Information Security Policy
Effective Date: May 03, 2025
Owner: Lasona's Designs
1. Purpose
This Information Security Policy establishes the principles and requirements to protect sensitive information, particularly cardholder data (CHD), processed through our Shopify online store and associated third-party services, in accordance with industry best practices and PCI DSS standards.
2. Scope
This policy applies to all systems, contractors, and third-party providers that store, process, or transmit cardholder data related to A$S Print on Demand Services e-commerce operations.
3. Network Security
Our Shopify store operates on Shopify’s secure infrastructure, which includes robust network protection mechanisms such as firewalls, intrusion detection systems, and regular vulnerability scanning. Shopify manages its own network and maintains PCI DSS Level 1 compliance, ensuring that cardholder data is processed in a secure environment.
4. Acceptable Use Policy
All personnel accessing systems or information related to our e-commerce business must follow acceptable use guidelines, including:
- No sharing of login credentials.
- Use of secure, updated devices and browsers.
- Accessing systems only through authorized accounts.
5. Protect Stored Data
We do not store any cardholder data on our systems. All payment information is securely handled by third-party PCI DSS-compliant providers: Tilopay and Powertranz.
6. Information Classification
Information is classified into three levels:
- Public: Information meant for public consumption (e.g., product listings).
- Internal: Business operations data not intended for the public.
- Sensitive: Includes customer information, transaction records, and cardholder data handled only by authorized third-party services.
7. Access to Sensitive Cardholder Data
Cardholder data is never accessible to our internal team. All transactions are processed directly through:
- Tilopay (PCI DSS-compliant payment gateway)
- Powertranz (PCI DSS Level 1 compliant processor)
Both Tilopay and Powertranz encrypt cardholder data at all stages of the transaction and do not allow any storage or transmission of plain-text card data.
8. Physical Security
As a cloud-based e-commerce operation, we do not maintain physical servers. All hosting and data storage are handled by Shopify and our payment providers in their secure data centers.
9. Protect Data in Transit
Data is protected in transit through:
- HTTPS (SSL/TLS) encryption for all web traffic.
- Encrypted API communications between Shopify, Tilopay, and Powertranz.
- No cardholder data is transmitted unencrypted at any point.
10. Disposal of Stored Data
Since no cardholder data is stored, there is no need for disposal processes. Any customer data (e.g., contact details) stored in Shopify is retained per our privacy policy and securely deleted upon request or after retention periods expire.
11. Security Awareness and Procedures
All staff are trained on:
- Basic information security principles.
- Recognizing phishing attempts and social engineering.
- Importance of securing accounts with strong passwords and 2FA.
12. Credit Card (PCI) Security Incident Response Plan
In the event of a suspected or confirmed security incident involving cardholder data:
- Notify Shopify support and affected payment providers immediately.
- Initiate internal investigation.
- Inform customers and stakeholders, as necessary.
- Document incident and resolution for compliance purposes.
- Review and improve preventive measures.
13. Transfer of Sensitive Information Policy
Sensitive information is only transmitted via secure, encrypted channels. No CHD is transferred via email, chat, or insecure web forms.
14. User Access Management
User accounts for Shopify, Tilopay, and Powertranz:
- Must use strong passwords and 2FA.
- Are granted access based on the principle of least privilege.
- Are reviewed quarterly for unnecessary or dormant accounts.
15. Access Control Policy
Access to systems and data is governed by role-based access controls (RBAC). Only authorized personnel are permitted to view customer information, and no one can access cardholder data directly.
Review & Maintenance:
This policy is reviewed annually or upon significant changes in technology, vendors, or regulation.
