Information Security Policy
– Bluehost and Authorize.net passwords must be 8 characters in length and contain capital letters, a special character and a number. Passwords should not be written down or shared.
– No documents containing any element of cardholder data or customer bank account information are stored at GiftRocker.
– The storage of CVV2 code or PIN data in any format/method is prohibited.
– Access to corporate systems of GiftRocker will be given to employees based strictly on job function.
– Upon dismissal, an employee’s access to all operations and data storage will be immediately revoked.
Employees are to be made aware of GiftRocker’s security policy and cardholder information practices upon hire and at least once a year thereafter. Employees will formally acknowledge the policy in writing.
If applicable, all third-party service providers that GiftRocker uses to store, process, or transmit cardholder data on behalf of GiftRocker are PCI compliant and are contractually bound to secure cardholder data.
GiftRocker has an incident response plan, as set forth by PCI DSS requirements, in the event of a physical or electronic theft of cardholder data. The plan is tested annually.
Upon discovery of a cardholder data breach, GiftRocker will immediately contact NPC Compliance at 1.800.376.3399, ext. 2737, or NPC Risk at 1.800.667.9624, to report the incident.
A designated Security Administrator has been assigned to ensure that the policy and the security practices of GiftRocker are enforced and updated, as needed.
Suppliers
GiftRocker employs two service providers: Bluehost for hosting and Authorize.net as a payment gateway. Bluehost supports PCI compliance as mentioned here. Authorize.net is a Level 1 compliant partner as mentioned here.
PCI Compliance
GiftRocker is PCI compliant as a merchant that does not store, process or transmit cardholder data. The Self-Assessment Questionnaire A (SAQ-A) was completed on the following date by the following GiftRocker employee:
7-21-2011 by Alex Robertson