Vision and Philosophy
Security Statement & PCI Compliance Policy
Mylo Writes utilizes customer data to deliver products and services to our customers. Accordingly, all customer information to include cardholder data as well as other sensitive customer and company information, will be protected by all staff, contractors, partners and services providers in accordance with well-defined policies and procedures.
Vendors, partners and other third parties will be required to comply with the same standards established for our staff. All vendors storing or otherwise accessing our customers’ card holder data must provide proof of PCI DSS Compliance. Stripe is PCI DSS Compliant and has already provided certification of its PCI DSS Compliance to us.
Sanctions for Policy Violation
Failure to comply with Security policies and guidelines may result in disciplinary action by Mylo Writes depending upon the type and severity of the violation, whether it causes any liability or loss to the company, and/or the presence of any repeated violation(s). Each situation will be judged on a case-by-case basis by the Company in its sole discretion. Sanctions may include termination of employment and/or referral for criminal or civil prosecution, warnings, or additional security awareness training. There is no requirement for advance notices, written or verbal warnings, or probationary periods.
Information Classification, Storage and Destruction
All Mylo Writes information is categorized into two main classifications: Public and Confidential.
Public information, such as advertising and marketing materials, is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any possible damage to the Company.
Confidential comprises all other information, such as sales data, customer addresses, employee files, etc., that should not be made available outside the company. A subset of Confidential information is “Critical Confidential” information, which should be restricted to “need to know” access only, such as trade secrets, financial, technical, and personnel information, and other information integral to the success of the company. Customer sales authorizations containing credit card numbers and CVV2 codes or bank account numbers (PANs), and PANs provided to employees in the course of entering a telephone transaction, fall into the “Critical Confidential” information category.
Company personnel are encouraged to use common sense judgment in securing Confidential information to the proper extent. “Critical Confidential” information will be stored in a limited access area (i.e. locked file drawer or safe), and only those employees with a “Need to know” will be provided access to that information. If an employee is uncertain of the sensitivity of a particular piece of information, he/she will contact their manager for a determination.
Under no circumstances is a CVV2 code stored by the Company, even in paper format. If provided on a paper authorization form, after the transaction is successfully processed, it is to be redacted on all stored documents. Stripe is a certified PCI compliant partner and has been engaged by the Company to protect your privacy and confidential information.
When “Critical Confidential” information in paper form no longer needs to be stored for any operational or regulatory reason, it will be disposed of via cross-cut shredding or incineration. Any shredding bins that store “Critical Confidential” information prior to destruction will be kept locked at all times. Any digital information in the “Critical Confidential” category, whether on tape, CD/DVD, or located on a computer hard drive, will be completely erased and rendered unreadable by commercially reasonable methods. As Mylo Writes has contracted with a third party for all storage of PANs, none will be stored by the company in digital form. When feasible, non-critical “Confidential” information should be disposed of in the same manner.
Payment Processing System
Mylo Writes utilizes a web-based SaaS system provided by Stripe, a PCI DSS Certified payment processing service provider, for all payment processing functions. All credit card and ACH transactions, whether authorized over the phone, in writing via mail, or online are transmitted, processed and stored via the Stripe Solution system. Telephone and online transactions are directly entered into the system. Mailed transactions are entered into the system, and the paper authorization form is then stored in a secure locked cabinet or safe for only as long as required by business operational needs. In no circumstances are PANs stored electronically for any reason— secure storage is completely relegated to the Stripe system.
Mylo Writes management has access to the Stripe system for processing payments and reporting, but never has access to un-encrypted credit card or bank account numbers. Each user is granted system access permissions based on the minimum functionality required to perform job responsibilities.
During the course of performing their job responsibilities, telephone sales representatives will have access to full credit card numbers, billing addresses, and CVV2 codes. Telephone operators are expressly directed to enter this information directly into the Stripe system—and are never to record any PANs or CVV2s on paper, nor to repeat or otherwise transmit this information to any third parties.
Mylo Writes employees will be granted access to sensitive company data and any archived authorizations or reports containing card data or other confidential customer information on a “need to know” basis. Access to payment processing systems and other company applications is only granted on the basis of the minimum level required to perform assigned job responsibilities.
Key Access Control Provisions
- Users will only be given sufficient rights to all systems to enable them to perform their job function. User rights will be kept to a minimum at all times.
- A payment processing system Administrator will be responsible for issuing user accounts, provisioning user account permissions and processing limits, and monitoring system usage.
- Access to the Stripe payment processing system will be by individual username and password.
- Usernames and passwords must not be shared by users; passwords must be at least 8 alphanumeric characters and should not be written down.
- Passwords will expire every 90 days and must be unique over any 360-day period.
- User accounts will be locked after 5 consecutive failed logins.
- Any paper receipts, reports, or other documents containing cardholder data will be secured in a locked file drawer or safe, with access granted on a limited and documented basis. All documents containing cardholder data will be checked-out and checked-in by an authorized manager.
- A payment processing system Administrator will be notified of all employees leaving the company and will immediately revoke access to all systems and storage facilities.
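The account provisions above (minimum 8-character alphanumeric passwords, 90-day expiry, uniqueness over any 360-day period, and lockout after 5 consecutive failed logins) are usually enforced in code by whatever application fronts the payment system. The following Python is an added illustration of one way to do that; it is not code from Mylo Writes or Stripe. The `Account` structure, the function names, the salted PBKDF2 storage, and the reading of “alphanumeric” as “contains both letters and digits” are assumptions; the thresholds come from the policy text. The accounts and dates in `demo()` are constructed.

```python
"""Toy enforcement of the access-control provisions above.
Assumed design, not Mylo Writes' or Stripe's code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Thresholds taken from the policy text.
MIN_PASSWORD_LEN = 8
PASSWORD_MAX_AGE = timedelta(days=90)        # passwords expire every 90 days
PASSWORD_REUSE_WINDOW = timedelta(days=360)  # unique over any 360-day period
MAX_FAILED_LOGINS = 5                        # lock after 5 consecutive failures


def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2; the plaintext password is never stored (assumed scheme).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


@dataclass
class Account:
    username: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    current_hash: bytes = b""
    password_set_at: Optional[datetime] = None
    history: List[Tuple[bytes, datetime]] = field(default_factory=list)  # (hash, when set)
    failed_logins: int = 0
    locked: bool = False


def password_meets_policy(password: str) -> bool:
    # Assumed reading of "at least 8 alphanumeric characters":
    # 8+ characters containing both letters and digits.
    return (len(password) >= MIN_PASSWORD_LEN
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def set_password(acct: Account, password: str, now: Optional[datetime] = None) -> str:
    """Returns 'ok', 'too-weak' or 'reused'."""
    now = now or datetime.now()
    if not password_meets_policy(password):
        return "too-weak"
    candidate = _derive(password, acct.salt)
    # The salt is fixed per account, so an equal hash means the same password.
    for old_hash, set_at in acct.history:
        if now - set_at < PASSWORD_REUSE_WINDOW and hmac.compare_digest(old_hash, candidate):
            return "reused"
    acct.current_hash = candidate
    acct.password_set_at = now
    acct.history.append((candidate, now))
    acct.failed_logins = 0
    return "ok"


def attempt_login(acct: Account, password: str, now: Optional[datetime] = None) -> str:
    """Returns 'ok', 'expired', 'invalid' or 'locked'."""
    now = now or datetime.now()
    if acct.locked:
        return "locked"
    if acct.password_set_at is None or not hmac.compare_digest(
            acct.current_hash, _derive(password, acct.salt)):
        acct.failed_logins += 1
        if acct.failed_logins >= MAX_FAILED_LOGINS:
            acct.locked = True  # only the Administrator should clear this
            return "locked"
        return "invalid"
    acct.failed_logins = 0  # a success resets the consecutive-failure count
    if now - acct.password_set_at > PASSWORD_MAX_AGE:
        return "expired"  # right password, but it must be rotated before use
    return "ok"


def demo() -> dict:
    """Walks each provision with constructed accounts and dates."""
    t0 = datetime(2024, 1, 1)
    alice = Account("alice")
    results = {"weak": set_password(alice, "abcdefgh", t0),      # no digits
               "set": set_password(alice, "Winter2024x", t0),
               "login": attempt_login(alice, "Winter2024x", t0)}
    outcomes = [attempt_login(alice, "wrong-pass", t0) for _ in range(MAX_FAILED_LOGINS)]
    results["fifth_failure"] = outcomes[-1]
    results["after_lock"] = attempt_login(alice, "Winter2024x", t0)
    bob = Account("bob")
    set_password(bob, "Spring2024x", t0)
    results["day91"] = attempt_login(bob, "Spring2024x", t0 + timedelta(days=91))
    results["reuse_day91"] = set_password(bob, "Spring2024x", t0 + timedelta(days=91))
    results["reuse_day361"] = set_password(bob, "Spring2024x", t0 + timedelta(days=361))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note that a lockout is only ever cleared by an explicit administrative action, matching the Administrator's responsibility for user accounts above, and that an expired password still counts as a correct credential: the user is told to rotate it rather than being treated as a failed login, so expiry cannot be used to lock an account out by accident.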
Mylo Writes has implemented Heroku anti-virus protection for the purpose of computer virus, worm and Trojan Horse prevention, detection and cleanup. In order to ensure the security of our computing environment, the following will be adhered to (and enforced) by all employees using Mylo Writes computers or systems:
- All computers accessing company systems, and/or utilizing the Stripe payment processing system, must use the approved anti-virus/anti-phishing protection software and configuration.
- The virus/phishing protection software must not be disabled or bypassed.
- The settings and automatic update frequency for the virus/phishing protection software must not be altered in a manner that will reduce its effectiveness.
- Employees will NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source.
- Employees will never download files from unknown or suspicious sources.
- Employees will never complete forms accessed via links embedded in an email from an unknown, suspicious or untrustworthy source.
Mylo Writes is committed to protecting its employees, partners and the company from illegal or damaging actions by individuals, whether knowing or unknowing. All computer-related systems and equipment, including but not limited to computer equipment, software, e-mail accounts, and web browsers, are the property of Mylo Writes. All customer data obtained during the course of performing job responsibilities is the property of Mylo Writes. These systems and data are to be used for business purposes in serving the interests of the company and our customers in the course of normal operations. Effective security is a team effort involving the participation and support of every Mylo Writes employee and affiliate who deals with information and/or information systems. We do our best to ensure that every employee knows these guidelines and will conduct their activities accordingly. We affirmatively limit our liability with respect to employee violations of these terms to $100 per occurrence.
Key Acceptable Use Policy Provisions
Users should be aware that the data they create via the Website remains the property of the Company. There is no expectation of privacy or guarantee of confidentiality of information stored on or accessed via any network, computer, or electronic device belonging to Mylo Writes.
All vendors, such as Stripe, that will have access to “Critical Confidential” information, including customer Credit Card numbers and Bank Account numbers must be covered by a formal contract that includes the following guarantees:
- Service providers must comply with all PCI DSS requirements, and maintain and provide proof of PCI DSS certification as a service provider.
- Service providers must acknowledge responsibility for security of the cardholder data they possess, including but not limited to:
  - Protect cardholder data as specified by the PCI DSS, if processing or storing payment card data on behalf of Mylo Writes.
  - Report any known or suspected compromise of that data to the company as soon as possible.
  - Allow for audits by VISA/MasterCard/American Express/Discover or VISA/MasterCard/American Express/Discover-approved entities in the event of a cardholder data compromise.
  - Ensure continued security of cardholder data retained during and after contract terminations.
As part of the Vendor Management program, Mylo Writes will perform due diligence on each Vendor prior to signing any contract to confirm that the above guarantees have been adequately met.
On at least a yearly basis, Mylo Writes will review all vendors that have access to “Critical Confidential” information to ensure that:
- PCI DSS compliance certification is up-to-date.
- Other procedures are in place to protect confidential information and to continue to adequately protect customers, and are being properly executed.
- Any changes necessary to policies and procedures are made.