2. Access Control Policy (ACP)

Information Systems Access Policy

I. PURPOSE

The purpose of this policy is to maintain an adequate level of security to protect neaPay data and information systems from unauthorized access. This policy defines the rules necessary to achieve this protection and to ensure the secure and reliable operation of neaPay information systems.

II. POLICY

Only authorized users are granted access to information systems, and users are limited to specifically defined, documented and approved applications and levels of access rights. Computer and communication system access control is to be achieved via user IDs that are unique to each individual user, to provide individual accountability.

Who is Affected: This policy affects all employees of neaPay and its subsidiaries, and all contractors, consultants, temporary employees and business partners. Employees who deliberately violate this policy will be subject to disciplinary action up to and including termination.

Affected Systems: This policy applies to all computer and communication systems owned or operated by neaPay and its subsidiaries. Similarly, this policy applies to all platforms (operating systems) and all application systems.

Entity Authentication: Any user (remote or internal) accessing neaPay networks and systems must be authenticated. The level of authentication must be appropriate to the data classification and transport medium. Entity authentication includes, but is not limited to:

- Automatic logoff, and
- A unique user identifier, and
- At least one of the following:
  - Biometric identification
  - Password
  - Personal identification number
  - A telephone callback procedure
  - Token

Workstation Access Control System: All workstations used for neaPay business activity, no matter where they are located, must use an access control system approved by neaPay. In most cases this will involve password-enabled screen savers with a time-out-after-no-activity feature and a power-on password for the CPU and BIOS. Where appropriate, active workstations are not to be left unattended for prolonged periods of time. When a user leaves a workstation, that user is expected to properly log out of all applications and networks. Users will be held responsible for all actions taken under their sign-on. Where appropriate, inactive workstations will be reset after a period of inactivity (typically 30 minutes). Users will then be required to log on again to continue usage. This minimizes the opportunity for unauthorized users to assume the privileges of the intended user during the authorized user's absence.

Disclosure Notice: A notice warning that only those with proper authority should access the system will be displayed before sign-on. The warning message will make clear that the system is a private network or application and that unauthorized users should disconnect or log off immediately.

System Access Controls: Access controls will be applied to all computer-resident information based on its Data Classification, to ensure that it is not improperly disclosed, modified, deleted, or rendered unavailable.

Access Approval: System access will not be granted to any user without appropriate approval. Management is to immediately notify the Security Administrator and report all significant changes in end-user duties or employment status. User access is to be immediately revoked if the individual has been terminated. In addition, user privileges are to be appropriately changed if the user is transferred to a different job.

Limiting User Access: neaPay-approved access controls, such as user logon scripts, menus, session managers and other access controls, will be used to limit user access to only those network applications and functions for which they have been authorized.

Need-to-Know: Users will be granted access to information on a need-to-know basis. That is, users will only receive access to the minimum applications and privileges required to perform their jobs.

Compliance Statements: Users who access neaPay's information systems must sign a compliance statement prior to issuance of a user-ID. A signature on this compliance statement indicates that the user understands and agrees to abide by neaPay's policies and procedures related to computers and information systems. Annual confirmations will be required of all system users.

Audit Trails and Logging: Logging and audit trails are based on the Data Classification of the systems.

Confidential Systems: Access to confidential systems will be logged and audited in a manner that allows the following information to be deduced:

- Access time
- User account
- Method of access
- All privileged commands must be traceable to specific user accounts

In addition, logs of all inbound access into neaPay's internal network by systems outside of its defined network perimeter must be maintained. Audit trails for confidential systems should be backed up and stored in accordance with neaPay back-up and disaster recovery plans.

All system and application logs must be maintained in a form that cannot readily be viewed by unauthorized persons. All logs must be audited on a periodic basis. Audit results should be included in periodic management reports.

Access for Non-Employees: Individuals who are not employees, contractors, consultants, or business partners must not be granted a user-ID or otherwise be given privileges to use neaPay computers or information systems unless the written approval of the Department Head has first been obtained. Before any third party or business partner is given access to neaPay computers or information systems, a chain of trust agreement defining the terms and conditions of such access must have been signed by a responsible manager at the third-party organization.

Unauthorized Access: Employees are prohibited from gaining unauthorized access to any other information systems or in any way damaging, altering, or disrupting the operations of these systems. System privileges allowing the modification of production data must be restricted to production applications.

Remote Access: Remote access must conform at least minimally to all statutory requirements including but not limited to HCFA, HRS-323C, and HIPAA.

Password Policy

I. PURPOSE

The purpose of this policy is to ensure that only authorized users gain access to neaPay's information systems.

II. POLICY

To gain access to neaPay information systems, authorized users must supply individual user passwords as a means of authentication. These passwords must conform to the rules contained in this document.

Who is Affected: This policy affects all employees of neaPay and its subsidiaries, and all contractors, consultants, temporary employees and business partners. Employees who deliberately violate this policy will be subject to disciplinary action up to and including termination.

Affected Systems: This policy applies to all computer and communication systems owned or operated by neaPay and its subsidiaries. Similarly, this policy applies to all platforms (operating systems) and all application systems.

User Authentication: All systems will require a valid user ID and password. All unnecessary operating system or application user IDs not assigned to an individual user will be deleted or disabled.

Password Storage: Passwords will not be stored in readable form without access control, or in other locations where unauthorized persons might discover them. All such passwords are to be strictly controlled using either physical security or computer security controls.

Application Passwords Required: All programs, including third-party purchased software and applications developed internally by neaPay, must be password protected.

Choosing Passwords: All user-chosen passwords must contain at least one alphabetic and one non-alphabetic character. The use of control characters and other non-printing characters is prohibited. All users must be automatically forced to change their passwords at intervals appropriate to the classification level of the information. To obtain a new password, a user must present suitable identification.

Changing Passwords: All passwords must be promptly changed if they are suspected of having been disclosed, or are known to have been disclosed, to unauthorized parties. All users must be forced to change their passwords at least once every sixty (60) days.

Password Constraints: The display and printing of passwords should be masked, suppressed, or otherwise obscured so that unauthorized parties will not be able to observe or subsequently recover them. After three unsuccessful attempts to enter a password, the involved user-ID must be either: (a) suspended until reset by a system administrator, (b) temporarily disabled for no less than three minutes, or (c) if dial-up or other external network connections are involved, disconnected.
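The complexity, 60-day expiry and three-strike lockout rules above, expressed as enforceable checks. This is an added example, not neaPay's own code; the function and class names are assumptions, and the lockout implements constraint option (b).

```python
"""Checks for the password policy clauses above (added example, not neaPay code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MAX_PASSWORD_AGE = timedelta(days=60)   # "at least once every sixty (60) days"
MAX_FAILED_ATTEMPTS = 3                 # "after three unsuccessful attempts"
MIN_LOCKOUT = timedelta(minutes=3)      # option (b): disabled for no less than three minutes


def complexity_violations(password: str) -> List[str]:
    """Return the Choosing Passwords rules a password breaks (empty list = compliant)."""
    problems = []
    if not any(c.isalpha() for c in password):
        problems.append("needs at least one alphabetic character")
    if not any(not c.isalpha() for c in password):
        problems.append("needs at least one non-alphabetic character")
    # Control characters and other non-printing characters are prohibited outright.
    if any(not c.isprintable() for c in password):
        problems.append("contains control or non-printing characters")
    return problems


def password_expired(last_changed: datetime, now: datetime) -> bool:
    """True once a password is older than the 60-day forced-change limit."""
    return now - last_changed > MAX_PASSWORD_AGE


@dataclass
class LockoutState:
    """Per-user-ID failed-attempt counter (hypothetical name) for constraint option (b)."""
    failures: int = 0
    locked_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now: datetime) -> bool:
        """Count a bad password; return True if the user-ID is (now) locked out."""
        if self.is_locked(now):
            return True  # attempts inside the lockout window do not reset the timer
        self.failures += 1
        if self.failures >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + MIN_LOCKOUT
            self.failures = 0
            return True
        return False

    def record_success(self) -> None:
        """A successful logon clears the failed-attempt counter."""
        self.failures = 0
```

Option (a) would replace the timed `locked_until` with a flag that only an administrator reset clears.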
