SVM Security Compliance Requirements
Definitions. The following terms have the indicated definitions and meanings:
“Authorized Provider” means any agent, consultant, auditor, contractor, distributor, subcontractor, outsourcer or other third party, acting on behalf of Company (whether direct or indirect and at any tier) who has agreed, in writing, to comply with these InfoSec Compliance Requirements.
“Breach” means Data Breach and/or Security Breach collectively.
“Bridge” means to connect a host to multiple network segments.
“Card” means a credit card, debit card, charge card or stored value card bearing the service marks of any Card Organization.
“Cardholder” means the person to whom the Card has been issued.
“Cardholder Data” means all information provided by or about a Cardholder in the course of a transaction or obtained through the use of a Card or otherwise relating to a Card transaction (including, without limitation, name, address, PIN, CVV number, credit card account numbers, expiration dates, magnetic stripe data and any other similar information that identifies or could be used to identify the Cardholder or the related account).
“Card Organization” means a Card organization (e.g., Visa, MasterCard, JCB, American Express, Discover, etc.) that promulgates operating rules and operates an interchange system for exchanging charges between SVM and the Payment Card Processor. In the case of debit cards, “Card Organizations” includes Debit Networks.
“Data Breach” means intrusion into a computer system where unauthorized access, disclosure, theft, modification, or destruction of SVM Sensitive Data is suspected.
“Debit Networks” means the telecommunications and processing system of shared electronic funds transfer networks.
“Event” means an occurrence where an information security policy or procedure may have been violated or a safeguard may have failed.
“Payment Card Processor” means an entity engaged by SVM to process Card transactions accepted by SVM.
“Process, Processing, Processed” means any operation in relation to SVM Sensitive Data irrespective of the purposes and means applied including, without limitation, access, collection, retention, storage, transfer, disclosure, use, erasure, destruction, and any other operation.
“Security Breach” means any (a) unauthorized Processing of SVM Sensitive Data or (b) any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by Company regarding Processing SVM Sensitive Data or otherwise put in place to comply with these InfoSec Compliance Requirements. For the avoidance of doubt, “unauthorized Processing” includes, but is not limited to: misuse, loss, destruction, compromise, or unauthorized access, collection, retention, storage, or transfer.
“SVM Sensitive Data” means data or information (regardless of form, e.g., electronic, paper copy, etc.) which is
(A) personally identifiable information [including, but not limited to: (i) individual user passwords (including challenge/response answers, personal identification numbers (PIN) and any other access codes that correlate to a person); (ii) Social Security number; (iii) driver’s license number; (iv) state identification number; (v) date of birth; (vi) government or federal identification number; (vii) financial information (including financial account number, credit card number or debit card number in combination with any required security code, access code, or PIN that would permit access to an individual’s account); (viii) health coverage ID number; (ix) biometric data (e.g., thumb print, retina scan, palm scan, etc.); (x) electronic handwritten signature; and (xi) precise location-based information];
(B) passwords other than individual user passwords [such passwords include application passwords, database passwords, and shared account passwords (for example, WebLogic console)];
(C) session identifiers that represent or potentially represent an authenticated identity (e.g., a single sign-on cookie) used by systems that contain any data element considered SVM Sensitive Data;
(D) employee data including, but not limited to: (i) human resources data (e.g., performance reviews, records of disciplinary action, medical and health information, family information, insurance information, driving records, etc.); and, (ii) compensation data (e.g., salary, performance pay, stock options, etc.);
(E) corporate financial data that has not been released to the public;
(F) identified by SVM as “SVM Sensitive Data;”
(G) Cardholder Data; or,
(H) developed, derived, converted, translated, or otherwise created from any of the foregoing categories (including subsequent variables or data files), where such data remains in a state that identifies or could be used to identify SVM Sensitive Data.
For the avoidance of doubt: (i) SVM Sensitive Data includes any of the foregoing even when categorized under a different name (e.g., a person’s social security number is such person’s “DOT license number”); and (ii) derivations of any of the foregoing (e.g., Processed, Breached, etc.) are included in the defined term.
