Data Classification Policy
| Field | Value |
|---|---|
| Document ID | POL-007 |
| Version | 1.0 |
| Effective Date | 2026-04-08 |
| Next Review Date | 2027-04-08 |
| Classification | Internal |
| Owner | Information Security Officer |
| Approved By | CEO, Paylithix Inc. |
| Parent Policy | Information Security Policy (POL-001) |
1. Purpose
This policy classifies the types of data handled by the Gatelithix Gateway, defines handling rules for each category, and establishes storage, transmission, retention, and disposal requirements. It ensures that cardholder data is protected according to its sensitivity, in compliance with PCI DSS 4.0.1 Requirements 3 and 4.
2. Scope
This policy applies to all data stored, processed, or transmitted by Gatelithix Gateway systems, including:
- Cardholder data received from merchants via the API
- Data stored in Cloud SQL databases (PCI and Core)
- Data stored in Cloud KMS (encrypted key material)
- Data in transit between services, processors, and clients
- Data in logs, error messages, and monitoring systems
- Data in backups and database snapshots
- Data used in development and testing environments
3. Roles and Responsibilities
| Role | Responsibility |
|---|---|
| Information Security Officer | Classifies data; defines handling rules; conducts annual data inventory review |
| Engineering Lead | Implements technical controls for data handling; reviews code for data exposure |
| All Engineers | Handle data according to classification; never introduce PAN into unauthorized systems |
| All Personnel | Recognize data sensitivity levels; report mishandled data immediately |
4. Data Classification Levels
4.1 Classification Definitions
| Level | Name | Definition | Color Code |
|---|---|---|---|
| L1 | Prohibited | Data that must never be stored after authorization, regardless of encryption | Red |
| L2 | Restricted | Cardholder data subject to PCI DSS protection requirements | Orange |
| L3 | Confidential | Business-sensitive data requiring access controls and encryption | Yellow |
| L4 | Internal | Operational data requiring reasonable access controls | Blue |
| L5 | Public | Information intended for public consumption | Green |
4.2 PCI Data Categories
L1: Prohibited — Sensitive Authentication Data (SAD)
Sensitive Authentication Data must never be stored after authorization, even if encrypted (PCI DSS 3.3.1).
| Data Element | Description | Storage | Transmission | Logging |
|---|---|---|---|---|
| CVV/CVC/CVV2 | Card verification value | NEVER stored | TLS 1.2+ only; discarded from memory after processor call | NEVER logged |
| Full Track Data | Magnetic stripe data | NEVER stored | Not applicable (e-commerce only) | NEVER logged |
| PIN / PIN Block | Personal identification number | NEVER stored | Not applicable (CNP transactions only) | NEVER logged |
Gatelithix implementation: The vault service accepts CVV in the tokenization request, includes it in the processor API call, and discards it from memory. CVV is never written to any database, log, cache, or persistent storage.
L2: Restricted — Cardholder Data (CHD)
| Data Element | Description | Storage Rules | Transmission Rules | Logging Rules |
|---|---|---|---|---|
| PAN (Primary Account Number) | The full card number | Encrypted only (AES-256-GCM via Cloud KMS HSM); stored only in PCI Cloud SQL within the vault database | TLS 1.2+ required; transmitted only between vault and processors | NEVER logged; masked to first 6 / last 4 in any display |
| Cardholder Name | Name on the card | Stored in Core Cloud SQL if provided by merchant | TLS 1.2+ required | May be logged with appropriate access controls |
| Expiration Date | Card expiry (MM/YY) | Stored in Core Cloud SQL as card metadata | TLS 1.2+ required | May be logged (month/year only, no full date) |
| Service Code | 3-digit code from track data | Not applicable (e-commerce only) | Not applicable | Not applicable |
PAN masking rules:
- Display: show BIN (first 6 digits) and last 4 digits only (e.g.,
424242******4242) - API responses: return
binandlast4fields; never return full PAN - Logs: never log any portion of PAN beyond BIN and last 4
- Database (non-vault): store only
bin(string) andlast4(string) — never the full PAN
L3: Confidential — Business-Sensitive Data
| Data Element | Description | Handling Rules |
|---|---|---|
| API keys (plaintext) | Merchant API secret keys | Shown only at creation; stored as bcrypt hash; transmitted over TLS only |
