Legal Stuff - Terms and Conditions

License Agreement for Salon Precision Software

Sample-Copy.

1 Definitions and Interpretation

(1) In these terms and conditions:

• "Agreement" Means this agreement including the Schedule
• "Business Hours" Means the hours of 09.00 to 17.30 Monday to Friday excluding public holidays unless otherwise agreed in the Schedule
• "Charge" Means the amount specified in the schedule as such
• "Customer" Means the party to whom CDS LTD has agreed to provide the Service including its employees and agents
• "Equipment" Means the equipment listed in the Schedule
• "CDS LTD" Means Create Data Systems Limited - legal owner of Salon Precision brand and Products,
• "Force Majeure" Means act of God, war, riots, insurrection, governmental regulations, legal restrictions, embargoes, strikes, labour disputes, fire, floods, tempest, acts or omissions of other persons or any other cause or event outside of the control of CDS LTD howsoever caused or arising
• "Installation Address" Means the address so described in the Schedule
• "Response Period" Means the period so described in the Schedule
• "Schedule" Means the schedule specifying the level of Service and other details relating to the Agreement
• "Service" Means the Service to be supplied by CDS LTD to the Customer as described in the Schedule

(2) In these terms and conditions:

• (a) words denoting the singular include the plural and vice versa;
• (b) words denoting persons include natural persons bodies corporate unincorporated associations and partnerships;
• (c) reference to any statute or statutory provision includes amending legislation;
• (d) headings are inserted for convenience only and shall not affect the construction or interpretation of this Agreement

2 Agreement

(1) CDS LTD agrees to provide the Service to the Customer subject to these terms and conditions
(2) The Service shall commence on the date specified in the Schedule and shall continue subject to the provisions for early termination for a minimum period of eighteen months

3 Acceptance of Order

(1) The Customer’s order shall only be accepted by CDS LTD upon the service by CDS LTD of a written notice of acceptance signed by a director of CDS LTD or upon the commencement of the provision of the Service by CDS LTD
(2) CDS LTD reserves the right to refuse the Customer’s order
(3) Any quotations/proposals provided by CDS LTD are invitations to tender only and are not binding unless confirmed by CDS LTD in a notice of acceptance of the Customer’s order

4 Service

(1) Faults with the Equipment must be reported to CDS LTD by the Customer during Business Hours to the service centre of CDS LTD on the Service telephone number as notified to the Customer or such other telephone number as is notified to the Customer by CDS LTD
(2) CDS LTD shall during Business Hours respond to the fault within the Response Period following the report of the fault by the Customer The Customer shall upon reporting an Equipment fault provide magnetic media or other consumable which does not meet with CDS LTD specifications or which is defective

5 Force Majeure

(1) In the event of circumstances amounting to Force Majeure the obligations of CDS LTD shall be suspended for so long as such circumstances render performance impossible and the time for performance by CDS LTD shall be extended by a period equal to the duration of those circumstances
(2) CDS LTD shall not be liable to the Customer by reason of any delay in performance or non-performance of any of its obligations under this Agreement by reason of Force Majeure

6 Faulty Goods and Defects

Where any materials or goods supplied by a third party are faulty the liability of CDS LTD in respect of such faults will be limited to such amount (if any) as it may be able to recover from the third party

7 Terms of Payment

(1) Payment of the Charge must be made by the Customer within 28 days of the date of the invoice issued in respect thereof or within seven days from the commencement of the provision of the Service to the Customer whichever is the earlier without any discount deduction set off or rebate on any grounds
(2) The Charge includes all labour and replacement parts save as provided to the contrary under this Agreement
(3) Should the Customer fail to make payment as required by this Agreement or any other Agreement between the Customer and CDS LTD, CDS LTD may (without prejudice to its other rights) suspend the Service until such sum is received by CDS LTD and the Customer shall remain liable for any of the Charge relating to any period of suspension
(4) Where CDS LTD is unable to provide the Service or suspends the Service as a result of the Customer’s default, all time expenditure and material costs will be charged to the Customer at the current charging rate of CDS LTD from time to time in force
(5) CDS LTD reserves the right to charge interest on any sums due from the Customer to CDS LTD at the rate of five percent per annum over the base rate of the National Westminster Bank Plc from time to time in force from the due date until the date of actual payment