1. Application of InfoSec Compliance Requirements. These InfoSec Compliance Requirements apply to all SVM Sensitive Data which is: (A) Processed by Company; (B) provided by or on behalf of SVM and/or its Affiliates to Company; (C) learned or otherwise used by Company during or in connection with the performance of services; or, (D) otherwise collected or gathered from SVM or third parties in connection with the Services.
Notwithstanding any contrary terms or conditions in the MNDA or any agreements between Company and SVM, any exclusion in the MNDA or such agreements to the definition of Confidential Information shall not apply to SVM Sensitive Data.
2. Generally Applicable InfoSec Compliance Requirements. In all events, with respect to SVM Sensitive Data, Company shall:
(A) comply with ISO 27002:2005 (as may be updated from time to time), Information Technology – Security Techniques – Code of Practice for Information Security Management (“ISO Security Standard”).
(B) logically and/or physically segregate SVM Sensitive Data from the data of any third party.
(C) encrypt SVM Sensitive Data if it is stored on laptops, mobile, or any other portable device with data storage capability (e.g., smartphone, tablet, USB drives, CD-ROMs, DVDs, backup tapes, etc.). Company shall comply with NIST “Guideline For Implementing Cryptography In The Federal Government” (NIST Special Publication 800-21).
(D) unless a longer retention period is required by law, destroy all SVM Sensitive Data and copies thereof, in a manner that ensures no restoration of such data is possible, upon the earlier of (i) termination of the Agreement in relation to which the SVM Sensitive Data was used; or, (ii) completion of the purpose for which the SVM Sensitive Data is being used. Prior to disposal of any equipment on which SVM Sensitive Data has been stored or processed, Company shall comply with “NIST Guidelines for Media Sanitization (Draft SP 800-88)”.
(E) contact the SVM Information Security organization promptly (but in no event more than twenty-four (24) hours) after an actual or suspected Breach is discovered. Any such notification shall be sent to SVM by email with a read receipt to firstname.lastname@example.org with a copy to Company’s primary business contact within SVM.
(F) Process SVM Sensitive Data only in accordance with applicable laws, the terms of the applicable agreement between SVM and Company (including, these InfoSec Compliance Requirements), and on the basis of any authorized additional instructions from SVM and its authorized agents and subcontractors.
(G) not transfer, provide or otherwise disclose or make available SVM Sensitive Data to any third party, other than an Authorized Provider, unless required to by applicable law.
(H) not permit any third party, other than an Authorized Provider, to Process SVM Sensitive Data.
(I) take prompt corrective action(s) to mitigate and remedy a Breach and to prevent any future Breach.
(J) take prompt corrective action(s) to remedy a violation of (and to prevent any future violation of) any InfoSec Compliance Requirement.
(K) take prompt corrective action(s) to remediate any vulnerabilities or security concerns identified by SVM.
(L) implement corrective action(s) in a timeframe commensurate with the risk or as agreed upon with SVM.
(M) cooperate fully with SVM in facilitating investigation, mitigation, and remediation of a Breach. For avoidance of doubt, Company shall provide such access, information, and assistance as is necessary for SVM and/or its designees to complete SVM’s investigation of the Breach.
(N) not notify any third party of any Breach except as may be strictly required by applicable law, without first obtaining SVM’s prior written consent and incorporating in good faith any feedback that SVM may have as to the content and manner of executing the third party notification.
(O) promptly notify its primary SVM business contact of any complaint or inquiry received related to Processing of SVM Sensitive Data.
