The Merchant Security Policy refers to the commitment to treat the information of employees and customers (drivers and other interested parties) with the utmost care and confidentiality.
This policy refers to the merchant’s responsibility for the following:
- Designating an employee who will be responsible for overseeing the merchant’s data security controls and procedures;
- Maintaining commercially reasonable administrative, technical, and physical safeguards with respect to any payment information and complying with all applicable data security and privacy laws;
- Complying with all security procedures mandated by the payment processor;
- Maintaining the security of all point of sale equipment;
- Providing training to employees regarding identifying evidence of tampering and other security procedures;
- Setting access limitations to any payment information or payment equipment;
- Prohibiting the merchant from retaining any payment information once the transaction is completed and from sharing the payment information with any party other than the payment processor;
- Immediately notifying the payment processor of any actual or suspected security breach;
- Immediately notifying the payment processor of any lost or stolen point of sale equipment;
- Indemnifying the payment processor for notification, regulatory, investigatory, and other costs related to any data security incident affecting the payment processor;
- Agreeing to permit the payment processor to conduct audits of its security measures.
2. WHO IS COVERED UNDER THE MERCHANT SECURITY POLICY?
Employees of the merchant (company) and its subsidiaries must follow this policy. Point-of-Sale vendors, contractors, consultants, fleets and any other external entity are also covered. Generally, this policy refers to anyone who collaborates with or acts on the merchant's behalf and may need occasional access to data.
3. POLICY ELEMENTS.
As part of operations, the merchant will need to obtain and process information. This information includes any offline or online data that makes a person identifiable such as names, addresses (physical and/or email), usernames, digital footprints, etc.
This information should be collected in a transparent way and only with the full cooperation and knowledge of interested parties. Once this information is available, the following rules apply.
The data will be:
- Accurate and kept up to date;
- Collected fairly and for lawful purposes only;
- Transmitted and processed by Mudflap within its legal and moral boundaries;
- Protected against any unauthorized or illegal access by internal or external parties.
The data will not be:
- Communicated informally;
- Distributed to any 3rd party other than the ones agreed upon in this agreement with Mudflap to meet its core business and application (exempting legitimate requests from law enforcement authorities);
- Transferred to 3rd party organizations that do not have adequate data security policies.
To exercise data security, the merchant is committed to:
- Restrict and monitor access to sensitive data;
- Train employees in online privacy and security measures;
- Ensure a secure network to protect data from cyber-attacks;
- Establish clear procedures for reporting privacy breaches or data misuse;
- Establish data security practices (including, but not limited to, data encryption, access authorizations, backups, document shredding, secure locks, etc.).
5. DISCIPLINARY CONSEQUENCES.
All principles described in this policy must be strictly followed. A breach of data protection guidelines will invoke disciplinary and possible legal action.