Security Policies
Gatelithix Gateway maintains a comprehensive set of security policies as required by PCI DSS v4.0.1 for Level 1 Service Providers. These policies govern the protection of cardholder data (CHD) and sensitive authentication data (SAD) and the operation of our Cardholder Data Environment (CDE).
Policy Framework
All policies are reviewed at least annually, and more frequently when significant changes occur (for example, a change to CDE scope, architecture or applicable regulation). Each policy is owned and maintained by the Information Security Officer, approved by the Executive Sponsor / CEO, and communicated to all affected personnel. Policies are versioned and maintained under source control with full audit history, so every approved revision and its approver can be traced.
| Policy | PCI DSS v4.0.1 Requirements | Scope |
|---|---|---|
| Information Security Policy | 12.1, 12.3, 12.4, 12.5 | Umbrella policy governing all information security activities |
| Access Control Policy | 7.1–7.3, 8.1–8.6 | CDE access, authentication, authorization, account lifecycle |
| Network Security Policy | 1.1–1.5, 4.1–4.2 | VPC segmentation, firewall rules, encryption in transit |
| Key Management Policy | 3.5–3.7 | Cloud KMS/HSM key lifecycle, rotation, custodianship |
| Incident Response Plan | 12.10 | Detection, escalation, containment, recovery, post-mortem |
| Change Management Policy | 6.5 | CDE change approval, testing, deployment, rollback |
| Data Classification Policy | 3.1–3.4, 3.7, 4.1 | CHD/SAD categories, handling rules, retention, disposal |
Governance
- Policy Owner: Information Security Officer, Paylithix Inc.
- Review Cycle: Annual, or sooner on significant change (next scheduled review: April 2027)
- Approval Authority: Executive Sponsor / CEO
- Distribution: All personnel with access to CDE systems or cardholder data
- Compliance Standard: PCI DSS v4.0.1 (Defined Approach)
Questions
For questions about these policies, contact the Security team at security@gatelithix.com.