PRIVACY AND SECURITY POLICY
Vision and Philosophy
At Doctors Network, securing our customers’ personal data is one of our company’s highest priorities. We understand that every time a customer provides us with credit card and bank account information, or other sensitive personally identifying information, they trust that we will protect it—and this policy is designed to ensure that this trust is not misplaced. The foundation of our information security program is a set of strong policies that are in balance with business operational needs.
Doctors Network utilizes customer data to deliver products and services to our customers. Accordingly, all customer information, cardholder data, as well as other sensitive customer and company information, will be protected by all staff, contractors, partners and service providers in accordance with well-defined policies and procedures.
Doctors Network operates on the security principle: “That which is not explicitly allowed is explicitly denied.” Attempts by anyone to access, monitor, use, or share information that is not explicitly allowed to them by our security program will be considered a security violation. Further, access to sensitive information will be permitted on a “need to know” basis, such that employees have access to only those data and systems required to perform their assigned jobs. We will deploy systems, processes, policies, and training to protect our mission, critical data assets, and customer privacy. Most importantly, we will monitor and enforce compliance with our policies.
Vendors, partners, and other third parties will be required to comply with the same standards established for Doctors Network staff. All vendors storing, or otherwise accessing, our customers' cardholder data must provide proof of PCI DSS compliance.
Sanctions for Policy Violation
Failure to comply with security policies and guidelines may result in disciplinary action by Doctors Network, depending upon the type and severity of the violation, whether it causes liability or loss to the company, and/or the presence of any repeated violation(s). Each situation will be judged on a case-by-case basis. Sanctions may include termination of employment, referral for criminal or civil prosecution, warnings, or additional security awareness training. There is no requirement for advance notice, written or verbal warning, or probationary periods.
Information Classification, Storage, and Destruction
All Doctors Network information is categorized into two main classifications: Public and Confidential.
Public information, such as advertising and marketing materials, is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any possible damage to Doctors Network.
Confidential information comprises all other information, such as sales data, customer addresses, employee files, etc., that should not be made available outside the company. A subset of confidential information is “Critical Confidential” information, which should be restricted to “need to know” access only, such as trade secrets, financial, technical, and personnel information, and other information integral to the success of the company. Customer sales authorizations containing credit card numbers and CVV2 codes or bank account numbers (PANs), and PANs provided to employees in the course of entering a telephone transaction, fall into the Critical Confidential information category.
Doctors Network personnel are encouraged to use common sense judgment in securing Confidential information to the proper extent. As such, Critical Confidential information shall be stored in a limited access area (i.e. a locked file drawer or safe), and only those employees determined to have a “need to know” will be provided access to that information. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their manager.
Under no circumstances is a CVV2 code to be stored, even in paper format. If provided on a paper authorization form, it is to be redacted on all stored documents after the transaction is successfully processed.
When Critical Confidential information in paper form need no longer be stored for any operational or regulatory reason, it must be disposed of via cross-cut shredding or incineration. Any shredding bins that store Critical Confidential information prior to destruction will be kept locked at all times. Any digital information in the Critical Confidential category, whether on tape, CD/DVD, or located on a computer hard drive, will be completely erased and rendered unreadable by commercially acceptable methods. (As Doctors Network has contracted with a third party for all storage of PANs, none will be stored by the company in digital form.) When feasible, non-critical Confidential information should be disposed of in the same manner.
Payment Processing System
Doctors Network utilizes a web-based SaaS system provided by PaySimple, a PCI DSS Certified payment processing service provider, for all payment processing functions. All credit card and ACH transactions, whether authorized over the phone, in writing via mail, or online, are transmitted, processed, and stored via the PaySimple Solution system. Telephone and online transactions are directly entered into the system. Mailed transactions are entered into the system, and the paper authorization form is then stored in a secure locked cabinet or safe for only as long as required by business operational needs. Under no circumstances are PANs stored electronically for any reason—secure storage is completely delegated to the PaySimple system.
Doctors Network employees have access to the PaySimple system for processing payments and reporting—but never have access to unencrypted credit card or bank account numbers. Each User is granted system access permissions based on the minimum functionality required to perform job responsibilities.
During the course of performing their job responsibilities, telephone sales representatives will have access to full credit card numbers, billing addresses, and CVV2 codes. Telephone operators are expressly directed to enter this information directly into the PaySimple system—and are never to record any PANs or CVV2s on paper, or to repeat or otherwise transmit this information to any third parties.
Doctors Network employees will be granted access to sensitive company data and any archived authorizations or reports containing card data, or other confidential customer information, on a “need to know” basis. Access to payment processing systems and other company applications will also be granted on the basis of the minimum level required to perform assigned job responsibilities.
Key Access Control Provisions
- Users will only be given sufficient rights to all systems to enable them to perform their job function. Users’ rights will be kept to a minimum at all times.
