How We Comply with the 12 PCI DSS Requirements

1. Install and maintain a firewall configuration to protect cardholder data

Not applicable with regard to cardholder data – we do not store or access PCI data.

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Not applicable with regard to cardholder data – we do not store or access PCI data. No system at any level of our company uses a vendor-supplied or default password.

3. Protect stored cardholder data

Until it is destroyed, all physical client media is held in our secure and monitored facility. When destroying media containing cardholder data, we do so according to NIST media sanitization guidelines, by shredding.

4. Encrypt transmission of cardholder data across open, public networks

Not applicable with regard to cardholder data – we do not store or access PCI data. All our company networks are private and encrypted.

5. Use and regularly update antivirus software

Not applicable with regard to cardholder data – we do not store or access PCI data. Our own networks are protected from viruses and other malware by regularly updated antivirus and other security software.

6. Develop and maintain secure systems and applications

We maintain a secure and documented “chain of possession” throughout the entire handling process for all data assets and media awaiting destruction.

7. Restrict access to cardholder data by business need-to-know

Our security policy prohibits access to any client data by any means; our destruction processes require no knowledge of the cardholder data on the media.

8. Assign a unique ID to each person with computer access

Not applicable with regard to cardholder data – we do not store or access PCI data. On our own networks, each person has a unique ID and password, with privileges assigned according to their level of access.

9. Restrict physical access to cardholder data

We maintain NAID AAA certified secure plant-based and mobile destruction facilities. Access to the secure facilities is restricted to authorized employees only.

10. Track and monitor all access to network resources and cardholder data

Our networks are access-controlled and monitored. Cardholder data is never accessed, as required by our security policies.

11. Regularly test security systems and processes

As part of our NAID AAA certification, our security systems and processes are checked and audited regularly.

12. Maintain a policy that addresses information security

Information security is within the scope of our ISO 9001:2015 Quality Management System. We have numerous policies and procedures that address information security, and we evaluate them regularly.