Information Security Policy

Reference: ISP-PCI-001 Version: 1.0 Effective Date: 15/04/26 Review Date: 15/04/27 Owner: Rhys Young

Contents

  1. Purpose & Scope
  2. Roles & Responsibilities
  3. Cardholder Data & Payment Security
  4. Network & System Security
  5. Access Control
  6. Physical Security
  7. Vulnerability & Patch Management
  8. Monitoring & Logging
  9. Incident Response
  10. Third-Party & Vendor Management
  11. Staff Awareness & Training
  12. Policy Review & Compliance

1. Purpose & Scope

The Deepings Caravan Park Ltd (“the Company”) is committed to protecting the security of all payment card data processed, transmitted, or stored in the course of its business operations. This Information Security Policy has been established in accordance with the Payment Card Industry Data Security Standard (PCI DSS) and applies to all systems, processes, staff, contractors, and third parties that interact with cardholder data or the cardholder data environment (CDE).

This policy covers all payment acceptance activities at the site, including but not limited to:

  • Reception and office card payments
  • Online booking payments
  • Bar and restaurant transactions
  • Any telephone or mail order payments

All personnel must comply with this policy. Non-compliance may result in disciplinary action, termination of contract, or referral to relevant authorities.

2. Roles & Responsibilities

Senior Management

The Director(s) of The Deepings Caravan Park Ltd are responsible for approving this policy, allocating appropriate resources for its implementation, and ensuring ongoing PCI DSS compliance is maintained across all business operations.

Security Owner / Designated Contact

A named individual (the “Security Owner”) is responsible for day-to-day oversight of information security practices, coordinating with payment service providers, and managing the annual PCI DSS self-assessment questionnaire (SAQ) process.

All Staff

Every employee and contractor is responsible for:

  • Adhering to this policy and all associated procedures
  • Completing mandatory security awareness training
  • Reporting any suspected security incidents or policy breaches promptly
  • Never disclosing passwords, access credentials, or cardholder data to unauthorised persons

3. Cardholder Data & Payment Security

The Company will take all reasonable steps to minimise the storage of cardholder data. Where possible, payment processing is handled entirely by PCI DSS-compliant third-party payment service providers (PSPs) so that sensitive card data does not enter Company systems.

  • Full card numbers (PANs) must never be stored in any electronic or paper format beyond the immediate point of processing
  • CVV/CVC codes must never be stored under any circumstances
  • PIN data must never be stored
  • Any paper records containing partial card data must be stored securely and destroyed by cross-cut shredding when no longer required
  • All online payments are processed via a PCI DSS-compliant hosted payment page — card data does not pass through the Company’s own web server

4. Network & System Security

The Company will maintain a secure network environment to protect all systems that interact with the cardholder data environment.

  • A firewall is installed and maintained on all network entry and exit points
  • Default vendor passwords and security settings are changed on all hardware and software before use
  • Guest Wi-Fi networks are segregated from any internal business networks
  • Payment terminals are connected to a dedicated, isolated network segment wherever practicable
  • Unused network ports and services are disabled
  • All data transmitted over open/public networks is encrypted using strong cryptographic protocols (TLS 1.2 or higher)
  • Anti-virus and anti-malware software is installed on all applicable systems and kept up to date

5. Access Control

Access to systems and data within the cardholder data environment is restricted on a strict need-to-know basis.

  • Each user is assigned a unique user ID — shared logins are not permitted
  • Strong passwords are required: minimum 8 characters, including a mix of letters, numbers, and symbols; changed at least every 90 days
  • Access rights are reviewed at least annually and promptly revoked upon staff departure or role change
  • Administrative access to systems is limited to authorised personnel only
  • Remote access, where permitted, must be via a secure VPN connection with multi-factor authentication (MFA)
  • All user access to sensitive systems is logged

6. Physical Security

Physical access to any equipment or media containing cardholder data is controlled and monitored.

  • Payment terminals are secured and not left unattended in accessible public areas
  • Payment terminals are inspected regularly for signs of tampering, skimming devices, or unauthorised modification
  • The serial numbers of all payment terminals are recorded and verified against the device regularly
  • Visitors to restricted areas (e.g. server rooms, office) are logged and escorted
  • Paper records containing any cardholder information are stored in locked filing cabinets and disposed of securely
  • CCTV is in operation in areas where payments are processed, in accordance with the Company’s GDPR obligations

7. Vulnerability & Patch Management

The Company will maintain the security of all systems through proactive vulnerability management.

  • Operating system and software patches are applied in a timely manner — critical patches within 30 days of release
  • Anti-virus definitions are updated automatically
  • New systems are assessed for security vulnerabilities before deployment
  • Only approved, licensed software is installed on business systems
  • Where required by the Company’s acquirer or PSP, quarterly external vulnerability scans are conducted by an Approved Scanning Vendor (ASV)

8. Monitoring & Logging

All access to systems within the cardholder data environment is monitored and recorded to enable detection of and response to security events.

  • Audit logs are enabled on all systems within scope of PCI DSS
  • Logs capture: user identification, type of event, date and time, success or failure, and the system component involved
  • Logs are retained for a minimum of 12 months, with at least the most recent 3 months available for immediate analysis
  • Logs are reviewed regularly for anomalies or suspicious activity
  • System clocks on all relevant devices are synchronised to a reliable time source

9. Incident Response

The Company has an incident response plan to manage and contain any suspected or confirmed information security breach involving cardholder data.

In the event of a suspected breach, staff must immediately:

  1. Report the incident to the Security Owner and/or Director without delay
  2. Preserve all evidence — do not delete logs or alter systems
  3. Isolate any affected system if instructed to do so
  4. Not discuss the incident externally without authorisation

Management will:

  • Notify the Company’s acquiring bank and payment service provider as required
  • Engage forensic support if necessary
  • Notify the ICO within 72 hours if personal data is involved (GDPR obligation)
  • Document the incident, response actions, and lessons learned

10. Third-Party & Vendor Management

Any third party that has access to the Company’s cardholder data environment, or that provides services relevant to payment card processing, must meet appropriate security standards.

  • A list of all service providers with access to cardholder data is maintained and reviewed annually
  • Contracts with relevant third parties include security obligations and the right to audit
  • Third-party PCI DSS compliance status is confirmed at least annually (e.g. by obtaining their Attestation of Compliance)
  • Third parties are provided only the minimum level of access necessary to perform their function
  • Access for third parties is immediately revoked when the relationship ends

11. Staff Awareness & Training

All staff who handle payment card data or have access to systems in scope of PCI DSS must receive appropriate security awareness training.

  • Security awareness training is provided to all relevant staff at induction and at least annually thereafter
  • Training covers: identifying social engineering and phishing attacks, safe handling of cardholder data, password security, physical security awareness, and how to report incidents
  • Staff are made aware of this policy and required to acknowledge it in writing
  • Records of training completion are maintained

12. Policy Review & Compliance

This policy will be reviewed at least annually and following any significant change to the business, technology, or threat environment that may affect the cardholder data environment.

  • Compliance with this policy is assessed as part of the annual PCI DSS Self-Assessment Questionnaire (SAQ) process
  • Any identified non-compliance is documented and remediated promptly
  • This policy is communicated to all relevant staff and made available on the Company website
  • Questions or concerns regarding this policy should be directed to the Security Owner

Breaches of this policy may constitute a disciplinary offence and, where applicable, may be referred to law enforcement authorities or regulatory bodies.