ATPCO Compliance

Asset Management 

ATPCO maintains an accurate asset inventory that is monitored and audited at least monthly.  Data retention is strictly enforced via embedded operating system (OS) controls based on data classification and business owner declaration. Retired assets (for example, hard drives) are removed from inventory and securely wiped prior to disposal.  In the case of sensitive data, the media is destroyed and verified via a certificate of destruction. 

Human Resources Security

All prospective employees undergo professional reference checks.  Any prospective employee who will have access to credit-card data will be subject to pre-employment background checks.  Additional background screening is conducted as necessary dependent on the position of the candidate, which include Directors and Officers.

All employees are required to undergo annual security awareness training and are required to take a security awareness test which confirms their acknowledgment and agreement to abide by the ATPCO Information Security policies.

ATPCO has a strict on-boarding/off-boarding process with an established workflow for requesting access to systems and data and for revoking access upon termination.

Communications and Operations Management

ATPCO employs state-of-the-art, layered firewalls to protect and control access to its internal resources.  Encryption (SSL/TLS) is enabled for all credentialed access to ATPCO systems and application.  Network-level access and remote administrative access requires two-factor authentication.

Anti-virus software is deployed on all servers/hosts where applicable.

Logging is enabled via standard configuration of all network devices and hosts, and includes details such as User name / UserID, timestamp, system / application/ host being accessed, and the result of the access attempt (success for fail).  Additionally, all end-user log-on activity is logged and maintained for at least 90 days.

ATPCO has an established Privacy Policy.

All confidential and sensitive data is transmitted via SSL/TLS. While at rest, confidential and sensitive data is either encrypted or protected by additional layers of access control which require approval for access.

All production removable media that leaves the ATPCO facility is logged, tracked, and accounted for via authorized sign-offs at each point.

ATPCO conducts monthly scans for rogue wireless devices.

Systems back-ups and restoration is validated via regularly scheduled disaster recovery testing.

A formal change control program is in place that requires management approval for all system configuration changes or application updates.

Physical Security

Physical access to sensitive areas is controlled by an electronic card key system and only employees with elevated access are granted access to the most secure environments.   Access is also monitored and recorded via an electronic surveillance system.

ATPCO has implemented hardware environmental controls such as generators, UPS, and a fire suppression/control system.

Access control

All ATPCO systems display a warning log-on banner upon first access to secured resources.   

Each user (employee or customer) is assigned a unique user ID for system access.
Password controls are enforced for complexity and account lockout via the security system on all platforms. Initial passwords are randomly generated and communicated securely to the authorized user. User accounts are revoked upon termination. Access to systems in controlled via a formal request process. Inactive accounts are regularly reviewed and deleted. System and session timeouts are employed for unattended systems.

Physical access rights are granted only based on authorized request and on business need.

Logical access to data is restricted by layered security controls, and all access is monitored/recorded and logged. Access lists are periodically reviewed for accuracy and consistency. Personnel are only granted access to systems and data based on their role and job responsibilities and this is strictly enforced by our systems security server with a default “deny” rule.

Information Systems Acquisition, Development, and Maintenance

All ATPCO system software is patched on a regular cycle; all critical system security patches/updates are installed within 30 days of release.  

ATPCO performs regular (at least weekly) vulnerability scanning against all public Internet-facing hosts, and any identified vulnerabilities are remediated via established procedures. Network and Application Penetrations Tests are conducted at least quarterly, or when there are significant network changes.

All ATPCO systems are developed according to an established Systems Development Life Cycle (SDLC), which includes security controls for common security vulnerabilities. ATPCO developers must undergo training for secure coding principles upon hire and annually thereafter.

Incident and Event Management

ATPCO has implemented an Information Security Incident Response Plan to prevent, detect, and respond to any breach of ATPCO information security controls resulting in destruction, loss, alternation, disclosure, or unauthorized access to, ATPCO systems or data.

Upon detection, Incidents are categorized based upon the type of incident and prioritized to determine the response time objective. The response plan prioritizes limiting the scope of the incident, and containment and remediation steps to restore normal business operations. Depending on the type of incident, a communication escalation plan is followed to determine notification requirements in the event of a data breach. Affected customers must be notified within 48 hours, advising them of the breach and the steps ATPCO is taking to contain the event and limit data loss or exposure. All external communication with customers must be approved by executive management and coordinated via the Marketing Communications team.  

Business Continuity Management

ATPCO has developed a Business Continuity plan (Enterprise Availability Plan) that provides for the protection of ATPCO’s data and resources against disruption. The plan defines and ranks in priority those data systems/resources and business processes that are critical to ATPCO ongoing operations, and formulates procedures for the prompt resumption of business functions in case of disruption.

Disaster Recovery

The ATPCO computing environment consists of geographically dispersed, co-located data center facilities which provide fault-tolerance and complete N+1 redundancy for system/ network failures. Our disaster recovery strategy includes data replication to our second data center location with the ability to restore normal operations (RTO) within 8-hours with minimal data loss (RPO of 10 minutes or less).  Our secondary data center also provides full capacity to run the ATPCO normal production business transaction load so we can operate with no degradation of performance for our customers.

Employees are prohibited from storing unencrypted customer data on mobile devices. Only company issued devices with a digital security certificate are permitted to access the cardholder data environment.

ATPCO has implemented a Data Classification system for handling Public, Sensitive, and Confidential data.

Any storage device or removable media used for transport is logged, authorized by management, and tracked.

No proprietary and/or confidential documents are left on employee desks in plain sight.

All software testing is conducted in a non-production environment and tests in non-production environments do not use live production data. If there´s a justified need for testing with production-like data, the data is sanitized in a way to make it impossible to identify sensitive data.