Process for filing, monitoring, tracking and restricting access to sensitive payment data
AU-4.7.7
The PISP and PSP should provide a description of the process in place to file, monitor, track and restrict access to sensitive payment data consisting of, but not limited to, the following:
(a) a description of the flows of data classified as sensitive payment data in the context of the applicant's business model;
(b) the procedures in place to authorise access to sensitive payment data;
(c) a description of the monitoring tool;
(d) the access right policy, detailing access to all relevant infrastructure components and systems, including databases and back-up infrastructures;
(e) a description of how the collected data are encrypted such that the applicant will not be able to read or store it;
(f) the expected internal and/or external use of the collected data;
(g) the IT system and technical security measures that have been implemented, including encryption and/or tokenisation;
(h) confirmation that access to sensitive customer data is not available to the applicant;
(i) an explanation of how breaches will be detected and addressed; and
(j) an annual internal control programme in relation to the safety of the IT systems.

Added: December 2018