  1. Authentication methods
  2. Access restrictions
  3. Session management
  4. Remote access
  5. Third-party access
  6. Monitoring

Network Protection

Architecture

  1. Network segmentation
  2. Security zones
  3. Access points
  4. Control placement
  5. Monitoring points
  6. Documentation

Controls

  1. Firewall rules
  2. Router configuration
  3. Switch security
  4. Wireless security
  5. Remote access
  6. Third-party connections

Data Protection

Encryption Requirements

  1. Transmission encryption
  2. Storage encryption
  3. Key management
  4. Algorithm standards
  5. Implementation requirements
  6. Verification procedures

Data Management

  1. Data inventory
  2. Classification
  3. Storage requirements
  4. Retention periods
  5. Disposal procedures
  6. Documentation

Monitoring Requirements

System Monitoring

  1. Activity logging
  2. Access monitoring
  3. Security events
  4. System changes
  5. User actions
  6. Regular review

Alert Management

  1. Alert generation
  2. Response procedures
  3. Investigation requirements
  4. Documentation
  5. Follow-up actions
  6. Review process

Incident Response

Response Procedures

  1. Detection requirements
  2. Initial response
  3. Investigation process
  4. Containment measures
  5. Recovery procedures
  6. Documentation

Communication

  1. Internal notification
  2. External reporting
  3. Payment brands and the acquiring bank
  4. Law enforcement
  5. Documentation
  6. Follow-up

Testing Requirements

Security Testing

  1. Vulnerability scanning (internal and external)
  2. Penetration testing (network and application layer)
  3. Security assessments
  4. Configuration review
  5. Control testing
  6. Documentation

Regular Assessment

  1. Quarterly internal vulnerability scans and quarterly external scans by an Approved Scanning Vendor (ASV)
  2. Annual compliance assessment (Self-Assessment Questionnaire or Report on Compliance, as applicable)
  3. Control testing
  4. Process review
  5. Documentation
  6. Updates

Documentation Requirements

Policy Documentation

  1. Written policies
  2. Procedures
  3. Standards
  4. Guidelines
  5. Reviews
  6. Updates

Operational Records

  1. Activity logs
  2. Change records
  3. Access logs
  4. Incident reports
  5. Test results
  6. Compliance verification

Training Requirements

Security Training

  1. PCI awareness
  2. Security procedures
  3. Incident response
  4. Data handling
  5. Documentation
  6. Verification

Role-specific Training

  1. Technical staff
  2. Development team
  3. Support personnel
  4. Management
  5. Documentation
  6. Verification

Third-Party Management

Service Providers

  1. Due diligence
  2. Contract requirements
  3. Compliance verification
  4. Monitoring
  5. Regular review
  6. Documentation

Compliance Verification

  1. Initial assessment
  2. Regular review
  3. Documentation
  4. Monitoring
  5. Reporting
  6. Updates

Contact Information

For PCI DSS-related matters:

  1. Security Team: pci@dev2dev.com
  2. Phone: +1 (509) 481-5437
  3. Address: 816 W Francis Ave, Ste #125, Spokane, WA 99205


This PCI DSS Compliance Policy is effective as of January 16, 2025