8 Charge Variation

(1) CDS LTD may from time to time vary modify or amend:

• (a) the Charge by giving three months notice in writing to the Customer such variation to take effect not before the first anniversary of the date of this Agreement. CDS LTD agrees not to increase the Charge by more than 15%
• (b) the terms of this Agreement where considered necessary by CDS LTD for the effective and/or efficient provision of the Service or where required by any competent authority

9 Termination

(1) This Agreement shall commence on the Start Date and shall continue until terminated by one party giving not less than three months notice in writing to the other party with such notice period not to expire until the 18th month following the Start Date to occur not less than 3 months after the giving of such notice.
(2) CDS LTD and the Customer may terminate this Agreement immediately if:

• (a) the other party is subject to a bankruptcy order (or are sequestrated in Scotland or adjudicated bankrupt in Northern Ireland) or becomes insolvent or makes any arrangement with or for the benefit of creditors of (if a partnership) ceases trading or is dissolved or (if a company) ceases trading or goes into compulsory or voluntary liquidation or a receiver administrative receiver or liquidator is appointed over its assets or is subject to an administration order;
• (b) it is discovered that the Customer has provided information to CDS LTD which is false or misleading;
• (c) CDS LTD or the Customer is in breach of any provision of this Agreement and (where such breach is remediable) fails to remedy that breach within fourteen days of a written notice from either party specifying the breach; CDS LTD or the Customer is in breach of any of its obligations under any other agreement between both parties

10 Work not included in the Service

(1) The following are excluded from the Service and are not included in the Charge:

• (a) work undertaken outside Business Hours and/or telephone support not expressly agreed
• (b) equipment not listed in the Schedule including material components concealed in the Equipment but which are not listed in the Schedule
• (c) application software or network/system operating firmware/software which does not form part of a CDS LTD On-Site Network support
• (d) accidental or deliberate damage misuse negligence or failure to observe the operating instructions of the manufacturer or the recommendations of CDS LTD
• (e) damage caused by physical or electrical stress or non normal use including damage to hard disks caused by the use of storage media not approved by CDS LTD
• (f) use of destructive or faulty software
• (g) causes arising from connections with equipment external to the Equipment or electrical work external to the Equipment
• (h) causes arising from the Customer moving altering or adjusting the Equipment
• (i) damage caused by any computer virus or by any similar invasive or subversive software
• (j) relocation of the Equipment by the Customer or by CDS LTD upon the request of the Customer from the Installation Address
• (k) supply of consumable items or accessories, OPC belts, laser drums, plasma portable screens and print heads
• (l) rental charges for replacement Equipment
• (m) replacement and magnetic media or selenium drum (except fixed and Winchester disks)

11 Customer’s Responsibilities

(1) The Customer at its own expense will care for and operate the Equipment in accordance with the manufacturers specifications and instructions and the directions of CDS LTD and will only use it for the purpose for which it was designed
(2) The Customer shall not alter attach anything to repair or adjust the Equipment or any part thereof without the prior written consent of CDS LTD other than to attach the terminals to use and allocate the serial port and cabling as required
(3) The Customer shall house the Equipment in suitable premises and under suitable conditions and will follow such directions on these matters as CDS LTD gives from time to time
(4) The Customer shall not use on the equipment any stationery magnetic media or other consumable which does not meet with CDS LTD specifications or which is defective
(5) The Customer shall ensure that:

• (a) the Equipment is operated in a skilful and proper manner by persons who are trained to a competent standard
• (b) no part of the Equipment is subjected to unusual physical or electrical stress accident neglect misuse or other damage

12 Liability

(1) Neither party excludes its liability for negligence causing death or personal injury (2) Neither party shall have any liability to the other in respect of this Agreement whether in contract tort or otherwise howsoever arising:

• (a) for any loss of revenue business contract anticipated savings or profits or;
• (b) any indirect special or consequential loss

