Information Security Policy

At TSUNAMI.STORE, safeguarding information is an important part of maintaining trust with our customers and partners. Our Information Security Policy outlines the principles and practices we follow to help protect sensitive data, maintain system integrity, and support secure operations across our website and related services.

Explore the Wave

1. Introduction

This Policy governs all aspects of information security for Tsunami and applies to employees, contractors, and vendors. Personnel must read the entire document and sign the acknowledgement form (Appendix A). Management reviews and updates the Policy at least annually or sooner if new security standards arise.

2. Information Security Policy

Tsunami processes sensitive information daily. Adequate safeguards protect account data—including cardholder data and customer privacy—to ensure regulatory compliance and safeguard the organisation’s future. Employees handling sensitive data shall:

  • Handle information according to its classification.
  • Limit personal use of company systems and avoid interference with job performance.
  • Acknowledge that Tsunami may monitor, access, review, audit, copy, store, or delete any electronic communications, equipment, systems, and network traffic.
  • Refrain from using company resources for offensive, discriminatory, defamatory, harassing, or illegal activities.
  • Protect sensitive account data, including cardholder information.
  • Keep passwords and accounts secure.
  • Obtain management approval before installing software, hardware, or establishing third-party connections.
  • Keep desks clear of sensitive data and lock computer screens when unattended.
  • Report information-security incidents immediately to the designated incident-response contact.
  • Complete annual security-awareness training.

3. Network Security

  • A high-level network diagram of the cardholder-data environment (CDE) is maintained and reviewed annually.
  • Approved Scanning Vendor (ASV) scans are performed quarterly (every 90–92 days) and evidence retained for 18 months.
  • For e-commerce, scans include any redirect/iFrame servers in scope.

4. Acceptable Use Policy

  • Employees must exercise good judgment regarding personal use of company assets.
  • Prevent unauthorised access to confidential information, including cardholder data.
  • Keep passwords secure and never share accounts.
  • All workstations require password-protected screen-savers.
  • Device inventory (Appendix B) is maintained and inspected for tampering or substitution.
  • Exercise caution with email attachments and links from unknown senders.

5. Protect Stored Data

  • Tsunami does not store electronic PAN or sensitive authentication data.
  • Any hard-copy card data is secured and destroyed when no longer needed.
  • If PAN must be displayed, mask to the first six and last four digits.
  • Never store magnetic-stripe data, CVV2/CVC2/CID, or PIN/PIN block data.

6. Information Classification

ClassificationExamplesHandling RequirementsConfidentialLegal/financial records, cardholder dataEncryption in transit and at rest; restricted accessInternal UseProprietary but non-confidential materialsInternal distribution onlyPublicMarketing content, published FAQsMay be freely distributed

 

7. Access to Sensitive Cardholder Data

  • Access is limited to individuals with a legitimate business need.
  • Display of PAN is limited to the first six and last four digits.
  • A list of approved third-party service providers (TPSPs) is maintained (Appendix C).
  • Due-diligence processes verify each TPSP’s PCI DSS compliance.

8. Physical Security

  • Media containing sensitive data is stored in physically restricted areas.
  • Visitors are escorted in secure areas at all times.
  • POS/POI devices are listed (make, model, location, serial #) and inspected for tampering.

9. Protect Data in Transit

  • Cardholder data is never sent via clear-text email, chat, or other insecure channels.
  • Strong encryption (TLS 1.2+, AES, PGP) is required for authorised transmissions.
  • Physical transport of sensitive media must be logged and handled via secure courier.

10. Disposal of Stored Data

  • Data is securely destroyed when no longer required.
  • Electronic media is degaussed or securely wiped.
  • Paper is cross-cut shredded.

11. Security Awareness and Procedures

  • Policy is distributed to all personnel; signed acknowledgements are retained.
  • Background checks are performed within legal limits.
  • Third parties accessing card data must contractually comply with PCI DSS.
  • Policies are reviewed at least annually.

12. Credit Card (PCI) Security Incident Response Plan

  • The PCI Response Team includes the CIO, Information Security Officer, Risk Manager, and other key roles.
  • Incidents are reported immediately, investigated promptly, and escalated per card-brand rules.
  • Visa, Mastercard, Discover, and American Express notification procedures are maintained.

13. Transfer of Sensitive Information Policy

  • Third-party companies must have SLAs and comply with Tsunami security requirements and PCI DSS.

14. User Access Management

  • Formal user-registration process; unique IDs issued.
  • Least-privilege principle enforced.
  • Accounts disabled immediately upon termination or role change.

15. Access Control Policy

Complex passwords (minimum 8 characters, changed every 90 days).

  • Privileged access requires dual authorization.
  • Remote access follows the approved Remote Access Policy and uses MFA.

 

Appendices:

Appendix A – Agreement to Comply Form

(Employee acknowledgement form – to be completed and retained.)

Appendix B – List of Devices

(Inventory to be populated and reviewed quarterly.)

Appendix C – List of Third-Party Service Providers

Service ProviderContact DetailsServices ProvidedPCI DSS CompliantAuthorize.nethttps://www.authorize.net/support.htmlPayment gateway & merchant processingYes (Level 1)Argyle Paymentshttps://argylepayments.com/contact/Payment gateway & merchant processingYesMX™ Merchanthttps://mxmerchant.com/Payment gateway & merchant processing

 

Appendix D – Stand-Alone & P2PE POI Management Policy
  • Maintain current inventory of all POI devices.
  • Secure devices with tamper-evident seals or locked enclosures.
  • Inspect devices at least quarterly; log findings.
  • Change default passwords and restrict admin access; apply firmware patches promptly.
  • Restrict physical/logical access to authorised personnel and enforce MFA where possible.
Appendix E – eCommerce Configuration & Hardening Policy
  • Remove unnecessary services and default accounts.
  • Enforce TLS 1.2+ for all public-facing services.
  • Apply OS and application patches within 30 days.
  • Implement file-integrity monitoring, anti-malware, and endpoint-detection tools.
  • Limit root/administrator access; enforce MFA; maintain audit logs.
  • Perform quarterly vulnerability scans and after significant changes; remediate critical findings within 30 days.
  • Maintain daily off-site backups; test restores annually.
  • Enable real-time alerting via WAF and IDS; follow the Incident Response Plan for any detected compromise.

For questions regarding this Information Security Policy, please contact the Security Officer via https://tsunami.store/contact-us/