
Information Security Policy

Document ID: POL-001
Version: 1.0
Effective Date: 2026-04-08
Next Review Date: 2027-04-08
Classification: Internal
Owner: Information Security Officer
Approved By: CEO, Paylithix Inc.

1. Purpose

This policy establishes the information security framework for Paylithix Inc. and its product, Gatelithix Gateway. It defines the organization's commitment to protecting cardholder data, maintaining PCI DSS v4.0.1 Level 1 Service Provider compliance, and managing information security risk across all systems that store, process, or transmit payment card data.

This is the umbrella policy from which all sub-policies derive their authority.

2. Scope

This policy applies to:

  • All personnel of Paylithix Inc., including employees, contractors, and temporary staff
  • All systems that comprise or connect to the Cardholder Data Environment (CDE)
  • All third-party service providers (TPSPs) that store, process, transmit, or could affect the security of cardholder data

2.1 Cardholder Data Environment (CDE) Boundary

The CDE for Gatelithix Gateway is strictly defined as:

Component              GCP Project      Description
---------------------  ---------------  ---------------------------------------------------------
Token Vault Service    gatelithix-pci   apps/vault/: encrypts, stores, and decrypts PANs
PCI VPC                gatelithix-pci   Network boundary (10.1.0.0/20) with firewall isolation
PCI Cloud SQL          gatelithix-pci   PostgreSQL database storing encrypted PAN references
Cloud KMS HSM Keys     gatelithix-pci   AES-256-GCM encryption keys for PAN protection

Connected systems (in PCI DSS assessment scope, but not part of the CDE): Gateway API (apps/gateway/), Connector services (apps/connectors/), Dashboard (apps/dashboard/), Core VPC, Core Cloud SQL.

Out of scope: Documentation site, marketing systems, internal tooling that does not touch cardholder data.

2.2 Compliance Standard

Gatelithix Gateway follows the PCI DSS v4.0.1 Defined Approach for all requirements. We do not use the Customized Approach for any requirement. This means we implement each requirement's defined controls, and are assessed against its defined testing procedures, as specified by the PCI Security Standards Council.

3. Roles and Responsibilities

3.1 RACI Matrix

Activity                            CEO  ISO  Engineering Lead  All Personnel
----------------------------------  ---  ---  ----------------  -------------
Approve security policies           A    R    C                 I
Maintain security policies          I    A/R  C                 I
Implement technical controls        I    C    A/R               I
Monitor compliance status           I    A/R  R                 I
Conduct risk assessments            A    R    C                 I
Manage incident response            I    A/R  R                 C
Approve CDE architecture changes    A    R    R                 I
Conduct access reviews              I    A    R                 I
Security awareness training         I    A/R  C                 R
QSA engagement and coordination     A    R    C                 I
TPSP compliance monitoring          I    A/R  C                 I

Legend: R = Responsible, A = Accountable, C = Consulted, I = Informed

3.2 Role Definitions

Chief Executive Officer (CEO):

  • Executive sponsor for PCI DSS compliance program
  • Approves information security policies and risk acceptance decisions
  • Allocates budget for security controls, QSA assessment, ASV scanning, and penetration testing

Information Security Officer (ISO):

  • Owns the PCI DSS compliance program and all security policies
  • Coordinates QSA assessments and manages remediation
  • Conducts risk assessments and maintains the risk register
  • Reviews and approves changes to CDE architecture
  • Manages incident response and post-mortem processes
  • Oversees security awareness training program

Engineering Lead:

  • Implements and maintains technical security controls
  • Reviews code changes to CDE components (CODEOWNERS for apps/vault/)
  • Maintains infrastructure-as-code (Terraform) for CDE resources
  • Responds to vulnerability findings and deploys patches

All Personnel:

  • Comply with all security policies
  • Complete annual security awareness training
  • Report suspected security incidents immediately
  • Protect credentials and access tokens

4. Policy Statements

4.1 Risk Management

  1. The ISO shall conduct a formal risk assessment at least annually and whenever significant changes occur to the CDE.
  2. Risk assessments shall identify threats to cardholder data, evaluate likelihood and impact, and produce a prioritized remediation plan.
  3. The organization has zero risk tolerance for storage of unencrypted PAN, and for transmission of unencrypted PAN outside the CDE boundary.
  4. Residual risks that cannot be immediately remediated must be documented in the risk register with an owner, timeline, and compensating controls.