13 Obsolete Parts

Where an itemised part of the Equipment becomes obsolete or if in the opinion of CDS LTD the cost of repair of the Equipment or itemised part of the Equipment is in excess of sixty-five percent of the cost to CDS LTD of replacing the Equipment or the cost of replacing an itemised part of the Equipment CDS LTD shall not be obliged to supply the service and shall have the right to refund to the Customer the Charge or a proportional part of the Charge and CDS LTD shall have no further liability or obligation to the Customer in connection therewith

14 Entire Agreement

(1) Each party acknowledges that in entering into this Agreement it does not do so on the basis of or rely on any representation warranty or other provision except as expressly provided in this Agreement and accordingly all conditions warranties or other terms implied by statute or common law are hereby excluded to the fullest extent permitted by law
(2) All descriptions and other information contained in sales literature, advertisements and estimates may include information received from the suppliers and agents of CDS LTD and CDS LTD cannot be held responsible for any inaccuracy in such information passed on in good faith

15 Intellectual Property

The Customer hereby acknowledges that CDS LTD has not been party to the preparation, specification or selection of any third party software used on the Equipment and the Customer is responsible for ensuring that the software complies with all specifications and such specifications are suited to the Customers intended purpose. It is the responsibility of the Customer to ensure that the terms of any licence required to operate the software are satisfactory to it.

In the case of Software development services, CDS LTD reserve all Intellectual Property rights in accordance with UK and International law. Any Software & Information Systems developed on behalf of the customer during the contract term is subject to licence agreement between CDS LTD and it’s customer and may only be distributed within accepted terms of the license.

16 Macintosh Software Emulator Disclaimer

Emulation Software is to be used at your own personal discretion – we do not advise or misadvise the use of such software.

Salon Precision and its owner/staff members/sponsors cannot be held liable or provide support for your use of a software emulator for the use of Salon Precision. Any and all damages done to your computer is entirely your responsibility, we cannot be held liable for it.

Privacy Policy for Salon Precision

By continuing to use www.salonprecision.com - you are agreeing to our terms of policy.

Privacy policy

The information we collect about you, our security agreement and your rights.

Create Data Systems Limited is committed to preserving your privacy. Please read the following privacy policy to understand how we use and protect the information obtained from those visiting and using any website owned by Create Data Systems and its Domains & Subdomains.

By using the facilities of our online Account Control Panel or Storage Area's you consent to the collection, retention and use of your personal information in accordance with the terms of this policy.

Information we collect

• - Personal details (such as your name, contact details and email address) which you provide by registering with us or submitting an enquiry via the website.
• - Your responses to surveys which we ask you to complete for research purposes.
• - How you use the website and any other information you post, email or otherwise send to us.

Payment privacy

"We do not store credit card details nor do we share customer details with any 3rd parties"

Cookies

Our website uses cookies to distinguish you from other users of the website. A cookie is a small file of letters and numbers that is stored on your device.

The cookies set may obtain information about you, your computer, your use of our website and your general internet usage.

IP addresses

We may collect information where available about your IP address, operating system and browser type. This is data about users' browsing actions and patterns. It is used to inform improvements to the website, for system administration, and to report aggregate information to third parties.

Security

We employ security measures to protect your information from access by unauthorised persons and against unlawful processing, accidental loss, destruction or damage.

Unfortunately, the transmission of information via the internet is never completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your personal or other data transmitted to our website. Any transmission is at your own risk.

Once we have received your information, we will use strict procedures and security features to prevent unauthorised access.

Your rights

You have the right to ask for a copy of the information held by us in our records in return for which we charge a small fee of £10.00.

If any information held by us is incorrect, you have the right to ask for this to be corrected and updated. Please help us keep our records updated by informing us of any changes to your email address and other contact details.

You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your personal data) if we intend to use your personal data for such purposes or if we intend to disclose your information to any third party for such purposes.

You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your personal data. You can also exercise the right at any time by contacting the Records Management Section.

Third party websites

The website may, from time to time, contain links to and from the websites of third parties. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies.

