Terms and Conditions
Registered Office : Sandown Court, Station Road, Glenfield, Leicester LE3 8BT. Cheapestprintonline.co.uk shall be referred from now on for the purpose of these terms and conditions as 'CPO'.
Acceptance of orders - a) CPO contracts for the supply of goods and/or services only subject to these terms and conditions and all terms and conditions in the customer's order or enquiries inconsistent therewith shall be of no effect.
b) The terms and conditions herein shall constitute the entire agreement between CPO and any modification to these conditions will be binding only if it is evidenced in writing signed by a director of CPO and such evidence contains specific reference to those conditions being modified.
c) Acceptance of the customers order takes place when an order confirmation - website order/email/fax/written/verbally is despatched/conveyed to the customer, or preliminary work is undertaken on the customers instructions. All turnaround times and delivery dates are estimated and cannot be guaranteed due to the nature of manufacturing (i.e. machine failure, staff sickness etc.) and cannot be therefore held liable for any delay in meeting the agreed delivery schedule, out of pocket expenses or any other claim.
d) We reserve the right to decline any order without giving any reason.
Currency - Payment for accepted orders must be in the currency agreed on the order confirmation or other written communication sent to the customer from ourselves detailing the order - fax/written/email. Without this written notification pounds sterling must be assumed.
Disclaimer - CPO disclaims to the maximum extent permitted by law all representations, warranties (express or implied) regarding products, services, quantities, pricing, graphics, software, information, published on our web site, in our buying guides or in any other form or location. Data is constantly updated and therefore is not necessarily accurate, current or complete. Provision of the products, services, software, information is on an "as is" basis. In particular CPO disclaims without limitation, warranties of merchantability, fitness for purpose or non infringement.
Tax - Value added tax will be charged, if applicable, at the rate ruling on the date of supply whether or not included on the quote, order, invoice.
Preliminary work - All work carried out, whether experimentally or otherwise, at customer's request shall be charged.
Supply of design data - A charge may be made to cover any additional work involved where the design data supplied or specified is not clear, legible, or in the prescribed format/specification to produce satisfactory results. Where design data is so supplied or specified, responsibility will not be accepted for imperfect work caused by defects in the supply, format or specification. In addition, you agree that all material uploaded by you onto our site will be done at your own risk and you must not upload any material that will breach any third party rights to such material unless you have their express consent. We have the right to disclose your identity to any third party claiming that any material uploaded by you to our site constitutes a violation of their rights, unruleful, pornographic or defamatory to third parties. You must retain a copy of all material you upload. We expressly exclude all liability for any uploaded material which is lost or damaged during or after the uploading process.This includes any incompatibility or defects caused by differing software versions/ conflicting operating systems. All compatibility issues should be addressed by the customer to CPO before proceeding with the order. This also applies to incorrect colour formats being provided by the customer (i.e. supplying full colour design but only ordering black and white print or the use of pantone colours when only CMYK print is used).
Proofs - When placing an order with CPO, you are agreeing that you have read and understood the 'How to supply Artwork' page on our website .If you upload a file to our website, you are shown a proof of your final printed product at the final upload stage, you have the option here to either approve your proof or click the button 'i am struggling....' if you approve the proof we will print your file as the proof is displayed on screen - If you choose the wrong size or orientation here, your image may appear correct on your preview but could end up printed cropped,wrong size, upside down or have an incorrect quanitity (i.e. half as many at a larger size) (please note: your monitor or viewing device will display your proof in RGB, your final printed product is printed in CMYK which will differ slightly to the RGB screen proof). We will not be held responsible for any errors reported after approval of artwork - this is the responsibility of the customer to ensure their artwork is provided correctly (i.e. colour make-up, fonts used, safe areas etc). Artwork created by ourselves remains the property of Cheapestprintonline, although the customer is entitled to a print quality .pdf file for reprint purposes.
Archived Designs - Due to the volume of files processed by CPO, we do not store any files uploaded/ provided to us longer than 5 working days. Any orders left outstanding by the customer after 90 days (i.e. incompleted artwork or missing print files) will be cancelled and the paid print slot will be allocated to one of our chosen charities. No refund will be given.
