PAYMENT CARD INDUSTRY DATA SECURITY STANDARD POLICY


1. BACKGROUND

The Payment Card Industry Data Security Standard policy is a comprehensive Regulation on data protection in Nigeria. The PCI-DSS serves as a guide to assist data controllers and data administrators/processors in understanding the controls and measures they need to introduce into their operations in order to comply with the PCI-DSS.

The PCI-DSS was made in recognition of the fact that many public and private bodies have migrated their respective businesses and other information systems online. These information systems have thus become critical information infrastructure which must be safeguarded, regulated and protected against personal data breaches. Government further takes cognizance of emerging data protection laws and regulations in the international community geared towards protecting privacy, identity, lives and property as well as fostering the integrity of commerce and industry in the data and digital economy and has realised the imperative importance of developing data protection rules and regulations to protect the personal data of Nigerian citizens and residents. It is in view of this that an implementation framework for the PCI-DSS becomes essential. The framework is NITDA’s attempt to promote a shared understanding of the PCI-DSS in order to promote voluntary compliance.

2. RELATIONSHIP OF THE PCI-DSS TO THE FRAMEWORK

This Framework clarifies provisions of the PCI-DSS which need further clarity or context. The Framework should be read in conjunction with the PCI-DSS and the relevant laws applicable to it. It does not supersede the PCI-DSS.

2.1. Exceptions to the PCI-DSS

Statutory and legal exceptions to the application of data privacy and protection remain applicable to the PCI-DSS. Therefore, the PCI-DSS does not apply to:

  1. the use of personal data in furtherance of national security, public health, safety and order by agencies of the Federal, State or Local government or those they expressly appoint to carry out such duties on their behalf;
  2. the investigation of criminal and tax offences;
  3. the collection and processing of anonymised data; and
  4. personal or household activities with no connection to a professional or commercial activity.

3. COMPLIANCE FRAMEWORK

3.1 Forms of Compliance

  1. Cooperation: This policy manual, to the extent that it is practicable and consistent, will seek the cooperation of stakeholders in achieving compliance with the applicable provisions.
  2. Assistance: The Payment Card Industry Data Security Standard policy manual may provide technical assistance to stakeholders to help them comply voluntarily with the applicable provisions of the PCI-DSS. This assistance may be provided through the COO.
  3. Self-Reporting: DSC will proactively provide information to show compliance with the applicable provisions of the PCI-DSS.

3.2 Compliance Checklist for Data Controllers and Data Administrators

In enhancing compliance and reducing liabilities, Data Controllers and Data Processors shall:

  1. within twelve months of incorporation and then on an annual basis conduct a data protection audit;
  2. process data only on a legally justifiable basis as provided in Article 2.2 of the PCI-DSS;
  3. prepare and publish a privacy policy on every medium of personal data collection within 3 months of commencement of business operations in line with Article 2.5 of the PCI-DSS, have a privacy policy on their site, and send messages to inform data subjects of developments requiring new or different consent. Publicity of the privacy policy may be fulfilled through any one or combination of the following:
    • publication on the website;
    • publication in a digital media;
    • posting at conspicuous parts of the Data Controller’s business premises;
    • reading or providing a copy to the Data Subject, or publication in any public media.
    • Where the privacy policy is not given or read to the Data Subject, the request for consent should explicitly refer the Data Subject to where the privacy policy can be accessed;
  4. design and maintain systems to be data protection compliant: Data Controllers must show that their systems are built with data protection in mind. We will therefore ensure continuous improvement of information security architecture to prevent possible data breaches;
  5. undertake continuous capacity building for members of staff, contractors, vendors, and relevant third parties;
  6. develop and circulate an internal data protection strategy or policy to help members of staff and vendors understand the organisation’s direction in connection with the collection and processing of Personal Data, and outline the steps they are to take to ensure the organisation’s direction is achieved and maintained;
  7. conduct a Data Protection Impact Assessment (‘DPIA’) in accordance with the provisions of the PCI-DSS (A DPIA is a process to identify, evaluate and minimise possible data protection risks in an existing or new business or organisational activity. Where the organisation intends to embark on a project that would involve the intense use of personal data, a DPIA should be conducted to identify possible areas where breaches may occur and devise a means of addressing such risks. Organisations are expected to conduct a DPIA on their processes, services and technology periodically to ensure continuous compliance);
  8. notify NITDA of Personal Data breaches within 72 (seventy-two) hours of becoming aware of the breach;
  9. update agreements with third party processors to ensure compliance with the PCI-DSS;
  10. design systems and processes to make data requests and access seamless for Data Subjects;
  11. design systems and processes to enable Data Subjects to easily correct or update their Personal Data;
  12. design systems and processes to enable Data Subjects to easily transfer data to another platform or person (natural or artificial) at minimal cost;
  13. within the first 6 (six) months of incorporation and then on a biennial basis, train members of senior management and employees who collect and/or process Personal Data in the course of their duty on Nigerian data protection laws and practices;
  14. clearly communicate to Data Subjects the process for objecting to the processing of their Personal Data; and
  15. outline the procedure for informing Data Subjects and for protecting their rights where an automated decision is being made on their Personal Data.

