Privacy

1. Privacy Policy - Site provides a privacy policy or statement that explains use and retention of any Personally Identifiable Information (PII) collected. A Platform for Privacy Preferences (P3P) document is preferred.

   This requirement insures that this domain has taken the time to create a privacy policy. Domains that do not have a privacy policy either do not care enough about your privacy, or don't want to tell you what they are doing with your information.

2. Personally Identifiable Information (PII) - All collected PII is stored and transmitted via secure systems and networks using currently accepted standards. Any sharing of PII with third parties is disclosed within the privacy policy.

   There are still sites that collect information via a secure SSL connection and then transmit your information in clear-text via an e-mail message. This is not an acceptable way to transmit your Entrusted Data.

Security

1. Financial Information - Management of credit card information and other Government identifiers collected meet the requirements of the Payment Card Industry Data Security Standards (PCI DSS).

   Financial information should only be unencrypted for the minimum period of time that it is needed. This requirement helps assure that if an unauthorized party gains access to the database or to a backup file, they will not be able to use the encrypted information.

2. Network Security - All systems and networks storing PII are protected from unauthorized access. Any external connections to protected networks requires the use of secure connections with the end-points also secured.

   System security can be easily compromised if an unauthorized third-party is able to gain access to the system by capturing a clear-text password being transmitted over the Internet. Secure versions of the above services should be used instead.

3. Data Transmission - All transmission of PII across public networks is done using secure communications. This includes all information sent to third-parties for the processing of orders.

   Data that is not sent through the Internet via a secure channel is susceptible to simple data capture techniques that an unauthorized third-party may use to intercept your information. Sites that never collect passwords or other PII are exempt from this requirement.

Monitoring

1. Security Monitoring - Proper monitoring systems and log storage are in place to assure that a system compromise can be detected and information can be provided to proper authorities.

   Security monitoring tools and log analysis has to be used so that if a security breach does occur, there is a high probability that it will be detected and remedied as soon as possible to minimize the damage

2. Anti-Virus Software - Appropriate Anti-Virus/SpyWare software is installed on all servers that store or collect PII. The software is setup to scan at appropiate intervals and notify if there are issues.

   Systems that contain PII should always have the latest Anti-Virus software installed. This is a fundamental requirement of adequate system administration. This helps prevent malicious code using the same techniques as a virus from gaining access to PII.

3. Software Updates - Regular software maintenance has to be performed often to install all security related patches or upgrades available for systems that handle PII.

   Many of the most damaging viruses would have had no impact if everybody had installed the latest software patches. We know that this is not possible, but it is practical that all systems involved with PII maintain the latest software.

General

1. Domain Contact - Site contact information is available in the form of either a published site e-mail address or a customer contact form.

   If a web visitor has a problem or issue with the site, there has to be a visibly easy way for them to contact a proper representative with their issue.

2. Applicable Laws - All applicable laws are followed, especially those related to the receipt and handling of PII. All laws with respect to unsolicited e-mail are also followed.

   Unfortunately a domain that is not following applicable laws is probably not going to be truthful with respect to the Entrusted Data requirements. If you encounter such a violation, please report it using the form below.