Please check these policies before you submit any personal data to these third party websites.

Changes to our privacy policy

We may amend this policy from time to time. If we make any substantial changes we will notify you by posting a prominent notice on the website.

Make an enquiry

If you have any queries concerning the information we hold about you or this privacy policy, or any questions on our use of your information then please contact Create Data Systems.

Payment Flow and Delivery Policy

By purchasing from Salon Precision & Create Data Systems - you are agreeing to our Payment and Delivery policy.

1 Payment

We accept debit/credit card, BACS, paypal, and cheque upon agreement of credit terms and contract acceptance for support.

Paper and electronic invoices are given upon payment. Where the product is a support contract - invoices are presented monthly in advance and subject to credit terms agreed in the contract.

Payments must be made in full and fully cleared before your items are dispatched where product purchase is for Software or Hardware.

All units purchased on Friday will be not be dispatched till the following Monday, Except for digital products which will be made upon purchase.

2 Subscriptions / Contracts

Costs for Hardware Leasing, Starter, Premium, Premium Plus Packages charged monthly in advance or in accordance with agreed contracts will be deducted from your account in which you will be invoiced electronically or by paper, unless otherwise cancelled. Pricing will not be increased within first year of contract, there after we reserve the right to review contract charges annually - any increases will not exceed 15%. If you would like to cancel, you must read details of your contract length depending on subscription type and hardware leasing. For further information or questions regarding your subscription or products - please do not hesitate to contact us at info@salonprecision.com, we will endeavour to contact you as soon as possible and resolve any issues you may have.

All sunbscriptions/Contract will be signed up using FuturePay our reoccuring payment service. All customers are able to cancel this by simple contacting a member of our team. Payment frequency is 'Per Calendar Month' (PCM).

With all subscriptions/contracts it will be stated clearly how long your terms of payment is for and when you are eligable to upgrade/end

3 Delivery

(i) Digital Products

Upon receipt of authorised payment and payment clearance confirmation - customers will recieve an email containing license details and login details to access their online Control Panel. The software download link can be accessed from the Control Panel.

(ii) EPOS / Computer Equipment (Hardware)

Equipment components or complete packages are dispatched within 7 days of confirmation on cleared payments.

Installation and Setup can be completed by our support team, subject to agreement on purchase. Please refer to the support team prior to purchase by calling the contact number provided on this site.

Cancellation & Refund Policy

1 Cancellation Policy

Create Data Systems Limited believes in helping its customers as far as possible, and has therefore a liberal cancellation policy. Under this policy:

• Cancellations will be considered only if the request is made within 72 hours of placing an order. However, the cancellation request will not be entertained if the orders have been communicated to the vendors/merchants and they have initiated the process of shipping them.
• There is no cancellation of orders placed under the Same Day Delivery category.
• In case you feel that the product received is not as shown on the site or as per your expectations, you must bring it to the notice of our customer service team within 24 hours of receiving the product. The Customer Service Team after looking into your complaint will take an appropriate decision.
• In case of complaints regarding products that come with a warranty from manufacturers, please refer the issue to them.
• Cancellation is subject to your individual Contract / Subscription agreement with Create Data Systems Limited - this includes Web Services, Marketing Services, Software Application, Starter Packages, Premium Packages, Premium-Plus Packages and Hardware Leasing. Please review your individual contract details for further information. If you have any questions please do not hesitate to call us on 203 750 0338.

2 Refund Policy

When you buy our Equipment / Software Application or Support Services, your purchase is covered by our 30-day money-back guarantee. If you are, for any reason, not entirely happy with your purchase, we will issue a full refund. We develop and sell software that we use ourselves every day and have hundreds of satisfied customers nationwide, and our support is second to none. That is why we can afford to back our products with this special guarantee. To request a refund, simply contact us by phone on 0203 750 0338 with the reason why you are requesting a refund – we take customer feedback very seriously and use it to constantly improve our products and quality of service. Refunds are not being provided for services delivered in full such as installation service and provided knowledge base hosting service. Refunds are being processed within 21 days period.