Copyright - Unless negotiated and agreed in writing, the copyright of General Artwork, Commissioned Artwork and Illustrations belongs to CPO, except where the whole printed product design is uploaded, transferred to us by the customer or designed by the customer. The customer shall be responsible for all the design data they supply. He/she should obtain the necessary authority to reproduce picture, artwork, photographs, logos etc. The customer is also resposnsible for including any relevant watermarks/ disclaimers or copyright within their design. The customer will indemnify us and our agents from any claim arising thereof.
Delivery and payment - Should we fail to despatch within the agreed schedule, It is up to the discretion of CPO as to whether it sees fit to issue compensation in the way of increasing the order quantity at no extra charge or issuing any amount of refund. CPO uses a third party for all delivery services, and as such cannot be held directly responsible for any damages during transit, delay in meeting the agreed delivery schedule, or loss of order. In such an event, CPO will not be held liable for any
(a) Delivery of work shall be accepted when tendered and thereupon or, if earlier, on notification that the work has been completed the ownership shall pass and payment shall become due.
(b) Should expedited delivery be agreed, extra may be charged to cover any overtime or any other additional costs involved.
(c) Should work be suspended at the request of or delayed through any default of the customer for a period of 14 days we shall then be entitled to payment for work already carried out, materials specially ordered and any other additional costs including storage.
(d) Please only sign for the delivery of your order if it is complete and in good condition,
(e) Should the customer place multiple orders for the same required despatch date, we reserve the right to consolidate those orders in as many or as few boxes as we deem necessary, regardless of the multiple postage costs incurred by the customer.
(f) Should the incorrect delivery option be chosen on checkout, we reserve the right to withhold the order and refund only the delivery charge until the correct delivery costs are paid. Should the correct delivery charges not be paid within 10 working days, we reserve the right to destroy the order with no compensation or further refund.
(g) Delivery charge is for delivery to one address and will only be delivered within the specified region (i.e. mainland UK or Scottish Highlands). Additional delivery address are chargeable.
(h) Delivery dates are only estimates and cannot be guaranteed due to the third party service we employ. Compensation is not available for any delayed orders.
Variations in quantity - Every endeavour will be made to provide the correct quantity ordered, but estimates are conditional upon margins for 5 per cent for work in black only and 10 per cent for other work being allowed for overs or shortage.
Quality - You accept that colour variations are inherent within the printing process for files submitted. You also understand and accept that computer hardware set-ups are such that we cannot guarantee that the Product colours will match those displayed on your computer screen during the ordering process. 'Quality of print' will obviously always be based on the quality of the file(s) supplied by the customer. Low quality artwork (low resolution, RGB/ PANTONE colours, no safe area etc.) will therefore always result in low quality print which we cannot be held responsible for.
a) Due to the nature of the printing process, we shall not be required to guarantee an exact match in colour or texture between the printed results and any proof or existing copy so supplied.
Claims or Complaints - Advice of damage, misprints, quality disputes, delay or partial loss of goods in transit or of nondelivery must be given in writing to us and the carrier within three working days of delivery ( or in the case of non-delivery within 7 days of despatch of the goods ). All other claims must be made in writing to us within 7 days of delivery. Any claims made outside of this timeframe can no longer be entertained.
Cancellations - Due to the manufacturing process of our print, orders cannot be cancelled once processed as a print slot is allocated on a larger printed sheet with several other orders - so even if a file is not supplied, the print run still has to go ahead. If you havent supplied a file for print, your 'allocated slot' will still be printed but appear blank (as a bespoke manufactured product, the distance selling act does not apply).
Abusive language - A certain level of civility is expected during every telephone communication with CPO and as such any Racism, Insults, Swearing or Abusive language will not be tolerated and will result in the termination of any communication and cancellation of any outstanding orders.
