PointCraft IT Security Policy
Company: PointCraft Inc.
Policy Owner: Security & Engineering Team
Effective Date: 02-20-2025
Version: 3.2
1. Purpose
The purpose of this IT Security Policy is to establish guidelines and procedures to protect the confidentiality, integrity, and availability of information systems and data managed by PointCraft Inc.
This policy defines security standards for systems, infrastructure, software, employees, contractors, and third-party services used by PointCraft to deliver payment processing, point-of-sale, and commerce platform services.
2. Scope
This policy applies to:
All employees, contractors, and partners of PointCraft
All information systems operated by PointCraft
Cloud infrastructure and hosting environments
Payment terminals and POS devices
Company-owned and managed devices
Merchant and customer data processed by PointCraft
This includes but is not limited to:
Backend infrastructure
Cloud platforms
Mobile and terminal applications
Merchant dashboards
APIs and integrations
Payment processing services
3. Security Principles
PointCraft security practices are based on the following core principles:
Confidentiality
Sensitive information must be protected against unauthorized access.
Integrity
Systems and data must be protected from unauthorized modification.
Availability
Systems must remain available and resilient to ensure reliable service to merchants.
4. Access Control
4.1 Least Privilege
Access to systems and data is granted based on the principle of least privilege, meaning individuals are granted only the access necessary to perform their job duties.
4.2 Authentication
Access to company systems requires authentication through secure credentials.
Security measures include:
Strong password requirements
Multi-factor authentication (MFA)
Role-based access control
Device authentication for terminal systems
4.3 Access Reviews
Access permissions are periodically reviewed to ensure that access remains appropriate and necessary.
Access is revoked immediately upon termination of employment or contract.
5. Data Protection
5.1 Data Classification
Data handled by PointCraft may include:
Merchant business information
Transaction data
Operational platform data
System logs
Limited personally identifiable information (PII)
Sensitive information must be protected using appropriate safeguards.
5.2 Encryption
Sensitive data is protected using encryption mechanisms such as:
Encryption in transit using TLS
Encryption at rest where appropriate
Secure key management practices
5.3 Payment Data
PointCraft does not store cardholder data unless it is required for transaction processing, and any cardholder data that is retained is protected in accordance with PCI DSS. Sensitive authentication data (full track data, card verification codes, and PINs) is never retained after authorization, even in encrypted form.
Payment data is processed through certified payment processing partners and tokenization services wherever possible, so that PointCraft systems handle tokens rather than primary account numbers.
6. Infrastructure Security
PointCraft infrastructure security includes the following practices:
Cloud-based infrastructure security controls
Network firewalls and traffic filtering
IP rate limiting and threat protection
Monitoring and logging of infrastructure activity
Secure API authentication
Segmented environments (development, staging, production)
Infrastructure is monitored for abnormal activity and security threats.
7. Software Security
7.1 Secure Development
PointCraft follows secure development practices including:
Code reviews
Dependency vulnerability monitoring
Secure coding standards
Testing prior to deployment
7.2 Updates and Patching
Software systems and dependencies are regularly updated to address security vulnerabilities.
Critical security patches are applied as soon as reasonably possible.
8. Device Security
Devices used to access PointCraft systems must follow security requirements including:
Password or biometric lock
Operating system updates
Secure network connections
Restricted administrative privileges where possible
Payment terminals and POS devices are configured to prevent unauthorized access or tampering.
9. Monitoring and Logging
PointCraft systems maintain logs of security-relevant activity including:
System access
Administrative actions
Payment processing events
API activity
Infrastructure events
Logs are used to detect potential security threats, investigate incidents, and maintain operational integrity.
10. Incident Response
PointCraft maintains procedures for responding to potential security incidents.
These procedures include:
Identification of the security event
Containment of the affected systems
Investigation and analysis
Remediation of vulnerabilities
Notification to affected parties if required
Security incidents are documented and reviewed to improve future response capabilities.
11. Third-Party Security
PointCraft may rely on third-party service providers for infrastructure, payment processing, and integrations.
Vendors are selected based on their security posture and adherence to industry standards. When applicable, vendors must demonstrate compliance with the security standards relevant to the service they provide.
Examples include:
Cloud infrastructure providers
Payment processing partners
Fraud prevention services
Analytics platforms
12. Employee Responsibilities
Employees and contractors must:
Protect company credentials
Report suspicious activity
Follow security procedures
Avoid unauthorized access to systems or data
Security training may be provided to ensure awareness of best practices.
13. Business Continuity
PointCraft maintains backup and recovery procedures to protect against system failures or data loss.
Systems are designed with redundancy and failover capabilities where possible.
14. Policy Enforcement
Violations of this policy may result in disciplinary action, termination of employment, or legal consequences depending on the severity of the violation.
15. Policy Review
This policy will be reviewed periodically to ensure it remains aligned with industry security practices, regulatory requirements, and operational needs.
Approved By
PointCraft Inc.
Security & Engineering Leadership