Statement of Compliance - May 2010
Mongoose Metrics places a high value on the safety and privacy of all its customers, vendors and constituents, as well as their respective data. As such, Mongoose Metrics is certified as compliant with all of the required processes and procedures of the Payment Card Industry Data Security Standard (PCI DSS), as detailed herein.
The current version of the standards (1.2) specifies 12 requirements for compliance, organized into six logically related groups called control objectives:
| Control Objectives | PCI DSS Requirements |
| --- | --- |
| Build and Maintain a Secure Network | 1. Install and maintain a firewall configuration to protect cardholder data. Mongoose uses three levels of firewalls. Between untrusted networks and our general trusted internal networks, we use redundant high-performance firewalls which deny all traffic by default, allowing only traffic we have specifically permitted. Within our trusted network we have a highly secure segment which is protected by another firewall, preventing other trusted hosts from accessing our secure data. Additionally, we employ firewall filtering at the host level to prevent malicious programs from being accessed via the network. |
| | 2. Do not use vendor-supplied defaults for system passwords and other security parameters. Mongoose has an access control system and policy which provides guidance for the appropriate setting of remote access credentials. We do not employ any devices on the network with default or easy-to-guess system passwords. |
| Protect Cardholder Data | 3. Protect stored cardholder data. All full cardholder data is stored in encrypted form in our database. The decryption keys are highly secured and accessible only to our systems administrators. No employee has access to the unencrypted cardholder information. Our support staff has access to partial card information (the last four digits of the card) used for customer authentication and validation purposes. |
| | 4. Encrypt transmission of cardholder data across open, public networks. Mongoose Metrics uses SSL 128-bit encryption when transmitting card data to our merchant processors. |
| Maintain a Vulnerability Management Program | 5. Use and regularly update anti-virus software on all systems commonly affected by malware. All Windows machines at Mongoose run anti-virus software. All Unix backend systems run regular proactive intrusion scans and rootkit detection programs. All systems employed by Mongoose Metrics are patched and updated as recommended by their respective vendors. |
| | 6. Develop and maintain secure systems and applications. Development of the Mongoose applications, on both the telecom and the web side, employs appropriately secure programming techniques. We are cognizant of various methods of attack, including cross-site scripting, buffer overflows, and exposing data through unprotected API interfaces. We explicitly review code for security best practices and provide instruction to our developers regarding common security mistakes. |
| Implement Strong Access Control Measures | 7. Restrict access to cardholder data by business need-to-know. As covered under requirement 3, cardholder data access is highly limited and is used in our organization only to validate the customer. Data is stored only electronically, and general employee access is limited to partial data sets, which are not usable for fraudulent purposes. |
| | 8. Assign a unique ID to each person with computer access. All access to Mongoose Metrics systems is tied directly to the particular employee accessing the system. We have extensive logging through our authentication and authorization system for both system access and system commands executed. We can roll back changes and review usage history for any employee on any system. |
| | 9. Restrict physical access to cardholder data. Cardholder data is stored only electronically, and appropriate safeguards are in place to limit access. |
| Regularly Monitor and Test Networks | 10. Track and monitor all access to network resources and cardholder data. We retain command history for database access and system access to ensure that no unauthorized parties have retrieved database information or secure key information from our servers. |
| | 11. Regularly test security systems and processes. We employ proactive penetration testing on a monthly basis and quarterly security process reviews, a subset of which is focused on cardholder data protection. |
| Maintain an Information Security Policy | 12. Maintain a policy that addresses information security. Mongoose has an information security policy which is reviewed annually. All employees are trained on the policy as part of their employment. |