Limitation of Liability - a) The sole liability of CPO in respect of any defect in, or failure of any goods or services supplied or for any shortage in the quantity of goods delivered or for any loss, injury attributable directly or indirectly thereto (other than in respect of death or personal injury) is limited to i) making good by replacement or ii) repairing defects or failures which under proper use appear therein. b) Without prejudice to the foregoing, CPO shall in no circumstances be liable - i) for any indirect or consequential loss (including without limitation loss of production, loss of profit or liability to third parties) suffered or incurred by the customer. ii) for any loss or damage in excess of the contract price for the goods or part thereof in respect of which a claim is made. We shall not be liable for any loss to the customer arising from delay in transit of their goods.
Customer's property - (a) Except in the case of a customer who is not contracting in the course of a business or holding himself out as doing so, customer's property and all property supplied to us by or on behalf of the customer shall while it is in our possession or in transit to or from the customer be deemed to be at customer's risk unless otherwise agreed and the customer should arrange insurance accordingly.
Materials/data supplied by the customer - (a) We may reject any paper, plates, data, media or other materials supplied or specified by the customer which appear to us to be unsuitable. Additional cost incurred if materials are found to be unsuitable during production may be charged.
(b) Responsibility will not be accepted for imperfect work caused by defects in or unsuitability of materials so supplied or specified.
(c) Supplying files of imperfect quality (such as images/text with an original resolution of less than 300dpi) will be printed by CPO on the basis of 'if it is legible, it is deemed printable' and fit for purpose. CPO will not be held responsible for the customer's image quality and will not comment on resolution/quality. Should the resolution be so bad that it is not legible, the customer will be informed and the order possibly delayed. Due to our proofing process, we advise that customers' only upload and approve their artwork for print from a computer based website browser as CPO will not be held responsible for the quality / content of print if approved on a device other than a computer or failure to upload the artwork, delaying the order.
(d) Due to the manufacturing process, any files provided without adequate bleed may end up with thin white slithers once cut to size for which CPO cannot be held responsible.
(e) Quantities of materials supplied shall be adequate to cover normal spoilage.
Inappropriate subject matter supplied by the customer. When a file is uploaded to our automated workflow all material is uploaded at your own risk.
Promotions and special offers - Although not listed on certain promotions by mail or email, all promotions, coupons and special offers are only available on quantities up to 25,000. Any promotional codes or coupons used over these quantities will be null and void.Credit terms - For invoices not settled within the agreed credit terms, we reserve the right to charge interest on the overdue debt at 2% above the HSBC Bank base rate at the time and an administration fee to cover the debt recovery costs.
Overdue Payments - If payment is not received within the agreed terms, CPO will instruct their solicitors to recover the amount due. The solicitors costs plus a £50.00 admin charge will be added to the amount due along with any interest accrued as in section (c)
Insolvency - If the customer ceases to pay his debts in the ordinary course of business or cannot pay his debts as they become due or being a company is deemed to be unable to pay its debts or has a winding-up petition issued against it or being a person commits an act of bankruptcy or has a bankruptcy petition issued against him, we without prejudice to other remedies shall (I) have the right not to proceed further with the contract or any other work for the customer and be entitled to charge for work already carried out (whether completed or not) and materials purchased for the customer, such charge to be an immediatem debt due to us, and (ii) in respect of all unpaid debts due from the customer we have a general lien on all goods and property of his in our possession (whether worked on or not) and shall be entitled on the expiration of 14 days notice to dispose of such goods or property in such manner and at such price as we think fit and to apply the proceeds towards such debts.
Illegal matter - (a)We shall not be required to print or design any matter which in our opinion is or may be of an illegal or libellous nature or any infringement of the proprietary or other rights of any third party.
(b)We shall be indemnified by the customer in respect of any claims costs and expenses arising out of any libellous matter, overprinting, finishing or modification to print supplied, or any infringement of copyright, patent, design of or any other proprietary or personal rights contained in any material printed for the customer. The indemnity shall extend to any amounts paid on a lawyer's advice in settlement of any claim.
