The company sets forth the relevant Information Security Policy based on PCI DSS V3.2 and ISO 27001. When setting up or carrying out policy specified tasks, the relevant personnel are required to observe the stipulations of (but not limited to) the PCI DSS, “Personal Data Protection Act”, Company Operation Act and the contracts set forth with the customers.

Data Security Policy:

  1. The company sets up an “Information Security Management Committee” for integrating the planning of the Information Security Management System, and appoints members for the “Information Security Work Team” for system implementation. In the event of a special or critical incident, the “Information Security Management Committee” will convene an irregular discussion meeting with the relevant personnel.
    • To ensure security of the company’s host system and networking equipment and network communication to effectively reduce the risks of pilferage, improper use, revelation, tampering or damage of information assets resulting from human error, deliberate sabotage or natural calamities; also to set forth the Information Security Management Specifications.
      • To ensure confidentiality, integrity and availability of card holders’ data.
        • Confidentiality: To ensure that the information is accessible to card holders.
        • Integrity: To ensure that card holders’ data are correct and untampered.
        • Availability: To ensure that the necessary information can be obtained by the card holder.
      • To define the operating regulations and relevant planning of responsibilities for reducing impacts of attacks resulting from technical weak points of the system host.
        • To instruct the staff to implement Information Security Management tasks: annually conduct proper Information Security training; to establish the concept of “everyone is responsible for maintaining Information Security” so that the staff are well aware of the significance of Information Security, thereby elevating their Information Security mindsets as well as improving their contingence response capabilities and lowering the Information Security risks to achieve the goal of sustained operation.
          • To ensure data security, and plan data backup and remote backup tasks to prevent any damage caused by data corruption.
            • To establish control measures for password and key management, thereby preventing improper access and unsecured use for ensuring safe and integral data encryption.
              • To segregate the test environment from the operation environments for lowering risks of unauthorized access or tampering of the operation system; to monitor and allocate resource uses and technical weak points of the system, for adopting proper improvement measures as well as establishing detection and restoration measures against malicious software/programs.
                • To establish the Information Assets Risk Assessment Standard for identifying risks caused by weak points and threats in Information Assets, and to take countermeasures or control methods based on assessment results to minimize risks that may damage Information Assets.
                  • To establish the list of information assets, ensuring that they comply with the requirements of relevant statutes and can be prevented from sustaining to deliberate or incidental threats, either internal or external, for protecting the benefits of stakeholders in relation with the company.
                    • To carry out annual audit measures to ensure the respective control objectives, control measures, operation processes and relevant procedures of ISMS are all in compliance with the specifications.