Security Policy

1 Introduction

This Policy Document encompasses all aspects of security surrounding confidential company information and must be distributed to all company employees. All company employees must read this document in its entirety and sign the form confirming they have read and understand this policy fully. This document will be reviewed and updated by Management on an annual basis or when relevant to include newly developed security standards into the policy and distribute it all employees and contracts as applicable.

2 Information Security Policy

Create Data Systems LTD handles sensitive cardholder information daily. Sensitive Information must have adequate safeguards in place to protect them, to protect cardholder privacy, to ensure compliance with various regulations and to guard the future of the organisation. Create Data Systems LTD commits to respecting the privacy of all its customers and to protecting any data about customers from outside parties. To this end management are committed to maintaining a secure environment in which to process cardholder information so that we can meet these promises. Employees handling Sensitive cardholder data should ensure:

• Handle Company and cardholder information in a manner that fits with their sensitivity;
• Limit personal use of Create Data Systems LTD information and telecommunication systems and ensure it doesn’t interfere with your job performance;
• Create Data Systems LTD reserves the right to monitor, access, review, audit, copy, store, or delete any electronic communications, equipment, systems and network traffic for any purpose;
• Do not use e-mail, internet and other Company resources to engage in any action that is offensive, threatening, discriminatory, defamatory, slanderous, pornographic, obscene, harassing or illegal;
• Do not disclose personnel information unless authorised;
• Protect sensitive cardholder information;
• Keep passwords and accounts secure;
• Request approval from management prior to establishing any new software or hardware, third party connections, etc.;
• Do not install unauthorised software or hardware, including modems and wireless access unless you have explicit management approval;
• Always leave desks clear of sensitive cardholder data and lock computer screens when unattended;
• Information security incidents must be reported, without delay, to the individual responsible for incident response locally – Please find out who this is.

3. Acceptable Use Policy

• Employees are responsible for exercising good judgment regarding the reasonableness of personal use.
• Employees should ensure that they have appropriate credentials and are authenticated for the use of technologies
• Employees should take all necessary steps to prevent unauthorized access to confidential data which includes card holder data.
• Employees should ensure that technologies should be used and setup in acceptable network locations.
• Keep passwords secure and do not share accounts.
• Authorized users are responsible for the security of their passwords and accounts.
• All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature.
• All POS and PIN entry devices should be appropriately protected and secured so they cannot be tampered or altered.
• Because information contained on portable computers is especially vulnerable, special care should be exercised.
• Postings by employees from a Company email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of Create Data Systems LTD, unless posting is in the course of business duties.
• Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

4. Disciplinary Action

5. Protect Stored Data

• All sensitive cardholder data stored and handled by Create Data Systems LTD and its employees must be securely protected against unauthorised use at all times. Any sensitive card data that is no longer required by Create Data Systems LTD for business reasons must be discarded in a secure and irrecoverable manner.
• If there is no specific need to see the full PAN (Permanent Account Number), it has to be masked when displayed.
• PAN'S which are not protected as stated above should not be sent to the outside network via end user messaging technologies like chats, ICQ messenger etc.,

6. Information Classification

• Confidential data might include information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure, or data that would cause severe damage to Create Data Systems LTD if disclosed or modified. Confidential data includes cardholder data.
• Internal Use data might include information that the data owner feels should be protected to prevent unauthorized disclosure;
• Public data is information that may be freely disseminated.

7. Access to the sensitive cardholder data

• Any display of the card holder should be restricted at a minimum of the first 6 and the last 4 digits of the cardholder data.
• Access rights to privileged user ID’s should be restricted to least privileges necessary to perform job responsibilities.
• Privileges should be assigned to individuals based on job classification and function (Role based access control).
• Access to sensitive cardholder information such as PAN’s, personal information and business data is restricted to employees that have a legitimate need to view such information.
• No other employees should have access to this confidential data unless they have a genuine business need.
• If cardholder data is shared with a Service Provider (3rd party) then a list of such Service Providers will be maintained as detailed in Appendix B.
• Create Data Systems LTD will ensure a written agreement that includes an acknowledgement is in place that the Service Provider will be responsible for the for the cardholder data that the Service Provider possess.
• Create Data Systems LTD will ensure that a there is an established process including proper due diligence is in place before engaging with a Service provider.
• Create Data Systems LTD will have a process in place to monitor the PCI DSS compliance status of the Service provider.