Printing - Every effort will be made to obtain the best possible colour reproduction on customer's work but because of the nature of the processes involved, we shall not be required to guarantee an exact colour consistency throughout a quantity or an exact match in colour or texture between the customer's file provided, monitor display - local or over the internet, colour proof and the printed article. Final printed materials can vary between Litho and Digital printing processes and as such cannot be matched between them.
For operational reasons we may at times need to upgrade paper weight to the next grammage available - we will never print on a lesser weight but may upgrade the material at our discretion.
Force majeure - We shall be under no liability if we shall be unable to carry out any provision of the contract for any reason beyond our control including (without limiting the foregoing) Act of God, legislation, war, fire, flood, drought, failure of power of supply, lock-out, strike or other action taken by employees in contemplation or furtherance of a dispute or owing to any inability to procure materials required for the performance of the contract. During the continuance of such a contingency the customer may by written notice to us elect to terminate the contract and pay for work done and materials used but subject thereto shall otherwise accept delivery when available.
Law - These conditions and all other express terms of the contract shall be governed and construed in accordance with the laws of England.
This website is operated by CPO We take your privacy very seriously therefore we urge to read this policy very carefully because it contains important information about on:
Who we are
The personal information we collect and use
b) Personal information you provide about third parties
c) Monitoring and recording communications
d) Cookies and similar technologies
For further information on cookies generally visit www.aboutcookies.org or www.allaboutcookies.org.
How we use your personal information
Who your information may be shared with
Whether personal information has to be provided by you, and if so why
This is to enable us to do the following:
How long your personal information will be kept
Reasons we can collect and use your personal information
Consequence of our use of your personal information
Keeping your information secure
We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so. Indeed, while we will use all reasonable efforts to secure your personal data, in using the site you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data that are transferred from you or to you via the internet. If you have any particular concerns about your information, please contact us using the details below.
Transfers of your information out of the EEA
Children and the validity of consent
What rights do you have?
How to complain
CPO handles sensitive cardholder information daily. Sensitive Information must have adequate safeguards in place to protect the cardholder data, cardholder privacy, and to ensure compliance with various regulations, along with guarding the future of the organisation.
Handle Company and cardholder information in a manner that fits with their sensitivity and classification;
Limit personal use of CPO information and telecommunication systems and ensure it doesn’t interfere with your job performance;
CPO reserves the right to monitor, access, review, audit, copy, store, or delete any electronic communications, equipment, systems and network traffic for any purpose;
Do not use e-mail, internet and other Company resources to engage in any action that is offensive, threatening, discriminatory, defamatory, slanderous, pornographic, obscene, harassing or illegal;
Do not disclose personnel information unless authorised;
Protect sensitive cardholder information;
Keep passwords and accounts secure;
Request approval from management prior to establishing any new software or hardware, third party connections, etc.;
Do not install unauthorised software or hardware, including modems and wireless access unless you have explicit management approval;
Always leave desks clear of sensitive cardholder data and lock computer screens when unattended;
Information security incidents must be reported, without delay, to the individual responsible for incident response locally – Please find out who this is.
We each have a responsibility for ensuring our company’s systems and data are protected from unauthorised access and improper use. If you are unclear about any of the policies detailed herein you should seek advice and guidance from your line manager.
A high-level network diagram of the network is maintained and reviewed on a yearly basis. The network diagram provides a high level overview of the cardholder data environment (CDE), which at a minimum shows the connections in and out of the CDE. Critical system components within the CDE, such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable should also be illustrated.
In addition, ASV should be performed and completed by a PCI SSC Approved Scanning Vendor, where applicable. Evidence of these scans should be maintained for a period of 18 months.
Acceptable Use Policy
Management’s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to CPO’s established culture of openness, trust and integrity. Management is committed to protecting the employees, partners and CPO from illegal or damaging actions, either knowingly or unknowingly by individuals. The Company will maintain an approved list of technologies and devices and personnel with access to such devices as detailed in Appendix B.
Employees are responsible for exercising good judgment regarding the reasonableness of personal use.
Employees should take all necessary steps to prevent unauthorized access to confidential data which includes card holder data.
Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts.
All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature.
