Horatio-Betterment Associates are responsible for adhering to a set of policies and procedures that protect credit, debit, and cash card transactions and prevent the misuse of cardholders' personal information. These guidelines are set out in the comprehensive Standard Operating Procedure below:
Standard Operating Procedure for Compliance and Security
1. Purpose:
This document outlines the standard procedures to ensure compliance and security within the company, focusing on digital systems/software security, physical security, compliance training, permitted items, handling lost/missing IDs, and entry/exit protocols.
2. Scope:
This SOP applies to all employees, contractors, and visitors accessing the company's facilities and digital systems within the CW3 space.
3. Digital Systems/Software Security:
Access Control:
Use strong and unique passwords.
Enable two-factor authentication (2FA) where applicable.
Do not share passwords.
Data Protection:
Regularly update software to patch vulnerabilities.
Monitoring:
Implement audit logs and regular security monitoring to detect unauthorized access.
Incident Response:
Immediately report security breaches to the IT department.
Maintain control over and care of physical equipment (laptop, mouse, established headphones, YubiKeys, secondary monitors).
4. Physical Security:
Access Control:
Secure entry points with access cards or biometric systems.
Surveillance:
Use CCTV in sensitive areas.
Visitor Management:
Register visitors, issue temporary IDs, and escort them in restricted areas.
5. Compliance Training:
Mandatory Training:
All personnel must complete compliance and security training upon hiring and periodically as assigned.
Content:
Training includes data protection laws, company policies, and security best practices.
Records:
Maintain training records for audit purposes.
6. Permitted Items:
Permitted:
Coats, blankets, hoodies (these must be inspected in their compartments).
Sealed water or coffee thermoses, identified with the bearer's name (the company will provide these items).
Prohibited:
Electronic devices
Weapons
Any item that could compromise security
USB devices
Any type of paper that can be used for writing.
Writing utensils (pens, pencils, markers)
Personalized thermoses and thermoses with stickers are prohibited.
7. Procedure for Lost/Missing IDs:
Immediate Action:
Immediately report the loss of IDs to security.
Temporary ID:
Issue a temporary ID after verifying the employee's identity.
Position Confirmation:
Confirm with the area manager (if unavailable, contact the area supervisor).
8. Entry/Exit Protocols:
Employee Entry/Exit:
Use identification credentials to access and exit the facilities; do not enter by following other employees without identification.
The Security Officer will thoroughly inspect the members of the designated space.
A visible box will be available in which each employee entering the area must place all contents from the compartments of their clothing, to ensure that no prohibited items enter the space.
If a prohibited item is found, the employee with access to the area must store all personal materials inside the lockers assigned in the space outside the production area.
In case of resistance and/or refusal to follow the established procedures, the employee will not be allowed entry to the work area, and security must inform project leaders to make them aware of the situation.
Visitor Entry:
Register at reception, sign the visitor log, and wear a visible visitor badge.
Return temporary IDs upon departure; employees must report any suspicious activity.
Confirm whether the person has a specific role to fulfill in that area apart from the operations employees. Support departments (Technology, Cleaning, Security, etc.) must state the reason for their visit and its estimated duration.
9. Review and Updates:
This document will be reviewed periodically or after significant security incidents to ensure its effectiveness and compliance with current regulations.
Updates will be made as needed based on performance trends and feedback.