8. Physical Security

• Employees are responsible for exercising good judgment regarding the reasonableness of personal use.
• Employees should ensure that they have appropriate credentials and are authenticated for the use of technologies.
• Employees should take all necessary steps to prevent unauthorized access to confidential data which includes card holder data.
• Employees should ensure that technologies should be used and setup in acceptable network locations.
• A list of devices that accept payment card data should be maintained.
• The list should include make, model and location of the device.
• The list should have the serial number or a unique identifier of the device.
• The list should be updated when devices are added, removed or relocated.
• POS devices surfaces should be periodically inspected to detect tampering or substitution.
• Personnel using the devices should be trained and aware of handling the POS devices.
• Personnel using the devices should verify the identity of any third party personnel claiming to repair or run maintenance tasks on the devices, install new devices or replace devices.
• Personnel using the devices should be trained to report suspicious behaviour and indications of tampering of the devices to the appropriate personnel.
• A “visitor” is defined as a vendor, guest of an employee, service personnel, or anyone who needs to enter the premises for a short duration, usually not more than one day.
• Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts.
• Media is defined as any printed or handwritten paper, received faxes, floppy disks, back-up tapes, computer hard drive, etc.
• Media containing sensitive cardholder information must be handled and distributed in a secure manner by trusted individuals.
• Visitors must always be escorted by a trusted employee when in areas that hold sensitive cardholder information.
• Procedures must be in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible. “Employee” refers to full-time and part-time employees, temporary employees and personnel, and consultants who are “resident” on Create Data Systems LTD sites. A “visitor” is defined as a vendor, guest of an employee, service personnel, or anyone who needs to enter the premises for a short duration, usually not more than one day.
• Network Jacks located in public and areas accessible to visitors must be disabled and enabled when network access is explicitly authorised.
• All POS and PIN entry devices should be appropriately protected and secured so they cannot be tampered or altered.
• Strict control is maintained over the external or internal distribution of any media containing card holder data and has to be approved by management.
• Strict control is maintained over the storage and accessibility of media.
• All computer that store sensitive cardholder data must have a password protected screensaver enabled to prevent unauthorised use.

9. Protect Data in Transit

• Card holder data (PAN, track data etc) must never be sent over the internet via email, instant chat or any other end user technologies.
• If there is a business justification to send cardholder data via email or via the internet or any other modes then it should be done after authorization and by using a strong encryption mechanism (i.e. – AES encryption, PGP encryption, IPSEC, GSM, GPRS, Wireless technologies etc.,).
• The transportation of media containing sensitive cardholder data to another location must be authorised by management, logged and inventoried before leaving the premises. Only secure courier services may be used for the transportation of such media. The status of the shipment should be monitored until it has been delivered to its new location.
 

10. Disposal of Stored Data

• All data must be securely disposed of when no longer required by Create Data Systems LTD, regardless of the media or application type on which it is stored.
• An automatic process must exist to permanently delete on-line data, when no longer required.
• All hard copies of cardholder data must be manually destroyed as when no longer required for valid and justified business reasons. A quarterly process must be in place to confirm that all non-electronic cardholder data has been appropriately disposed of in a timely manner.
• Create Data Systems LTD will have procedures for the destruction of hardcopy (paper) materials. These will require that all hardcopy materials are crosscut shredded, incinerated or pulped so they cannot be reconstructed.
• Create Data Systems LTD will have documented procedures for the destruction of electronic media. These will require:
  All cardholder data on electronic media must be rendered unrecoverable when deleted e.g. through degaussing or electronically wiped using military grade secure deletion processes or the physical destruction of the media;
  If secure wipe programs are used, the process must define the industry accepted standards followed for secure deletion.
  All cardholder information awaiting destruction must be held in lockable storage containers clearly marked “To Be Shredded” - access to these containers must be restricted.