All POS and PIN entry devices should be appropriately protected and secured so they cannot be tampered or altered.
The List of Devices in Appendix B will be regularly updated when devices are modified, added or decommissioned. A stocktake of devices will be regularly performed and devices inspected to identify any potential tampering or substitution of devices.
Users should be trained in the ability to identify any suspicious behaviour where any tampering or substitution may be performed. Any suspicious behaviour will be reported accordingly.
Information contained on portable computers is especially vulnerable, special care should be exercised.
Postings by employees from a Company email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of CPO, unless posting is in the course of business duties.
Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.
Protect Stored Data
All sensitive cardholder data stored and handled by CPO and its employees must be securely protected against unauthorised use at all times. Any sensitive card data that is no longer required by the Company for business reasons must be discarded in a secure and irrecoverable manner.
If there is no specific need to see the full PAN (Permanent Account Number), it has to be masked when displayed.
PAN'S which are not protected as stated above should not be sent to the outside network via end user messaging technologies like chats, ICQ messenger etc.,
It is strictly prohibited to store:
The contents of the payment card magnetic stripe (track data) on any media whatsoever.
The CVV/CVC (the 3 or 4 digit number on the signature panel on the reverse of the payment card) on any media whatsoever.
The PIN or the encrypted PIN Block under any circumstance.
Data and media containing data must always be labelled to indicate sensitivity level.
Confidential data might include information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure, or data that would cause severe damage to CPO if disclosed or modified. Confidential data includes cardholder data.
Internal Use data might include information that the data owner feels should be protected to prevent unauthorized disclosure.
Public data is information that may be freely disseminated.
Access to the sensitive card holder data
All Access to sensitive cardholder should be controlled and authorised. Any job functions that require access to cardholder data should be clearly defined.
Any display of the card holder should be restricted at a minimum to the first 6 and the last 4 digits of the cardholder data.
Access to sensitive cardholder information such as PAN’s, personal information and business data is restricted to employees that have a legitimate need to view such information.
No other employees should have access to this confidential data unless they have a genuine business need.
If cardholder data is shared with a Service Provider (3rd party) then a list of such Service Providers will be maintained as detailed in Appendix C.
CPO will ensure a written agreement that includes an acknowledgement is in place that the Service Provider will be responsible for the for the cardholder data that the Service Provider possess.
CPO will ensure that a there is an established process, including proper due diligence is in place, before engaging with a Service provider.
CPO will have a process in place to monitor the PCI DSS compliance status of the Service provider.
Access to sensitive information in both hard and soft media format must be physically restricted to prevent unauthorised individuals from obtaining sensitive data.
Media is defined as any printed or handwritten paper, received faxes, floppy disks, back-up tapes, computer hard drive, etc.
Media containing sensitive cardholder information must be handled and distributed in a secure manner by trusted individuals.
Visitors must always be escorted by a trusted employee when in areas that hold sensitive cardholder information.
Procedures must be in place to help all personnel easily distinguish between employees and visitors, especially in areas where cardholder data is accessible. “Employee” refers to full-time and part-time employees, temporary employees and personnel, and consultants who are “resident” on Company sites. A “visitor” is defined as a vendor, guest of an employee, service personnel, or anyone who needs to physically enter the premises for a short duration, usually not more than one day.
A list of devices that accept payment card data should be maintained.
The list should include make, model and location of the device.
The list should have the serial number or a unique identifier of the device
The list should be updated when devices are added, removed or relocated
POS devices surfaces are periodically inspected to detect tampering or substitution.
Personnel using the devices should be trained and aware of handling the POS devices
Personnel using the devices should verify the identity of and=y third party personnel claiming to repair or run maintenance tasks on the devices, install new devices or replace devices.
Personnel using the devices should be trained to report suspicious behaviour and indications of tampering of the devices to the appropriate personnel. CPO sites. A “visitor” is defined as a vendor, guest of an employee, service personnel, or anyone who needs to enter the premises for a short duration, usually not more than one day. Strict control is maintained over the external or internal distribution of any media containing card holder data and has to be approved by management
Strict control is maintained over the storage and accessibility of media
All computer that store sensitive cardholder data must have a password protected screensaver enabled to prevent unauthorised use.
