This requirement ensures that this domain has taken the time to create a privacy policy. Domains that do not have a privacy policy either do not care enough about your privacy or do not want to tell you what they are doing with your information.
There are still sites that collect information over a secure SSL connection and then transmit that same information in clear text in an e-mail message. This is not an acceptable way to transmit your Entrusted Data.
Financial information should be held unencrypted only for the minimum period of time that it is needed. This requirement helps assure that if an unauthorized party gains access to the database or to a backup file, they will not be able to use the encrypted information.
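The following Go program is an added illustration of this requirement and is not code from the page or from any certification program. It keeps a financial field (a constructed test card number) encrypted at rest with AES-256-GCM, binds the ciphertext to its record identifier so a copied row fails to decrypt, and exposes the plaintext only inside a callback that zeroes the buffer on return. The key source and the record identifier scheme are assumptions; a production system would obtain the key from a KMS or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// StoredField is the only form in which the sensitive value lives in the
// database or in backups: a random nonce plus AES-GCM ciphertext and tag.
type StoredField struct {
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals plaintext under key. The record identifier is bound as
// additional authenticated data, so a ciphertext copied from one row to
// another no longer decrypts.
func EncryptField(key []byte, recordID string, plaintext []byte) (StoredField, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return StoredField{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredField{}, err
	}
	return StoredField{
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, []byte(recordID)),
	}, nil
}

// WithDecryptedField opens the field, passes the plaintext to use, and zeroes
// the buffer before returning, so cleartext exists only for that call.
func WithDecryptedField(key []byte, recordID string, f StoredField, use func(plaintext []byte) error) error {
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	plaintext, err := gcm.Open(nil, f.Nonce, f.Ciphertext, []byte(recordID))
	if err != nil {
		// Wrong key, tampered ciphertext, or ciphertext moved to another record.
		return errors.New("field failed authentication; refusing to use it")
	}
	defer func() {
		for i := range plaintext {
			plaintext[i] = 0
		}
	}()
	return use(plaintext)
}

func main() {
	// Assumption: a real deployment fetches the key from a KMS or HSM.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample value: a standard test card number, not a real one.
	stored, err := EncryptField(key, "acct-42", []byte("4111111111111111"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("at rest: nonce=%x ct=%x\n", stored.Nonce, stored.Ciphertext)
	err = WithDecryptedField(key, "acct-42", stored, func(p []byte) error {
		fmt.Printf("in use for the charge: ****%s\n", p[len(p)-4:])
		return nil
	})
	if err != nil {
		panic(err)
	}
}
```

Because the record identifier is authenticated data, an attacker who copies a backup cannot splice one customer's encrypted field into another record, and any bit flip in the stored ciphertext is rejected before the plaintext is ever handed to application code.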
System security can be easily compromised if an unauthorized third party gains access to the system by capturing a clear-text password transmitted over the Internet. Secure versions of the above services should be used instead.
Data that is not sent over the Internet through a secure channel is susceptible to simple capture techniques that an unauthorized third party may use to intercept your information. Sites that never collect passwords or other PII are exempt from this requirement.
Security monitoring tools and log analysis must be used so that if a security breach does occur, there is a high probability that it will be detected and remedied as soon as possible to minimize the damage.
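As an added example of the kind of log analysis this requirement calls for (not code from the page or from any certification program), the Go program below parses a small set of constructed authentication log lines, skips malformed ones, and flags any source address that produced a burst of failed logins within a sliding time window. The log format, field names, threshold and window are all assumptions chosen for the illustration.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// LoginEvent is one parsed authentication record.
type LoginEvent struct {
	At      time.Time
	IP      string
	User    string
	Success bool
}

// SampleLog is constructed input in an assumed format:
//   <RFC3339 time> LOGIN ip=<addr> user=<name> result=OK|FAIL
var SampleLog = []string{
	"2024-05-01T10:00:00Z LOGIN ip=203.0.113.5 user=alice result=FAIL",
	"2024-05-01T10:00:20Z LOGIN ip=203.0.113.5 user=alice result=FAIL",
	"2024-05-01T10:00:41Z LOGIN ip=203.0.113.5 user=bob result=FAIL",
	"2024-05-01T10:01:03Z LOGIN ip=203.0.113.5 user=carol result=FAIL",
	"2024-05-01T10:01:15Z LOGIN ip=203.0.113.5 user=dave result=FAIL",
	"2024-05-01T10:05:00Z LOGIN ip=198.51.100.7 user=erin result=FAIL",
	"2024-05-01T10:06:00Z LOGIN ip=198.51.100.7 user=erin result=OK",
	"2024-05-01T11:30:00Z LOGIN ip=198.51.100.7 user=erin result=FAIL",
	"garbage line that the parser must skip",
}

// ParseLoginLine parses one line of the assumed format above.
func ParseLoginLine(line string) (LoginEvent, error) {
	f := strings.Fields(line)
	if len(f) != 5 || f[1] != "LOGIN" {
		return LoginEvent{}, fmt.Errorf("unrecognised line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return LoginEvent{}, err
	}
	kv := map[string]string{}
	for _, p := range f[2:] {
		k, v, ok := strings.Cut(p, "=")
		if !ok {
			return LoginEvent{}, fmt.Errorf("bad field %q", p)
		}
		kv[k] = v
	}
	return LoginEvent{At: at, IP: kv["ip"], User: kv["user"], Success: kv["result"] == "OK"}, nil
}

// BruteForceSources returns, sorted, every IP that produced at least threshold
// failed logins inside some sliding window of the given length.
func BruteForceSources(events []LoginEvent, threshold int, window time.Duration) []string {
	failures := map[string][]time.Time{}
	for _, e := range events {
		if !e.Success {
			failures[e.IP] = append(failures[e.IP], e.At)
		}
	}
	var flagged []string
	for ip, times := range failures {
		sort.Slice(times, func(i, j int) bool { return times[i].Before(times[j]) })
		start := 0
		for end := range times {
			// Advance the window start until it spans at most `window`.
			for times[end].Sub(times[start]) > window {
				start++
			}
			if end-start+1 >= threshold {
				flagged = append(flagged, ip)
				break
			}
		}
	}
	sort.Strings(flagged)
	return flagged
}

// AnalyseLog parses the lines, skipping ones it cannot parse, and returns the
// flagged sources together with the count of skipped lines (so a sudden rise in
// unparseable input, itself a warning sign, is not silently lost).
func AnalyseLog(lines []string, threshold int, window time.Duration) ([]string, int) {
	var events []LoginEvent
	skipped := 0
	for _, l := range lines {
		e, err := ParseLoginLine(l)
		if err != nil {
			skipped++
			continue
		}
		events = append(events, e)
	}
	return BruteForceSources(events, threshold, window), skipped
}

func main() {
	flagged, skipped := AnalyseLog(SampleLog, 5, 2*time.Minute)
	fmt.Printf("flagged sources: %v (skipped %d unparseable lines)\n", flagged, skipped)
}
```

With the sample input, the first source produces five failures in 75 seconds and is flagged, while the second source's two failures more than an hour apart are not; the single malformed line is counted rather than dropped silently.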
Systems that contain PII should always have the latest anti-virus software installed. This is a fundamental requirement of adequate system administration, and it helps prevent malicious code that uses the same techniques as a virus from gaining access to PII.
Many of the most damaging viruses would have had no impact if everybody had installed the latest software patches. We know that this is not possible everywhere, but it is practical to require that all systems involved with PII maintain the latest software.
If a web visitor has a problem or issue with the site, there must be a clearly visible and easy way for them to contact a proper representative with their issue.
Unfortunately, a domain that is not following applicable laws is probably not going to be truthful with respect to the Entrusted Data requirements either. If you encounter such a violation, please report it using the form below.