Cornerstone Farm South – Information Security Policy
1761 Rock Rd, Naples, FL 34120
Website: cornerstonefarmsouth.com
Phone: (239) 595-7618
Women-Owned Equestrian Facility
Contents
- Introduction
- Information Security Policy
- Network Security
- Acceptable Use Policy
- Protect Stored Data
- Information Classification
- Access to Sensitive Cardholder Data
- Physical Security
- Protect Data in Transit
- Disposal of Stored Data
- Security Awareness and Procedures
- Credit Card (PCI) Security Incident Response Plan
- Transfer of Sensitive Information Policy
- User Access Management
- Access Control Policy
- Appendix A – Employee Agreement to Comply
- Appendix B – List of Devices
- Appendix C – List of Third-Party Service Providers
- Appendix D – Standalone and P2PE POI Management Policy
- Appendix E – eCommerce Configuration and Hardening Policy
1. Introduction
This Information Security Policy outlines Cornerstone Farm South’s commitment to protecting all sensitive company and customer information, including payment card data processed through our Authorize.net gateway and related systems.
All employees, contractors, and authorized users must review this document in full and sign the acknowledgment in Appendix A. This policy is reviewed annually by management or upon any significant system or process change to ensure continued compliance with PCI DSS and industry best practices.
2. Information Security Policy
Cornerstone Farm South handles sensitive customer and payment data. Protecting this data is essential to maintain the trust of our riders, clients, and community.
Cornerstone Farm South commits to:
- Maintaining a secure environment for all payment and customer data.
- Respecting the privacy of our customers and never disclosing personal information to unauthorized parties.
- Ensuring all cardholder and account information is processed through Authorize.net, using secure, PCI-compliant channels.
Employees Handling Sensitive Information Must:
- Handle data in accordance with its sensitivity and classification.
- Keep all passwords and accounts secure.
- Never share sensitive data over unapproved communication channels (email, text, chat, etc.).
- Lock computers when unattended.
- Report any suspected data breach or unusual activity immediately.
3. Network Security
Cornerstone Farm South maintains a simplified, secure network structure. Payment information is handled exclusively through Authorize.net and SecureTrust PCI-compliant systems.
- Quarterly scans are conducted by SecureTrust (PCI SSC-approved scanning vendor).
- Evidence of scans is maintained for 18 months.
- Wi-Fi access is protected with WPA2 or higher encryption and strong passwords.
- POS and card terminals are physically secured at all times.
4. Acceptable Use Policy
Employees are expected to act responsibly when using company systems and data.
- Use Cornerstone devices and systems only for authorized purposes.
- Keep passwords private and strong.
- Never install unauthorized software or connect unapproved devices.
- Do not use company systems to engage in illegal, harassing, or inappropriate activities.
- Immediately report any suspicious activity, phishing attempts, or tampering with POS devices.
5. Protect Stored Data
Cornerstone Farm South does not store full payment card numbers (PAN), CVV2, or track data in any form — electronic or paper.
- Payment details are processed directly through Authorize.net’s secure payment gateway.
- Any printed receipts containing partial card numbers are securely stored and shredded when no longer required.
- PANs are masked to show only the first six and last four digits if ever displayed.
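Two checks that support the two preceding bullets, written here as an added Python example that is not part of the policy: a display-masking helper implementing the first-six/last-four rule, and a Luhn-based scan that flags unmasked card numbers in receipt text or exports (the constructed sample uses the industry test number 4111 1111 1111 1111, not a real card).

```python
import re

def luhn_valid(digits: str) -> bool:
    """Return True if a digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Mask a PAN for display: keep the first six and last four digits only."""
    digits = re.sub(r"[ -]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN (13-19 digits expected)")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def find_unmasked_pans(text: str) -> list[str]:
    """Return Luhn-valid, unmasked card numbers found in free text.

    A masked value such as 411111******1111 has no 13-digit run, so it is ignored;
    a hit means full PAN is present where the policy says it must never be stored.
    """
    hits = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append(digits)
    return hits

# Constructed sample receipt log (test number only, no real cardholder data).
SAMPLE_RECEIPT = (
    "Cornerstone Farm South - Lesson package\n"
    "Card: 4111 1111 1111 1111  Auth: 012345\n"   # unmasked: policy violation
    "Card: 411111******1111  Auth: 012346\n"       # masked per policy: acceptable
    "Phone: (239) 595-7618\n"                      # 10 digits, not a PAN
)

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))     # 411111******1111
    print(find_unmasked_pans(SAMPLE_RECEIPT))  # ['4111111111111111']
```

Running the scan over receipt exports or backups before they are retained is a cheap way to verify the "no stored PAN" statement above rather than assume it.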
6. Information Classification
All company information is classified as:
- Confidential: Customer payment data, financials, employee records.
- Internal Use: Operational records, invoices, training materials.
- Public: Marketing materials, social media, public website content.
Confidential data must be securely stored and only accessible to authorized personnel.
7. Access to Sensitive Cardholder Data
- Access to payment data is restricted to designated staff responsible for payment processing.
- All cardholder data is handled through Authorize.net; Cornerstone Farm South systems never store or transmit this data directly.
- Access permissions are reviewed annually.
- Any sharing of sensitive data with service providers (see Appendix C) requires written authorization.
8. Physical Security
- Payment devices and terminals are physically secured and inspected regularly for tampering.
- Visitors must be escorted when in areas where payment data or computer systems are accessible.
- All confidential documents are stored in locked cabinets or password-protected systems.
- Devices used for payment processing are inventoried and logged with model, serial number, and location.
9. Protect Data in Transit
- All sensitive data transmitted electronically is encrypted using industry-standard methods (TLS 1.2 or higher).
- Cardholder data is never sent via email, chat, or text.
- Only authorized SecureTrust and Authorize.net systems are used for electronic payment processing.
10. Disposal of Stored Data
- Any physical media containing sensitive data is shredded or destroyed beyond recovery.
- Electronic data is securely wiped or degaussed when no longer needed.
- Outdated equipment is reset and wiped to factory standards before disposal.
11. Security Awareness and Procedures
All staff receive training annually on:
- Secure handling of customer and payment data.
- Identifying phishing and social engineering attempts.
- Incident response procedures.
- PCI DSS compliance basics and SecureTrust standards.
12. Credit Card (PCI) Security Incident Response Plan
In the event of a suspected data breach or cardholder data compromise:
Steps:
- Immediately isolate affected systems.
- Notify the Information Security Officer (Farm Owner/Manager).
- Document the event and affected systems.
- Contact Authorize.net and SecureTrust support.
- If necessary, notify affected cardholders and relevant authorities.
- Review and update policies to prevent recurrence.
13. Transfer of Sensitive Information Policy
- All third-party providers must comply with PCI DSS.
- Cornerstone Farm South uses Authorize.net as its sole third-party payment processor.
- No cardholder data is ever transferred outside of this system.
- All business partners and vendors must acknowledge their responsibility to maintain data security.
14. User Access Management
- Each user is assigned a unique login for system access.
- Accounts are immediately deactivated upon termination.
- Access is limited to the minimum level necessary for job duties.
- Shared credentials are prohibited.
15. Access Control Policy
- Access to systems and sensitive information is role-based.
- Administrator privileges are restricted to management or IT support.
- Passwords must be at least 8 characters, include upper/lowercase letters, numbers, and symbols, and be changed every 90 days.
- Two-factor authentication is used where available.
Appendix A – Employee Agreement to Comply (Sample)
Employee Name: ___________________________
Department: ___________________________
I acknowledge that I have read, understood, and agree to comply with Cornerstone Farm South’s Information Security Policy. I will protect all sensitive data and report any suspected violations immediately.
Employee Signature: ___________________________
Date: ___________________________
Appendix B – List of Devices
| Device Type | Make/Model | Serial Number | Location | Last Inspected |
|---|---|---|---|---|
| Credit Card Terminal | Authorize.net / EMV Reader | TBD | Main Office | ______ |
| Office Computer | Apple iMac / Windows PC | TBD | Main Office | ______ |
| Backup Laptop | Apple MacBook | TBD | Manager Office | ______ |
Appendix C – List of Third-Party Service Providers
| Provider | Service | Contact |
|---|---|---|
| Authorize.net | Payment Gateway | authorize.net |
| SecureTrust | PCI Scanning / Compliance | securetrust.com |
| Hosting.com | Domain / Email Hosting | hosting.com |
Appendix D – Standalone and P2PE POI Management Policy
- All payment devices are secured and inspected regularly for tampering.
- Device serial numbers are logged and verified monthly.
- Only authorized personnel may connect, move, or replace devices.
- Devices are stored securely when not in use.
Appendix E – eCommerce Configuration and Hardening Policy
- The website uses SSL/TLS certificates, and HTTPS is enforced site-wide.
- All WordPress plugins and themes are kept up to date.
- Administrative access is limited to approved users only.
- Regular vulnerability scans are performed by SecureTrust.
- Backups are encrypted and stored offsite.
- Default passwords are changed immediately upon installation.
Approved By: Leslie Terry
Date: October 14th, 2025
Reviewed Annually by Cornerstone Farm South Management