Protect Data in Transit
All sensitive cardholder data must be protected securely if it is to be transported physically or electronically.
Card holder data (PAN, track data, etc.) must never be sent over the internet via email, instant chat or any other end user technologies.
If there is a business justification to send cardholder data via email or by any other mode then it should be done after authorization and by using a strong encryption mechanism (i.e. – AES encryption, PGP encryption, IPSEC, etc.).
The transportation of media containing sensitive cardholder data to another location must be authorised by management, logged and inventoried before leaving the premises. Only secure courier services may be used for the transportation of such media. The status of the shipment should be monitored until it has been delivered to its new location.
Disposal of stored data
All data must be securely disposed of when no longer required by CPO, regardless of the media or application type on which it is stored.
An automatic process must exist to permanently delete on-line data, when no longer required.
All hard copies of cardholder data must be manually destroyed when no longer required for valid and justified business reasons. A quarterly process must be in place to confirm that all non-electronic cardholder data has been appropriately disposed of in a timely manner.
CPO will have procedures for the destruction of hardcopy (paper) materials. These will require that all hardcopy materials are crosscut shredded, incinerated or pulped so they cannot be reconstructed.
CPO will have documented procedures for the destruction of electronic media. These will require:
All cardholder data on electronic media must be rendered unrecoverable when deleted e.g. through degaussing or electronically wiped using military grade secure deletion processes or the physical destruction of the media;
If secure wipe programs are used, the process must define the industry accepted standards followed for secure deletion.
All cardholder information awaiting destruction must be held in lockable storage containers clearly marked “To Be Shredded” - access to these containers must be restricted.
Security Awareness and procedures
The policies and procedures outlined below must be incorporated into company practice to maintain a high level of security awareness. The protection of sensitive data demands regular training of all employees and contractors.
Review handling procedures for sensitive information and hold periodic security awareness meetings to incorporate these procedures into day to day company practice.
Distribute this security policy document to all company employees to read. It is required that all employees confirm that they understand the content of this security policy document by signing an acknowledgement form (see Appendix A).
All employees that handle sensitive information will undergo background checks (such as criminal and credit record checks, within the limits of the local law) before they commence their employment with CPO.
All third parties with access to credit card account numbers are contractually obligated to comply with card association security standards (PCI/DSS).
Company security policies must be reviewed annually and updated as needed.
Credit Card (PCI) Security Incident Response Plan
The Company PCI Security Incident Response Team (PCI Response Team) is comprised of the Information Security Officer and Merchant Services. CPO PCI security incident response plan is as follows:
Each department must report an incident to the Information Security Officer (preferably) or to another member of the PCI Response Team.
That member of the team receiving the report will advise the PCI Response Team of the incident.
The PCI Response Team will investigate the incident and assist the potentially compromised department in limiting the exposure of cardholder data and in mitigating the risks associated with the incident.
The PCI Response Team will resolve the problem to the satisfaction of all parties involved, including reporting the incident and findings to the appropriate parties (credit card associations, credit card processors, etc.) as necessary.
The PCI Response Team will determine if policies and processes need to be updated to avoid a similar incident in the future, and whether additional safeguards are required in the environment where the incident occurred, or for the institution.
CPO PCI Security Incident Response Team (or equivalent in your organisation):
Information Security Officer
Collections & Merchant Services
Information Security PCI Incident Response Procedures:
A department that reasonably believes it may have an account breach, or a breach of cardholder information or of systems related to the PCI environment in general, must inform CPO PCI Incident Response Team. After being notified of a compromise, the PCI Response Team, along with other designated staff, will implement the PCI Incident Response Plan to assist and augment departments’ response plans.
Incident Response Notification
Escalation Members (or equivalent in your company):
Escalation – First Level:
Director of CPO Communications
Escalation – Second Level:
External Contacts (as needed)
In response to a systems compromise, the PCI Response Team and designees will:
Ensure compromised system/s is isolated on/from the network.