4.2 Policy Framework

  1. This information security policy and all sub-policies shall be reviewed at least once every 12 months (PCI DSS 12.1.2).
  2. Policy reviews shall be documented with reviewer name, date, and any changes made.
  3. Updated policies shall be communicated to all affected personnel within 30 days of approval.
  4. All personnel shall acknowledge receipt and understanding of policies annually.

4.3 PCI DSS Compliance Program

  1. Paylithix Inc. operates a formal PCI DSS compliance program targeting Level 1 Service Provider certification.
  2. The ISO is responsible for maintaining the PCI DSS control matrix (compliance/PCI_DSS_v4.0.1_control_matrix.md) and tracking remediation of gaps.
  3. Compliance status shall be reviewed quarterly, with a formal report to the CEO (PCI DSS 12.4.1, 12.4.2).
  4. PCI DSS scope shall be validated at least every six months and upon any significant change to infrastructure or data flows (PCI DSS 12.5.2.1).

4.4 Security Awareness

  1. All personnel with access to CDE systems shall complete PCI-specific security awareness training upon hire and annually thereafter (PCI DSS 12.6.3).
  2. Training shall cover: threats to cardholder data, social engineering and phishing, acceptable use of technology, incident reporting procedures, and data handling requirements.
  3. Training completion records shall be maintained for the duration of employment plus one year.

4.5 Personnel Screening

  1. All personnel who will have access to CDE systems or cardholder data shall undergo background screening prior to being granted access (PCI DSS 12.7.1).
  2. Screening shall include, at minimum, identity verification and criminal background check, subject to applicable law.

4.6 Third-Party Service Provider Management

  1. The ISO shall maintain an inventory of all TPSPs that store, process, or transmit cardholder data or could affect CDE security (PCI DSS 12.8.1).
  2. Current TPSPs: Google Cloud Platform, Stripe, NMI, FluidPay (on the deprecation track), Auth0, Cloudflare. TSYS is planned as the next connector and will be added to the inventory before onboarding.
  3. Written agreements with each TPSP shall include acknowledgment of their PCI DSS responsibilities (PCI DSS 12.8.2).
  4. TPSP PCI DSS compliance status (AOC, SOC 2, or equivalent) shall be verified at least annually (PCI DSS 12.8.4).
  5. A responsibility matrix shall document which PCI DSS requirements are managed by each TPSP versus Paylithix (PCI DSS 12.8.5).

4.7 Service Provider Obligations

  1. As a service provider, Paylithix Inc. shall provide written acknowledgment to merchants that it is responsible for the security of cardholder data it possesses or processes (PCI DSS 12.9.1).
  2. Paylithix shall respond to merchant requests for PCI DSS compliance information within 10 business days (PCI DSS 12.9.2).

5. Sub-Policies

This policy is supported by the following sub-policies, each addressing specific domains of information security:

Sub-Policy                    Document ID  PCI DSS Requirements
----------------------------  -----------  ----------------------
Access Control Policy         POL-002      7.1-7.3, 8.1-8.6
Network Security Policy       POL-003      1.1-1.5, 4.1-4.2
Key Management Policy         POL-004      3.5-3.7
Incident Response Plan        POL-005      12.10
Change Management Policy      POL-006      6.5
Data Classification Policy    POL-007      3.1-3.4, 3.7, 4.1
Vendor Management Policy      POL-008      12.8, 12.9

6. Compliance and Enforcement

  1. Compliance with this policy is mandatory for all personnel.
  2. Violations shall be reported to the ISO and investigated promptly.
  3. Intentional violations or negligence resulting in cardholder data exposure may result in disciplinary action up to and including termination and legal action.
  4. The ISO shall report compliance violations and remediation actions to the CEO quarterly.

7. Document History

Version  Date        Author                        Changes
-------  ----------  ----------------------------  -----------------------
1.0      2026-04-08  Information Security Officer  Initial policy creation