3.3. Compliance Approach

The approach adopted for the PCI-DSS is to ensure compliance by all stakeholders in a business-friendly manner.

 

4. HANDLING PERSONAL DATA

4.1 Further Processing (Art. 3.1(7)m PCI-DSS)

4.1.1. According to Article 3.1(7)m: Where the Controller intends to further process the Personal Data for a purpose other than that for which the Personal Data were collected, the controller shall provide the Data Subject prior to that further processing with information on that other purpose, and with any relevant further information.

Where a Data Controller wishes to further process Personal Data initially collected for a defined or limited purpose, the Data Controller shall consider the following:

  1. whether there exists a connection between the original purpose and the proposed purpose;
  2. the context in which the data was originally collected;
  3. the nature of the Personal Data;
  4. the possible impact of the new processing on the data subject; and
  5. the existence of requisite safeguards for the Personal

4.1.2 The above information shall be provided to the Data Subject before further processing is done. The further processing may be done if: 

  1. the Data Subject gives consent based on the new information;
  2. the further processing is solely for the purpose of scientific research, historical research or for statistical purposes in the public interest; or
  3. the further processing is required in compliance with a legal

4.2 Data Protection Impact Assessment

We will regularly assess the data protection impact of our processing on our customers. A DPIA may be required for the following kinds of Processing:

  1. evaluation or scoring (profiling);
  2. automated decision-making with legal or similar significant effect;
  3. systematic monitoring;
  4. when sensitive or highly Personal Data is involved;
  5. when Personal Data Processing relates to vulnerable or differently-abled data subjects; and
  6. When considering the deployment of innovative processes or the application of new technological or organizational solutions.

5. UNDERSTANDING CONSENT

5.1. Consent of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, through a statement or a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her. Consent may be given through a written statement, a sign or an affirmative action signifying agreement to the processing of personal.

5.2 Principles governing Consent

The following principles shall govern the giving and obtaining of consent:

  1. Transparency: There must be an explicit privacy policy stating the type of Personal Data collected, how the Personal Data is processed, who processes the Personal Data, the security standard implemented etc.;
  2. No implied consent: silence, pre-ticked boxes or inactivity do not constitute consent; and
  3. No bundled consent: a request for consent should be separated from general terms and conditions. There must be separate consent for different types of data uses.

5.3. When Consent is required

5.3.1. Consent is required:

  1. for any direct marketing activity, except to existing customers of the Data Controller who have purchased goods or services;
  2. for the Processing of Sensitive Personal Data;
  3. for further processing;
  4. for the processing of the personal data of a minor;
  5. before personal data is processed in a country which is not in the Whitelist of Countries published by NITDA from time to time; and
  6. before the Data Controller makes a decision based solely on automated Processing which produces legal effects concerning or significantly affecting the Data Subject.

5.3.2. Special category / higher standard consent: Explicit consent is required for the processing of sensitive personal data.

 

5.4 Types of Consent

  1. Explicit Consent: the Data Subject gives clear, documentable consent, e.g. ticks a box, signs a form, sends an email, or signs a paper.
  2. Opt-in Consent: the Data Subject is out unless he or she chooses to opt in. An example of opt-in consent is set out below:

[ ] I want to receive the XXX newsletter. If the box is left unticked, you will not receive the XXX newsletter.