Gather, review and analyze the logs and related information from various central and local safeguards and security controls
Conduct appropriate forensic analysis of compromised system.
Contact internal and external departments and entities as appropriate.
Make forensic and log analysis available to appropriate law enforcement or card industry security personnel, as required.
Assist law enforcement and card industry security personnel in investigative processes, including in prosecutions.
The credit card companies have individually specific requirements that the Response Team must address in reporting suspected or confirmed breaches of cardholder data. See below for these requirements.
Incident Response notifications to various card schemes
In the event of a suspected security breach, alert the information security officer or your line manager immediately.
The security officer will carry out an initial investigation of the suspected security breach.
Upon confirmation that a security breach has occurred, the security officer will alert management and begin informing all relevant parties that may be affected by the compromise.
If the data security compromise involves credit card account numbers, implement the following procedure:
Shut down any systems or processes involved in the breach to limit the extent, and prevent further exposure.
Alert all affected parties and authorities such as the Merchant Bank (your Bank), Visa Fraud Control, and the law enforcement.
Provide details of all compromised or potentially compromised card numbers to Visa Fraud Control within 24 hrs.
For more Information visit: http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_if_ compromised.html
Visa Incident Report Template
This report must be provided to VISA within 14 days after initial report of incident to VISA. The following report content and standards must be followed when completing the incident report. Incident report must be securely distributed to VISA and Merchant Bank. Visa will classify the report as “VISA Secret”*.
Include overview of the incident
Include RISK Level(High, Medium, Low)
Determine if compromise has been contained
Include forensic tools used during investigation
Number of accounts at risk, identify those stores and compromised
Type of account information at risk
Identify ALL systems analyzed. Include the following:
Domain Name System (DNS) names
Internet Protocol (IP) addresses
Operating System (OS) version F
unction of system(s)
Identify ALL compromised systems. Include the following:
Function of System(s)
Timeframe of compromise
Any data exported by intruder
Establish how and source of compromise
Check all potential database locations to ensure that no CVV2, Track 1 or Track 2 data is stored anywhere, whether encrypted or unencrypted (e.g., duplicate or backup tables or databases, databases used in development, stage or testing environments, data on software engineers’ machines, etc.)
If applicable, review VisaNet endpoint security and determine risk
Compromised Entity Action
Contact(s) at entity and security assessor performing investigation
*This classification applies to the most sensitive business information, which is intended for use within VISA. Its unauthorized disclosure could seriously and adversely impact VISA, its employees, member banks, business partners, and/or the Brand.
Within 24 hours of an account compromise event, notify the MasterCard Compromised Account Team via phone at 1-636-722-4100.
Provide a detailed written statement of fact about the account compromise (including the contributing circumstances) via secured e-mail to firstname.lastname@example.org.
Provide the MasterCard Merchant Fraud Control Department with a complete list of all known compromised account numbers.
Within 72 hours of knowledge of a suspected account compromise, engage the services of a data security firm acceptable to MasterCard to assess the vulnerability of the compromised data and related systems (such as a detailed forensics evaluation).
Provide weekly written status reports to MasterCard, addressing open questions and issues until the audit is complete to the satisfaction of MasterCard.
Promptly furnish updated lists of potential or known compromised account numbers, additional documentation, and other information that MasterCard may request.
Provide finding of all audits and investigations to the MasterCard Merchant Fraud Control department within the required time frame and continue to address any outstanding exposure or recommendation until resolved to the satisfaction of MasterCard.
Once MasterCard obtains the details of the account data compromise and the list of compromised account numbers, MasterCard will:
Identify the issuers of the accounts that were suspected to have been compromised and group all known accounts under the respective parent member IDs.
Distribute the account number data to its respective issuers.
Employees of CPO will be expected to report to the security officer for any security related issues. The role of the security officer is to effectively communicate all security policies and procedures to employees within CPO and contractors. In addition to this, the security officer will oversee the scheduling of security training sessions, monitor and enforce the security policies outlined in both this document and at the training sessions and finally, oversee the implantation of the incident response plan in the event of a sensitive data compromise.