3. Cardholder Data. In addition to, and without limiting, the other applicable requirements, in the event Company has any access to or use of Cardholder Data (as defined above), Company shall comply with the following:
(A) Cardholder Data Protection. Company shall implement, maintain and use such proper security controls and measures as are necessary to ensure the secure Processing of Cardholder Data and to protect Cardholder Data from unauthorized Processing or other compromise. In all events, Company shall comply with the Card Organizations’ Payment Card Industry (“PCI”) Data Security Standard v. 2.0, or such later version or replacement standard required by PCI to maintain its certification (“PCI DSS”). In addition to PCI DSS, Company shall comply with such other programs, policies, procedures, obligations, duties, rules, regulations and requirements of the Card Organizations (now or in the future) regarding Cardholder Data (e.g., the Visa Cardholder Information Security Program, the MasterCard Site Data Protection Program, the American Express Data Security Operating Policy, etc.) (collectively, “Card Organization Rules”). Company acknowledges receipt and review of the Card Organization Rules and will review a Card Organization’s Rules at such Card Organization’s web site and at the Payment Card Industry web site: http://www.PCISecurityStandards.Org.
(B) Breach of Cardholder Data. In the event any Breach affecting, directly or indirectly, Cardholder Data is suspected, alleged or confirmed, Company will notify SVM promptly (in all events, within twenty-four (24) hours) of such Event. Within forty-eight (48) hours of the Event, Company shall conduct an internal investigation to determine whether unauthorized Processing of Cardholder Data may have occurred and shall report the results of such investigation to SVM. If such investigation is inconclusive, or upon request by SVM or a Card Organization, Company, at Company’s sole expense, will engage a forensic investigator vendor, selected or approved by SVM and/or the Card Organizations, no later than forty-eight (48) hours following Company’s notice of the Event to SVM, to investigate the Event. Such forensic investigator shall promptly conduct an examination of Company’s systems, procedures and records, orally report and discuss the investigator’s initial findings with SVM, and thereafter issue a written report of its findings. For avoidance of doubt, Company shall provide such access, information, and assistance as is necessary for the forensic investigator, SVM and/or Card Organizations to complete the investigation of the Event. Company will not alter or destroy any records related to the Event. Under all circumstances, Company shall maintain complete and accurate documentation regarding Processing of Cardholder Data and the circumstances surrounding an Event. Company will provide to SVM information related to Company’s or any Card Organization’s investigation related to any unauthorized Processing of Cardholder Data, including but not limited to forensic reports and systems audits.
(C) Compliance. Company will comply with Card Organizations’ registration requirements (including, but not limited to, site inspections, background investigations, provision of financial statements, etc.) and reporting requirements. In addition, each year, and as otherwise requested by SVM, Company shall provide proof of compliance with PCI DSS by: (i) being published in the Visa Global List of PCI DSS Validated Service Providers; or (ii) providing SVM a copy of Company’s executive summary of either (a) its PCI DSS Report On Compliance (“ROC”) or (b) Self-Assessment Questionnaire (“SAQ”), whichever is applicable based on Company’s PCI vendor or merchant level, as determined by the Card Organizations.
4. Connectivity Requirements. In addition to, and without limiting, other applicable requirements, in the event Company is permitted remote access (e.g., VPN, direct connection, etc.) to any internal SVM systems (including hardware, software, data, servers, personal computer or control devices, software or other system), services, or networks (collectively, “SVM Systems”), Company shall:
(A) connect to SVM Systems only in the manner, for the period of time, and through the means authorized by SVM.
(B) not connect to, access or use (or attempt to do any of the foregoing) any SVM Systems without the prior authorization of SVM.
(C) not enable bridging. Bridging of any SVM network (e.g., SVM intranet, etc.) and any other network is prohibited.
(D) use strong encryption access methods for network based command and control or monitoring activities.
(E) enforce one user per account and not share accounts.
(F) not attempt to gain unauthorized access to any SVM Systems, infrastructure, or other user’s account.
(G) not store the PIN or password in the VPN client configuration when using two-factor authentication to the SVM network.
(H) not physically store hardware-based authenticators for remote access with the device used to connect to the SVM network.
(I) promptly report to the sponsoring manager or designee when a hardware or software based authenticator is lost, stolen, or otherwise potentially compromised.
(J) restrict duration of access to only such period as when access is required.