11. Security Awareness and Procedures

• Review handling procedures for sensitive information and hold periodic security awareness meetings to incorporate these procedures into day to day company practice. • Distribute this security policy document to all company employees to read. It is required that all employees confirm that they understand the content of this security policy document by signing an acknowledgement form (see Appendix A) • All employees that handle sensitive information will undergo background checks (such as criminal and credit record checks, within the limits of the local law) before they commence their employment with Create Data Systems LTD. • All third parties with access to credit card account numbers are contractually obligated to comply with card association security standards (PCI/DSS). • Company security policies must be reviewed annually and updated as needed.  

12. Network security

• Firewalls must be implemented at each internet connection and any demilitarized zone and the internal company network.
• A network diagram detailing all the inbound and outbound connections must be maintained and reviewed every 6 months.
• A firewall and router configuration document must be maintained which includes a documented list of services, protocols and ports including a business justification.
• Firewall and router configurations must restrict connections between untrusted networks and any systems in the card holder data environment.
• Stateful Firewall technology must be implemented where the Internet enters Create Data Systems LTD Card network to mitigate known and on-going threats. Firewalls must also be implemented to protect local network segments and the IT resources that attach to those segments such as the business network, and open network.
• All inbound and outbound traffic must be restricted to that which is required for the card holder data environment.
• All inbound network traffic is blocked by default, unless explicitly allowed and the restrictions have to be documented.
• All outbound traffic has to be authorized by management (i.e. what are the whitelisted category of sites that can be visited by the employees) and the restrictions have to be documented.
• Create Data Systems LTD will have firewalls between any wireless networks and the cardholder data environment.
• Create Data Systems LTD will quarantine wireless users into a DMZ, where they will be authenticated and firewalled as if they were coming in from the Internet.
• Disclosure of private IP addresses to external entities must be authorized.
• A topology of the firewall environment has to be documented and has to be updated in accordance to the changes in the network.
• The firewall rules will be reviewed on a six months basis to ensure validity and the firewall has to have clean up rule at the bottom of the rule base.
• Create Data Systems LTD have to quarantine wireless users into a DMZ, where they were authenticated and firewalled as if they were coming in from the Internet.
• No direct connections from Internet to cardholder data environment will be permitted. All traffic has to traverse through a firewall.

13. System and Password Policy

• A system configuration standard must be developed along industry acceptable hardening standards (SANS, NIST, ISO)
• System configurations should be updated as new issues are identified (as defined in PCI DSS requirement 6.1)
• System configurations must include common security parameter settings
• The systems configuration standard should be applied to any news systems configured.
• All vendor default accounts and passwords for the systems have to be changed at the time of provisioning the system/device into Create Data Systems LTD network and all unnecessary services and user/system accounts have to be disabled.
• All unnecessary default accounts must be removed or disabled before installing a system on the network.
• Security parameter settings must me set appropriately on System components.
• All unnecessary functionality (scripts, drivers, features, subsystems, file systems, web servers etc.,) must be removed.
• All unnecessary services, protocols, daemons etc., should be disabled if not in use by the system.
• Any insecure protocols, daemons, services in use must be documented and justified.
• All users with access to card holder data must have a unique ID.
• All user must use a password to access Create Data Systems LTD network or any other electronic resources
• All user ID’s for terminated users must be deactivated or removed immediately.
• The User ID will be locked out if there are more than 5 unsuccessful attempts. This locked account can only be enabled by the system administrator. Locked out user accounts will be disabled for a minimum period of 30 minutes or until the administrator enables the account.
• All system and user level passwords must be changed on at least a quarterly basis.
• A minimum password history of four must be implemented.
• A unique password must be setup for new users and the users prompted to change the password on first login.
• Group, shared or generic user account or password or other authentication methods must not be used to administer any system components.
• Where SNMP is used, the community strings must be defined as something other than the.
• Standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively.
• All non-console administrative access will use appropriate technologies like ssh,vpn etc or strong encryption is invoked before the administrator password is requested.
• System services and parameters will be configured to prevent the use of insecure technologies like telnet and other insecure remote login commands.
• Administrator access to web based management interfaces is encrypted using strong cryptography.
• The responsibility of selecting a password that is hard to guess generally falls to users. A strong password must:
  A) Be as long as possible (never shorter than 6 characters).
  B) Include mixed-case letters, if possible.
  C) Include digits and punctuation marks, if possible.
  D) Not be based on any personal information.
  E) Not be based on any dictionary word, in any language.
• If an operating system without security features is used (such as DOS, Windows or MacOS), then an intruder only needs temporary physical access to the console to insert a keyboard monitor program. If the workstation is not physically secured, then an intruder can reboot even a secure operating system, restart the workstation from his own media, and insert the offending program.
• To protect against network analysis attacks, both the workstation and server should be cryptographically secured. Examples of strong protocols are the encrypted Netware login and Kerberos.