Transfer of sensitive data policy
All third-party companies providing critical services to CPO must provide an agreed Service Level Agreement.
All third-party companies providing hosting facilities must comply with CPO’s Physical Security and Access Control Policy.
All third-party companies which have access to Card Holder information must
Adhere to the PCI DSS security requirements.
Acknowledge their responsibility for securing the Card Holder data.
Acknowledge that the Card Holder data must only be used for assisting the completion of a transaction, supporting a loyalty program, providing a fraud control service or for uses specifically required by law.
Have appropriate provisions for business continuity in the event of a major disruption, disaster or failure.
Provide full cooperation and access to conduct a thorough security review after a security intrusion by a Payment Card industry representative, or a Payment Card industry approved third party.
User Access management
Access to Company is controlled through a formal user registration process beginning with a formal notification from HR or from a line manager.
Each user is identified by a unique user ID so that users can be linked to and made responsible for their actions. The use of group IDs is only permitted where they are suitable for the work carried out.
There is a standard level of access; other services can be accessed when specifically authorized by HR/line management.
The job function of the user decides the level of access the employee has to cardholder data
A request for service must be made in writing (email or hard copy) by the newcomer’s line manager or by HR. The request is free format, but must state:
Name of person making request;
Each user will be given a copy of their new user form to provide a written statement of their access rights, signed by an IT representative after their induction procedure. The user signs the form indicating that they understand the conditions of access.
Access to all CPO systems is provided by IT and can only be started after proper procedures are completed.
As soon as an individual leaves the Company employment, all his/her system logons must be immediately revoked.
As part of the employee termination process HR (or line managers in the case of contractors) will inform IT operations of all leavers and their date of leaving.
Access Control Policy
Access Control systems are in place to protect the interests of all users of CPO computer systems by providing a safe, secure and readily accessible environment in which to work.
The Company will provide all employees and other users with the information they need to carry out their responsibilities in an as effective and efficient manner as possible.
Generic or group IDs shall not normally be permitted, but may be granted under exceptional circumstances if sufficient other controls on access are in place.
The allocation of privilege rights (e.g. local administrator, domain administrator, super-user, root access) shall be restricted and controlled, and authorization provided jointly by the system owner and IT Services. Technical teams shall guard against issuing privilege rights to entire teams to prevent loss of confidentiality. Access rights will be accorded following the principles of least privilege and need to know.
Every user should attempt to maintain the security of data at its classified level even if technical security mechanisms fail or are absent.
Users electing to place information on digital media or storage devices or maintaining a separate database must only do so where such an action is in accord with the data’s classification.
Users are obligated to report instances of non-compliance to CPO CISO.
Access to CPO IT resources and services will be given through the provision of a unique Active Directory account and complex password.
No access to any CPO IT resources and services will be provided without prior authentication and authorization of a user’s CPO Windows Active Directory account.
Password issuing, strength requirements, changing and control will be managed through formal processes. Password length, complexity and expiration times will be controlled through Windows Active Directory Group Policy Objects.
Access to Confidential, Restricted and Protected information will be limited to authorised persons whose job responsibilities require it, as determined by the data owner or their designated representative. Requests for access permission to be granted, changed or revoked must be made in writing.
Users are expected to become familiar with and abide by CPO policies, standards and guidelines for appropriate and acceptable usage of the networks and systems.
Access for remote users shall be subject to authorization by IT Services and be provided in accordance with the Remote Access Policy and the Information Security Policy. No uncontrolled external access shall be permitted to any network device or networked system.
Access to data is variously and appropriately controlled according to the data classification levels described in the Information Security Management Policy.
Access control methods include logon access rights, Windows share and NTFS permissions, user account privileges, server and workstation access rights, firewall permissions, IIS intranet/extranet authentication rights, SQL database rights, isolated networks and other methods as necessary.
A formal process shall be conducted at regular intervals by system owners and data owners in conjunction with IT Services to review users’ access rights. The review shall be logged and IT Services shall sign off the review to give authority for users’ continued access rights.