Security Capabilities & Policy
Effective Date: October 23rd, 2024
1. Purpose
The purpose of this document is to outline the security measures and policies for the transmission of payment card details within the Dash Me app, leveraging the First Atlantic Commerce (FAC) payment gateway. This ensures compliance with the Payment Card Industry Data Security Standard (PCI DSS) and protects sensitive cardholder data from unauthorized access and breaches.
2. Scope
This policy applies to all employees, contractors, and third-party partners who handle, transmit, or manage payment card data through the Dash Me app. It covers all stages of payment processing, from data entry to transmission and storage.
3. Definitions
Payment Card Data (PCD): Information such as credit card number, expiration date, CVV, and cardholder name.
PCI DSS: Payment Card Industry Data Security Standard, a set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
First Atlantic Commerce (FAC): A payment gateway integrated into Dash Me for processing payment transactions securely.
4. Security Capabilities
4.1 Data Encryption
End-to-End Encryption: All payment card data entered by users is encrypted at the point of entry and remains encrypted during transmission to FAC using industry-standard algorithms (e.g., AES-256).
Transport Layer Security (TLS): Secure communication channels are established using TLS 1.2 or higher, ensuring data integrity and confidentiality during transmission between the Dash Me app and FAC servers.
4.2 Tokenization
Payment Tokenization: FAC provides a tokenization service that replaces sensitive card data with a unique token, which is used for payment processing and stored in place of actual card details. This reduces the risk of data exposure.
4.3 Access Control
Role-Based Access Control (RBAC): Access to payment card data is restricted based on the user’s role within Dash Me. Only authorized personnel involved in payment processing and support have access to this data.
Authentication and Authorization: Strong multi-factor authentication is required for all users accessing the payment processing system.
4.4 Monitoring and Logging
Real-Time Monitoring: Continuous monitoring of payment transactions for suspicious activities and anomalies.
Comprehensive Logging: Detailed logs of access and transaction activities are maintained to facilitate audits and investigations.
4.5 Vulnerability Management
Regular Security Audits: Periodic vulnerability assessments and penetration testing are conducted to identify and mitigate security risks.
Patch Management: Timely updates and patches are applied to all systems involved in payment processing to protect against known vulnerabilities.
5. Policy Statements
5.1 Data Protection
Encryption at Rest and In Transit: All payment card data must be encrypted at rest and during transmission to ensure confidentiality.
Data Minimization: Only the minimum necessary payment card data required for processing transactions is collected and stored.
5.2 Compliance with Standards
PCI DSS Compliance: Dash Me commits to adhering to all relevant PCI DSS requirements to protect cardholder data.
FAC Compliance: Integration with FAC ensures that all transactions comply with FAC’s security standards and policies.
5.3 Incident Response
Incident Reporting: All suspected security incidents involving payment card data must be reported immediately to the Security Officer.
Response and Mitigation: A defined incident response plan will be activated to investigate and mitigate any data breaches, including notifying affected customers and relevant authorities as required by law.
5.4 Employee Training and Awareness
Security Training: All employees handling payment card data must undergo regular security training, including understanding the importance of data protection and incident reporting.
Awareness Programs: Continuous awareness programs will be conducted to keep employees informed of the latest security threats and best practices.
5.5 Third-Party Agreements
Third-Party Compliance: All third-party service providers, including FAC, must comply with Dash Me’s security policies and undergo regular security assessments to ensure their compliance with PCI DSS.
Data Sharing Agreements: Agreements with third parties must specify security requirements and responsibilities for protecting payment card data.
6. Responsibilities
Chief Information Security Officer (CISO): Responsible for overseeing the implementation and enforcement of this policy.
IT Security Team: Responsible for maintaining secure systems, monitoring for threats, and responding to incidents.
Payment Processing Team: Ensures that all payment processing activities comply with this policy and PCI DSS requirements.
7. Review and Revision
This policy will be reviewed annually or whenever there are significant changes to the payment processing environment or relevant regulations. All revisions will be documented, and updates will be communicated to all stakeholders.
8. Contact Information
For any questions or concerns regarding this security policy, please contact Dash Me Customer Support:
Email: dashmebvi@gmail.com
Phone: 1 (284) 342-0917
Address: The Valley, Virgin Gorda, British Virgin Islands