(K) not use any SVM System in any way that (i) is illegal; (ii) is abusive; (iii) is harmful to or interferes with SVM’s network or systems, or the network or systems of any other entity, or the use thereof; (iv) infringes, misappropriates or otherwise violates the intellectual property, privacy or other proprietary rights of any party, including SVM; (v) creates a security risk or vulnerability; or, (vi) attempts to do any of the foregoing.
5. Requirements Related to Testing and/or Development Services. In addition to, and without limiting other applicable requirements, in the event Company provides any development or testing services, prior to providing such services to SVM:
(A) Company’s developers (including those of its subcontractors at any tier) shall have successfully completed secure coding training based on the Open Web Application Security Project (OWASP). Certification of completion of such training shall be provided to SVM upon its request.
(B) Company (including its subcontractors at any tier) shall have successfully completed training in Security Testing practices to ensure that testing performed by Company meets PCI DSS. Certification of completion of such training shall be provided to SVM upon its request.
6. Certification Requirements. Company shall:
(A) comply with both the general certification requirements set forth in this Section and any other applicable certification requirement(s) set forth elsewhere in these InfoSec Compliance Requirements or Company’s agreement(s) with SVM.
(B) provide certification of compliance with the applicable InfoSec Compliance Requirements by either obtaining such certification from an independent information security service company or through an annual self-assessment and certification, as approved by SVM.
(C) provide SVM with a copy of Company's applicable security standards, policies, procedures, and guidelines upon request of SVM.
(D) provide written certification to SVM that SVM Sensitive Data has been destroyed in accordance with these requirements.
These certifications shall be sent to: (i) the contact listed in the notices provision of the agreement in relation to which the SVM Sensitive Data is used; and, (ii) the following [to be provided].
7. Audit Rights
(A) Company shall, upon reasonable notice, allow its data processing facilities, procedures and documentation to be inspected by SVM, Card Organizations and Payment Card Processor (or designee of any of them) in order to ascertain compliance with applicable law, these InfoSec Compliance Requirements, the MNDA and any agreements between SVM and Company.
(B) Company shall fully cooperate with such audit requests by providing access to relevant knowledgeable personnel, physical premises, documentation, infrastructure and application software.
(C) In addition, upon notice, SVM, Card Organization, Payment Card Processor (or designee of any of them) may conduct remote electronic scans of Company’s systems, similar to those conducted under PCI DSS, to confirm compliance with the requirements of these InfoSec Compliance Requirements (including, without limitation, Card Organization Rules and PCI DSS). Company shall promptly cooperate to allow such scans.
(D) In all events, the results of audits and scans, including but not limited to any written reports, shall be made available to SVM and, notwithstanding any contrary confidentiality, use or disclosure restrictions in any agreement between Company and SVM, SVM may make such results available, as applicable, to Card Organizations and Payment Card Processor.
8. Non-Compliance. Company’s failure to comply with any InfoSec Compliance Requirement (including, without limitation, failure to implement any corrective action(s) within the required timeframe) is a material breach of Company’s agreement(s) with SVM. Without limiting any other right or remedy that SVM may have, SVM reserves the right to terminate, for default/breach, those agreement(s) affected (directly or indirectly) by such non-compliance.
9. Authorized Providers. As used in these InfoSec Compliance Requirements, the term “Company” includes “Authorized Providers” when Company utilizes an Authorized Provider to Process SVM Sensitive Data. Company shall cause Authorized Providers to comply with these InfoSec Compliance Requirements, including, but not limited to, providing the required certifications, reports, information, assistance, and access. Company is solely responsible and liable for each Authorized Provider’s compliance with, and breach of, these InfoSec Compliance Requirements. For the avoidance of doubt, unless and until a third party has agreed, in writing, to comply with these InfoSec Compliance Requirements, such third party is not an “Authorized Provider.”
10. Delegation by SVM. SVM may delegate to a third party any right (e.g., inspection, audit, enforcement, etc.) granted to SVM under these InfoSec Compliance Requirements. Company shall provide such access, information, data, and cooperation to such third party as Company is required to provide SVM under these InfoSec Compliance Requirements.