| Webhook signing secrets | HMAC keys for webhook verification | Stored in Secret Manager; never logged; transmitted over TLS only |
| Cloud KMS key names | Resource identifiers for encryption keys | Access restricted to authorized personnel; not publicly shared |
| Merchant credentials | Processor API keys per merchant | Stored in Secret Manager; accessed only by connector services at runtime |
| Audit logs | Security event records | Append-only; access restricted to ISO and authorized personnel |
| Database credentials | Cloud SQL connection details | IAM-based authentication; no static passwords; connection via Auth Proxy |
L4: Internal — Operational Data
| Data Element | Description | Handling Rules |
|---|---|---|
| Transaction metadata | Amounts, currencies, statuses, timestamps | Access controlled; retained per business requirements |
| Merchant configuration | Routing rules, pricing plans, connector settings | Access controlled per RBAC |
Gateway tokens (tok_...) | References to vaulted card data | Not cardholder data; normal access controls apply |
Short IDs (mrc_..., pay_...) | Public-facing identifiers | Internal use; may appear in URLs and logs |
| System logs (non-security) | Application debug and info logs | Retained per operational needs; no CHD content |
L5: Public — Public Information
| Data Element | Description | Handling Rules |
|---|---|---|
| API documentation | Published at docs.gatelithix.com | Publicly accessible; version controlled |
| Error codes and messages | Standardized error responses | Publicly documented; must not contain CHD |
| Supported processor list | Stripe, NMI, FluidPay (deprecation track); TSYS planned | Publicly known |
5. Handling Rules by Classification
5.1 Storage Requirements
| Level | At-Rest Encryption | Storage Location | Access Control |
|---|---|---|---|
| L1 (Prohibited) | N/A — must not be stored | Nowhere | N/A |
| L2 (Restricted/PAN) | AES-256-GCM via Cloud KMS HSM | PCI Cloud SQL only (vault database) | Vault service account only; no human query access to raw data |
| L2 (Restricted/other CHD) | Cloud SQL default encryption (CMEK) | Core Cloud SQL | RBAC per Auth0 roles |
| L3 (Confidential) | Cloud SQL CMEK or Secret Manager | Core Cloud SQL, Secret Manager | Role-restricted; need-to-know |
| L4 (Internal) | Cloud SQL CMEK | Core Cloud SQL, Cloud Logging | Standard RBAC |
| L5 (Public) | Not required | Docs site, public repositories | Publicly accessible |
5.2 Transmission Requirements
| Level | Encryption in Transit | Allowed Channels |
|---|---|---|
| L1 (Prohibited) | TLS 1.2+ (during initial transmission only) | HTTPS API call from merchant to vault; vault to processor API |
| L2 (Restricted/PAN) | TLS 1.2+ mandatory | Vault-to-processor over HTTPS; never over email, chat, or unencrypted channel |
| L2 (Restricted/other CHD) | TLS 1.2+ mandatory | HTTPS API responses; never over email or chat |
| L3 (Confidential) | TLS 1.2+ mandatory | HTTPS, SSH, encrypted email only |
| L4 (Internal) | TLS recommended | HTTPS preferred; internal VPC traffic encrypted |
| L5 (Public) | No requirement | Any channel |
5.3 Logging Restrictions
| Level | Logging Rules |
|---|---|
| L1 (Prohibited) | NEVER logged in any form — not even masked or hashed |
| L2 (Restricted/PAN) | NEVER logged — BIN and last4 may be logged separately as L4 data |
| L2 (Restricted/other CHD) | May be logged with access controls; never in debug logs exposed to general engineering |
| L3 (Confidential) | Logged only in security audit trail; never in application debug logs |
| L4 (Internal) | Standard logging with appropriate retention |
| L5 (Public) | No restrictions |
6. Development and Testing
6.1 Test Data Requirements
- Production cardholder data shall never be used in development, testing, or staging environments.
- All development and testing shall use designated test card numbers:
| Test PAN | Processor | Purpose |
|---|---|---|
4242424242424242 | Stripe (tok_visa) | Successful Visa payment |
4000000000000002 | Stripe (tok_chargeDeclined) | Declined payment |
5555555555554444 | Stripe (tok_mastercard) | Successful Mastercard payment |
378282246310005 | Stripe (tok_amex) | Successful Amex payment |
- Test CVV: any 3-digit number (e.g.,
123). Test expiry: any future date (e.g.,12/29). - Sandbox processor credentials (prefixed
sk_test_*) shall be used for all non-production environments. - The vault encrypts test PANs with the same encryption pipeline as production — security controls are not bypassed in test mode.
