
Access Control Policy

Document Owner IT
Date 01/01/2024
Version 1
Document Classification Confidential / Internal Use Only

Version 1.0 Confidential / Internal Use Only Page 1

Contents

1. Overview (p. 3)
2. Purpose (p. 3)
3. Scope (p. 3)
4. Access Control Policy (p. 3)
4.1. Access Controls and Permissions (p. 3)
4.2. Authorization Levels and Roles (p. 4)
4.3. Process and Mechanisms (p. 4)
4.4. Authentication Mechanisms (p. 4)
4.5. Remote Access (p. 5)
4.6. Repeated Access (p. 5)
4.7. Re-authentication Access (p. 5)
4.8. Cardholder Data Environment (CDE) (p. 5)
5. Definitions and Terms (p. 6)
6. Revision History (p. 6)


1. Overview

This Access Control Policy ensures secure online payment processing by managing access privileges,
safeguarding sensitive financial data and preventing unauthorized entry into our payment gateways.
It defines access levels, authentication methods and authorization protocols to maintain trust among
customers, partners and stakeholders. Emphasizing compliance, best practices and continual
security improvement, this policy guides administrators, employees and third-party entities in
using our payment gateway securely.

2. Purpose

The purpose of this Access Control Policy is to ensure secure and authorized access to the online
payment system while safeguarding sensitive financial information. It is fundamental to our
commitment to a robust payment infrastructure, showing our dedication to protecting financial
information and ensuring seamless online transactions, thereby reinforcing trust in our services
among users and partners.

3. Scope

This policy covers all aspects related to online payment processing at Flight Expert including devices
(e.g., computers, laptops, mobile devices, servers, and terminals) processing transactions. The policy
further extends to encompass the entire network infrastructure (e.g., routers, switches, firewalls)
supporting our online payment operations. Additionally, it applies to all personnel engaged in online
payment system operations, including employees, contractors, third-party vendors, and authorized
individuals accessing or involved in the system's functions.

4. Access Control Policy

Anti-virus solutions form a critical part of the defence mechanism for the online payment process,
aiming to ensure the security, integrity and confidentiality of sensitive financial information during
transactions.

4.1. Access Controls and Permissions

Detail access controls for sensitive data and system functionalities:

4.1.1. Specify access controls for cardholder data, system configurations, etc. to
restrict access to cardholder data. (7.1)

4.1.2. Outline permissions for viewing, editing, deleting and exporting payment
records by an access control system. (7.2 & 7.3)


4.2. Authorization Levels and Roles

Define distinct user roles and associated permissions:

4.2.1. Define roles such as administrators, financial managers, transaction
processors, etc.

4.2.2. Specify the access privileges and limitations for each role based on job
responsibilities.

4.3. Process and Mechanisms

Define procedures for granting access to the payment gateway system:

4.3.1. Specify the process for assigning access rights based on roles and
responsibilities.

4.3.2. Outline the documentation or approvals required for granting access, which
includes a comprehensive listing of the specific privileges granted and approved
by authorized personnel.

4.3.3. Defined processes and mechanisms for user identification and system access
authentication are comprehensive and well understood.

4.3.4. Throughout the lifecycle of user and administrator accounts, stringent
management practices are enforced to comply with established protocols
for user identification and associated account handling.

4.3.5. Robust authentication measures have been implemented and are actively
managed for users and administrators, meeting high-security standards.

4.3.6. Multi-factor Authentication (MFA) has to be integrated to enhance security
and control access into the Cardholder Data Environment (CDE) within the
payment gateway system.

4.3.7. MFA systems should be configured and monitored to prevent misuse or
unauthorized access attempts, ensuring robust security measures.

4.3.8. Stringent management practices are enforced concerning the usage of
application and system accounts, along with their associated authentication
factors, to mitigate the risks associated with unauthorized access or misuse.

4.4. Authentication Mechanisms

To ensure the security and accountability of access to system components and cardholder data
within the online payment gateway, this policy mandates the assignment of unique User IDs to all
individuals requiring access (8.1.1 through 8.1.8):

4.4.1. Prior to granting access to any system components or sensitive cardholder
data, all users, including employees, administrators and any other
personnel requiring system access, must be assigned a unique User ID.

4.4.2. The creation and assignment of User IDs will be managed through a
controlled and documented process by designated system administrators or
personnel responsible for user access provisioning.


4.4.3. Detail the process for disabling or removing user accounts upon employee
termination or role changes.

4.4.4. A periodic review will be conducted every 90 days to identify and
remove/disable user accounts that have been inactive for that duration.

4.5. Remote Access

To control and monitor vendor access to system components via remote means, to prevent
unauthorized or prolonged access:

4.5.1. Vendor IDs used for remote access will be enabled only during the necessary
timeframes required for system support or maintenance and disabled when
not in use.

4.5.2. All vendor access sessions will be actively monitored during their usage to
ensure compliance with the allocated timeframe and prevent unauthorized
access attempts.

4.6. Repeated Access

To prevent unauthorized access via brute-force attempts and strengthen system security:

4.6.1. Users will be allowed a maximum of six access attempts. Subsequent failed
attempts will result in a temporary lockout of the user ID.

4.6.2. The user ID will remain locked for a minimum duration of 30 minutes or until
an administrator re-enables the account.

4.7. Re-authentication Access

4.7.1. If a session remains idle for more than 15 minutes, users will be required to
re-authenticate to reactivate the terminal or session for continued access.
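Hypothetical enforcement logic for the lockout rule in 4.6 (six failed attempts, 30-minute lock or administrator re-enable) and the idle re-authentication rule in 4.7, written as an added example rather than code from the policy or from Flight Expert; AccessController, AccountState, T0 and at() are assumed names, and all timestamps are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 6             # 4.6.1: lock the user ID at the sixth failure
LOCKOUT = timedelta(minutes=30)     # 4.6.2: minimum lock duration
IDLE_LIMIT = timedelta(minutes=15)  # 4.7.1: idle longer than this forces re-auth
T0 = datetime(2024, 1, 1, 9, 0)     # constructed clock origin used by at()

def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)  # constructed timestamp helper

@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None   # None means not locked
    last_activity: Optional[datetime] = None  # None means no live session

class AccessController:
    def __init__(self) -> None:
        self.accounts: dict[str, AccountState] = {}

    def login(self, user_id: str, credential_ok: bool, now: datetime) -> str:
        st = self.accounts.setdefault(user_id, AccountState())
        if st.locked_until is not None:
            if now < st.locked_until:
                return "locked"  # refused even if the credential is valid
            st.locked_until, st.failed_attempts = None, 0  # lock has expired
        if not credential_ok:
            st.failed_attempts += 1
            if st.failed_attempts >= MAX_FAILED_ATTEMPTS:
                st.locked_until = now + LOCKOUT
                return "locked"
            return "denied"
        st.failed_attempts, st.last_activity = 0, now  # success: new session
        return "ok"

    def admin_unlock(self, user_id: str) -> None:
        # 4.6.2: an administrator may re-enable the ID before the 30 minutes pass.
        st = self.accounts.setdefault(user_id, AccountState())
        st.locked_until, st.failed_attempts = None, 0

    def session_request(self, user_id: str, now: datetime) -> str:
        # 4.7.1: any request after more than 15 idle minutes requires re-auth.
        st = self.accounts.setdefault(user_id, AccountState())
        if st.last_activity is None or now - st.last_activity > IDLE_LIMIT:
            st.last_activity = None  # terminate the stale session
            return "reauth"
        st.last_activity = now
        return "ok"
```

A valid credential presented while the ID is locked is still refused, and the failure counter is reset only when the lock expires, is cleared by an administrator, or a login succeeds.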

4.8. Cardholder Data Environment (CDE)

4.8.1. Mandatory use of unique IDs and additional authentication measures for
users accessing the payment gateway system and the Cardholder Data
Environment (CDE).

4.8.2. Explicit prohibition of group/shared IDs, passwords, or any methods
promoting shared access within the payment gateway system.

4.8.3. Exclusive assignment of authentication mechanisms to individual accounts,
strictly avoiding shared usage among multiple accounts, ensuring individual
accountability and security.

4.8.4. Deployment of defined physical and/or logical controls within the payment
gateway system to guarantee that assigned authentication methods are
used only by the intended accounts, ensuring robust access control.


5. Definitions and Terms

Term Definition

6. Revision History

Version Date Author Change Details