5.5. Processing of a Child’s Data (Art. 3.1 PCI-DSS)

A child for the purpose of the PCI-DSS shall be any person below thirteen (13) years. A data controller or processor whose processing activity targets children shall ensure its privacy policy is made in a child-friendly form, so that children and their guardians have a clear understanding of the data processing activity before consent is granted.

5.6 Consent to Cookies (Art. 2.5(d) PCI-DSS)

The use of cookies on a website or other digital platforms requires consent. The consent must be freely given, informed and specific. Consent for cookies does not necessarily need the ticking of a box or similar methods; the continued surfing of a website upon a clear notice indicates consent.

In deploying cookies, website owners are required to:

  1. make cookie information clear and easy to understand;
  2. Notify users of the presence and purpose of the cookies;
  3. Identify the entity responsible for the use of the cookies; and
  4. Provide information on how to withdraw consent from the use of the

6. DATA PROTECTION AUDIT (Art. 4.1(5) PCI-DSS)

6.1. Data protection audit is a systematic investigation or examination of the records, processes and procedures of Data Controllers and Processors, to ensure that they are in compliance with the requirements of the PCI-DSS and their data protection policies.

The Management of DSC Microfinance Bank may, at its discretion:

  1. carry out scheduled audits;
  2. require report of audits as carried out by; or
  3. Schedule “spot checks” or “special audits” to ascertain compliance or identify breaches.

6.2. The reasons for conducting a data protection audit include to:

  1. Assess the level of compliance with the PCI-DSS;
  2. Evaluate compliance with the organisation's own data protection policy;
  3. Identify potential gaps and weaknesses in organisation’s processes; and
  4. Give requisite advice and/or remedial actions for identified

6.3. The Role of CO in Data Audits

In the performance of data audits, the DPCO are responsible for:

  1.  evaluating the status of compliance by the
  2. appraising Data Subjects’ rights protection. The Compliance Officer should be satisfied that DSC Microfinance Bank has clear processes to protect the rights of the Data Subject;
  3. assessing the level of awareness by top management, members of staff, contractors and customers of the PCI-DSS;
  4. identifying current or potential non-compliance; and
  5. drawing up a remedial plan to remediate identified

6.4. Every licensed Compliance Officer shall:

  1. abide by the provisions of the PCI-DSS, this Framework, and other related guidelines and frameworks as may be issued or directed by NITDA from time to time;
  2. deliver service in a professional and ethical manner;
  3. ensure that all information it provides to NITDA about its client is factual and professional;
  4. not mishandle or withhold any Personal Data or asset of DSC Microfinance Bank unlawfully; and
  5. be held liable, if found to have conspired to provide false and misleading information in an audit filing or communication.

6.5. Compliance Officers’ Code of Conduct

Every Compliance Officer shall ensure all its members of staff are aware of the ethical considerations in the performance of an audit under the PCI-DSS. The following are basic ethical expectations required of COs in the conduct of their business.

  1. Confidentiality – The Compliance Officer must execute a binding nondisclosure agreement. This will ensure that the information and data of the client are kept confidential.
  2. Honesty - COs must state verifiable facts and not conjectures, half-truths, or concealed facts, but provide an insight on how the country’s cyber and information management practices can be
  3. Professionalism - CCOs must perform the service with the highest level of professionalism and carry out continuous capacity building for their members of staff.

7.0 RETENTION OF RECORDS

7.1. The Regulation does not explicitly provide for a time period for the retention of data, because the retention period in certain scenarios may be subject to existing laws or contractual agreements.

7.2. Where the retention period of Personal Data is not specified in the contract between the parties or by applicable law, the retention period shall be:

    1. 3 (three) years after the last active use of a digital platform;
    2. 6 (six) years after the last transaction in a contractual agreement;
    3. upon presentation of evidence of death by a deceased’s relative; or
    4. immediately upon request by the Data Subject or his/her legal guardian, where
      1. no statutory provision provides otherwise; and
      2. the Data Subject is not the subject of an investigation or suit that may require the Personal Data sought to be deleted.

NITDA would consider the above and other circumstances to determine if the data was stored appropriately and for a reasonable length of time.

7.3. Personal Data that is no longer in use or which has been retained beyond the requisite statutorily required storage period shall be destroyed in line with global best practices for such operations. Evidence of destruction of data shall be a valid defence against future allegations of breach by a Data Subject.

POLICY DOCUMENT relating to Data Privacy and Protection is approved by the board on this day, 20th November 2024.