- A payment processing system Administrator will be responsible for issuing user accounts, provisioning user account permissions and processing limits, and monitoring system usage.
- Access to the PaySimple payment processing system will be by individual username and password.
- Usernames and passwords must not be shared by Users. Passwords must be at least 8 alphanumeric characters and should not be written down.
- Passwords will expire every 90 days and must be unique over any 360-day period.
- User accounts will be locked after 5 consecutive failed logins.
- Any paper receipts, reports, or other documents containing cardholder data will be secured in a locked file drawer or safe, with access granted on a limited and documented basis. All documents containing cardholder data must be checked out and checked in by an authorized manager.
- A payment processing system Administrator will be notified of all employees leaving the company and will immediately revoke their access to all systems and storage facilities.
Doctors Network has implemented McAfee and AVG for the purpose of computer virus, worm, and Trojan Horse prevention, detection, and cleanup. In order to ensure the security of our computing environment, the following must be adhered to by all employees using Doctors Network computers or systems:
- All computers accessing company systems, and/or utilizing the PaySimple payment processing system, must use the approved anti-virus/anti-phishing protection software and configuration.
- The virus/phishing protection software must not be disabled or bypassed.
- The settings and automatic update frequency for the virus/phishing protection software must not be altered in any manner that will reduce its effectiveness.
- Employees should NEVER open ANY files or macros attached to an email from an unknown, suspicious, or untrustworthy source.
- Employees should NEVER download files from unknown or suspicious sources.
- Employees should NEVER complete ANY forms accessed via links embedded in an email from an unknown, suspicious, or untrustworthy source.
Doctors Network is committed to protecting its employees, partners, and the company from illegal or damaging actions by individuals, either knowingly or unknowingly. All computer related systems and equipment including, but not limited to, computer equipment, software, e-mail accounts, and web browsers, are the property of Doctors Network. All customer data obtained during the course of performing job responsibilities is the property of Doctors Network.
These systems and data are to be used only for business purposes in serving the interests of the company and our customers in the course of normal operations. Effective security is a team effort involving the participation and support of every Doctors Network employee and affiliate who deals with information and/or information systems. It is the responsibility of every employee to know these guidelines and to conduct their activities accordingly.
Key Acceptable Use Policy Provisions
- Users should be aware that the data they create on the corporate systems remains the property of Doctors Network. There is no expectation of privacy or guarantee of confidentiality of information stored on or accessed via any network, computer, or electronic device belonging to Doctors Network.
- Authorized Users are responsible for the security of their passwords and accounts. Passwords and accounts should not be shared. PaySimple payment processing system passwords are changed every 90 days.
- Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, Trojan horse code, or other malware.
- Under no circumstance is an employee of Doctors Network authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing Doctors Network-owned resources.
- The following activities are strictly prohibited, with no exceptions:
  - Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient, or logging into a server or account that the employee is not expressly authorized to access, unless this access is within the scope of the employee's regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
  - Executing any form of network monitoring that will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
  - Circumventing User authentication or the security of any host, network, or account.
  - Providing information about, or lists of, Doctors Network employees to parties outside Doctors Network.
  - Providing information about, or lists of, Doctors Network customers, including but not limited to PANs and other sensitive customer information, to any external party or unauthorized internal party.
All vendors that will have access to Critical Confidential information, including customer Credit Card numbers and Bank Account numbers, must be covered by a formal contract that includes the following guarantees:
- Service providers must comply with all PCI DSS requirements, and maintain and provide proof of PCI DSS certification as a service provider.
- Service providers must acknowledge responsibility for the security of the cardholder data they possess, including but not limited to:
  - Protecting cardholder data as specified by the PCI DSS, if processing or storing payment card data on behalf of Doctors Network.
  - Reporting any known or suspected compromise of said data to the company as soon as possible.
  - Allowing for audits by VISA/MasterCard/American Express/Discover, or VISA/MasterCard/American Express/Discover-approved entities, in the event of a cardholder data compromise.
  - Ensuring continued security of cardholder data retained during and after contract termination.
As part of the Vendor Management program, Doctors Network will perform due diligence on each Vendor prior to signing any contract to confirm that the above guarantees have been adequately met.
Doctors Network will maintain an up-to-date list of all service providers with access to Critical Confidential information. At a minimum, this list will include the service provider’s name, key contact information, the type of Doctors Network confidential information to which the service provider has access, and the type of PCI responsibilities allocated to the vendor. (See Appendix A for the Service Provider List format.)
On at least a yearly basis, Doctors Network will review the Service Provider List, and all vendors that have access to Critical Confidential information, to ensure that:
- PCI DSS compliance certification is up-to-date
- Other procedures in place to protect confidential information continue to adequately protect customers and are being properly executed
- Any changes necessary to policies and procedures are made