6.2 Code Review Data Checks
Every code review shall verify:
- No PAN, CVV, or SAD appears in source code, comments, or test fixtures (except designated test PANs above)
- No PAN is logged, included in error messages, or returned in API responses
- Structured logging is used (not string concatenation that could leak sensitive fields)
json.Marshalis used for audit metadata serialization (notfmt.Sprintf)
7. Data Retention and Disposal
7.1 Retention Schedule
| Data Category | Retention Period | Justification |
|---|---|---|
| Encrypted PAN (vault) | Duration of token validity or merchant relationship + 90 days | Required for recurring payments and refunds |
| Transaction records | 7 years | Financial record-keeping, dispute resolution |
| Audit logs (security) | 1 year minimum; 3 months immediately accessible | PCI DSS 10.5.1 |
| Application logs | 90 days | Operational debugging |
| API key hashes | Duration of key validity + 90 days | Authentication records |
| Merchant configuration | Duration of merchant relationship + 1 year | Business records |
| Cloud SQL backups | 30 days (automated), 1 year (monthly snapshots) | Disaster recovery |
7.2 Data Disposal
- When PAN data is no longer needed (token revoked, merchant offboarded), the encrypted PAN record shall be securely deleted from the vault database. This deletion is automated by the
cmd/vault-purgeCloud Run job (Phase 110), which runs daily at 05:00 UTC and HARD-DELETEsvaulted_cardsrows that have crossed any of three retention boundaries: soft-delete grace (7 days afterdeleted_at), post-revocation retention (90 days afterrevoked_at), or merchant offboarding (90 days aftermerchant_offboarded_at). The PCI Cloud SQL FK cascade atomically drops dependentgateway_tokensandprocessor_tokensrows. - Secure deletion means: DELETE from Cloud SQL (which overwrites on SSD via GCP’s storage layer) plus the associated Cloud KMS key version may be scheduled for destruction per the Key Management Policy. True crypto-shred (KMS key-version destruction once no rows reference a given version) is deferred to v2.5+; Phase 110 ships only the row-level disposal half.
- Cloud SQL backups containing deleted PAN data expire per the retention schedule above. No manual extraction of individual records from backups is performed.
- When decommissioning a CDE system component, all data shall be securely deleted and the deletion documented.
- Paper documents containing cardholder data (if any) shall be cross-cut shredded. In practice, Gatelithix operates paperlessly — no CHD exists on paper.
Operational procedure for the automated purge job — including the first-week DRY-RUN rollout, manual trigger commands, and integration with the daily Req 10.4 log review — is documented in compliance/runbooks/vault-purge.md.
7.3 Automated Retention Enforcement
- A scheduled job shall review and purge expired data per the retention schedule.
- The purge job logs which records were deleted (by token reference, never by PAN) in the audit trail.
- The ISO reviews retention compliance quarterly.
8. Acceptable Use
- Cardholder data shall be accessed only for legitimate business purposes: payment processing, refund processing, dispute resolution, or security investigation.
- Cardholder data shall not be:
- Copied to personal devices, USB drives, or personal cloud storage
- Sent via email, chat, or any unencrypted communication channel
- Used for purposes other than those listed above
- Shared with unauthorized personnel or third parties
- Personnel who encounter cardholder data outside the vault (e.g., in a log file, error message, or database query result) shall immediately report it to the ISO for remediation.
9. Compliance and Enforcement
- Violations of this policy, particularly unauthorized storage or exposure of PAN or SAD, shall be treated as security incidents per the Incident Response Plan.
- Unauthorized PAN found outside the vault triggers the PCI DSS 12.10.7 response procedure: isolate the system, securely delete the data, investigate how it arrived there, and remediate the root cause.
- Intentional mishandling of cardholder data is grounds for immediate termination and potential legal action.
10. Related Documents
- Information Security Policy (POL-001) — Parent policy
- Key Management Policy (POL-004) — Encryption key lifecycle for PAN protection
- Access Control Policy (POL-002) — Who can access what data
- Incident Response Plan (POL-005) — Response to data exposure incidents
- Change Management Policy (POL-006) — Test data requirements for changes
- PCI DSS 4.0.1 Requirements 3 and 4
11. Document History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2026-04-08 | Information Security Officer | Initial policy creation |