14. Anti-virus policy

• All machines must be configured to run the latest anti-virus software as approved by Create Data Systems LTD. The preferred application to use is XXXX Anti-Virus software, which must be configured to retrieve the latest updates to the antiviral program automatically on a daily basis. The antivirus should have periodic scanning enabled for all the systems.
• The antivirus software in use should be cable of detecting all known types of malicious software (Viruses, Trojans, adware, spyware, worms and rootkits).
• All removable media (for example floppy and others) should be scanned for viruses before being used.
• All the logs generated from the antivirus solutions have to be retained as per legal/regulatory/contractual requirements or at a minimum of PCI DSS requirement 10.7 of 3 months online and 1 year offline.
• Master Installations of the Antivirus software should be setup for automatic updates and periodic scans.
• End users must not be able to modify and any settings or alter the antivirus software.
• E-mail with attachments coming from suspicious or unknown sources should not be opened. All such e-mails and their attachments should be deleted from the mail system as well as from the trash bin. No one should forward any e-mail, which they suspect may contain virus.

15. Patch Management Policy

• All Workstations, servers, software, system components etc. owned by Create Data Systems LTD must have up-to-date system security patches installed to protect the asset from known vulnerabilities.
• Where ever possible all systems, software must have automatic updates enabled for system patches released from their respective vendors. Security patches have to be installed within one month of release from the respective vendor and have to follow the process in accordance with change control process.
• Any exceptions to this process have to be documented.
 

16. Remote Access policy

• It is the responsibility of Create Data Systems LTD employees, contractors, vendors and agents with remote access privileges to Create Data Systems LTD’s corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to Create Data Systems LTD.
• Secure remote access must be strictly controlled. Control will be enforced by two factor authentication via one-time password authentication or public/private keys with strong pass-phrases.
• Vendor accounts with access to Create Data Systems LTD network will only be enabled during the time period the access is required and will be disabled or removed once access is no longer required.
• Remote access connection will be setup to be disconnected automatically after 30 minutes of inactivity.
• All hosts that are connected to Create Data Systems LTD internal networks via remote access technologies will be monitored on a regular basis.
• All remote access accounts used by vendors or 3rd parties will be reconciled at regular interviews and the accounts will be revoked if there is no further business justification.
• Vendor accounts with access to Create Data Systems LTD network will only be enabled during the time period the access is required and will be disabled or removed once access is no longer required.

17. Vulnerability Management Policy

• All the vulnerabilities would be assigned a risk ranking such as High, Medium and Low based on industry best practices such as CVSS base score.
• As part of the PCI-DSS Compliance requirements, Create Data Systems LTD will run internal and external network vulnerability scans at least quarterly and after any significant change in the network (such as new system component installations, changes in network topology, firewall rule modifications, product upgrades).
• Quarterly internal vulnerability scans must be performed by Create Data Systems LTD by internal staff or a 3rd party vendor and the scan process has to include that rescans will be done until passing results are obtained, or all High vulnerabilities as defined in PCI DSS Requirement 6.2 are resolved.
• Quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV) qualified by PCI SSC. Scans conducted after network changes may be performed by Create Data Systems LTD’s internal staff. The scan process should include re-scans until passing results are obtained.