Reversec Finland PCI services Privacy Policy
In brief
This privacy policy sets out the data processing related to Reversec regarding Payment Card Industry (hereon PCI) criteria. These services include Data Security Standard (DSS) and 3 Domain Security (3DS) assessments.
The core privacy aspects of these services are:
- PCI DSS and 3DS security standards require the assessing organization (Reversec) to collect and store assessment-related evidence data for three (3) years.
- This evidence data is collected from the organization being assessed (the customer), and might include personally identifiable information.
- Evidence data of the assessment is stored for the needs of the PCI Security Standards Council quality assurance program and is used to verify Reversec’s judgement of the performed assessment, if requested by the council.
- Evidence data is not shared with any other parties except the PCI Security Standards Council or their appointed auditors.
In full
This service-specific policy focuses on the items we believe are the most relevant for you. Such items are in particular:
- The type of personal and private data that the service collects
- What we use it for
- Our justification
- Typical disclosures
- For how long we store it
More information on such topics as well as on other aspects (data subject rights, contact information, etc.) of the processing of your personal data is also available via the embedded links to our General privacy policy.
What do we collect and what do we do with it?
Collected evidence from the organization being assessed
During the PCI DSS or 3DS assessment, we collect evidence from the assessed organization’s information systems and related devices. We also conduct documented interviews with the customer’s personnel. This data is used to show that the organization being assessed has built its security controls to match the requirements of PCI DSS and/or 3DS, and that it is capable of performing the security management processes and procedures required of it:
- Screen captures of management systems
- Security log exports
- Configuration exports from the security infrastructure devices
- Internal documentation of the customer organization
Certain PCI DSS/3DS security controls require personally identifiable evidence items to be collected (for example, to ensure fulfillment of audit trail requirements); other evidence items might include unintentional personally identifiable information (such as identifiable names in device configuration exports).
- Third-party service providers’ employee data: In case the organization being assessed uses third-party services to support, develop, or maintain parts (or all) of their PCI DSS/3DS-related information systems or related processes, evidence collection might include collecting personally identifiable information of third-party personnel.
Legal grounds
The PCI DSS and 3DS security standards require the assessing organization (Reversec) to collect and store assessment-related evidence data for three (3) years. Therefore Reversec has a legitimate interest in collecting the evidence data, as it is necessary in order for Reversec to provide customers with PCI DSS/3DS-related services.
Evidence data that Reversec receives during the PCI DSS/3DS assessments is stored as defined in this privacy policy. Reversec acts as a controller of the data.
During assessments, only the necessary amount of personal data is collected in order to fulfill the assessment requirements set by the PCI Security Standards Council.
Transfers and disclosures
Evidence data is stored for the needs of the PCI Security Standards Council quality assurance program and could be used to verify Reversec’s judgement of the performed assessment.
Evidence data is not shared with any external parties, except upon written request to the PCI Security Standards Council or their appointed forensics investigators.
Reversec further employs its own affiliates and subcontractors so that we can provide our services globally.
More information on transfers and disclosures is available in the General privacy policy.
Retention
The PCI DSS and 3DS security standards require the assessing organization (Reversec) to collect and store assessment-related evidence data for three (3) years.
Reversec securely destroys the evidence data after this defined retention period has expired.
Please read our General privacy policy for possible exceptions or typical reasons why we may need to deviate from the primary retention rules set out above.
Security
PCI DSS/3DS assessment-related evidence data is stored in a secure document management system, managed by Reversec and protected by access controls, firewalls, and other protective measures.
We apply strict security measures to protect the confidentiality, integrity, and availability of your personal data when transferring, storing, or processing it.
We use physical, administrative, and technical security measures to reduce the risk of loss, misuse, or unauthorized access, disclosure, or modification of your personal data.
All personal data is stored on secure servers operated by Reversec or our partners with access limited to authorized personnel only.
Your rights
Please read our General privacy policy for information on your statutory rights and how to contact us.
General
Please note that this privacy policy will regularly be updated to reflect any changes in the way we handle your personal data or any changes in applicable laws.
This version of the policy clarifies, updates, and replaces the previous version. To continue keeping this document up to date, we will make changes and additions to this from time to time.
For information on definitions and change management please read our General privacy policy.