Information Security Policy

1. Introduction

This Policy document encompasses all aspects of security surrounding confidential company information and must be distributed to all My Eye Rx employees. All employees must read this document in its entirety and sign the form confirming they have read and fully understand this policy. This document will be reviewed and updated by Management on an annual basis or when relevant to include newly developed security standards into the policy and re-distributed to all employees and contractors where applicable.

2. Information Security Policy

My Eye Rx handles sensitive information daily. Sensitive Information must have adequate safeguards in place to protect the account data that includes cardholder data, cardholder privacy, and to ensure compliance with various regulations, along with guarding the future of the organization.

My Eye Rx commits to respecting the privacy of all its customers and to protecting any customer data from outside parties. To this end management are committed to maintaining a secure environment in which to process cardholder information so that we can meet these promises.

Employees handling sensitive cardholder data should ensure:

• Handle My Eye Rx and account data information in a manner that fits with their sensitivity and classification;
• Limit personal use of My Eye Rx information and telecommunication systems and ensure it doesn't interfere with your job performance;
• My Eye Rx reserves the right to monitor, access, review, audit, copy, store, or delete any electronic communications, equipment, systems and network traffic for any purpose;
• Do not use e-mail, internet and other My Eye Rx resources to engage in any action that is offensive, threatening, discriminatory, defamatory, slanderous, pornographic, obscene, harassing or illegal;
• Do not disclose personnel information unless authorized;
• Protect sensitive account data including cardholder information;
• Keep passwords and accounts secure;
• Request approval from management prior to establishing any new software or hardware, third party connections, etc.;
• Do not install unauthorized software or hardware, including modems and wireless access unless you have explicit management approval;
• Always leave desks clear of sensitive cardholder data and lock computer screens when unattended;
• Information security incidents must be reported, without delay, to the Information Security Officer;
• Attend security awareness training on an annual basis.

We each have a responsibility for ensuring our company's systems and data are protected from unauthorized access and improper use. If you are unclear about any of the policies detailed herein you should seek advice and guidance from your line manager.

3. Network Security

A high-level network diagram of the network is maintained and reviewed on a yearly basis. The network diagram provides a high level overview of the cardholder data environment (CDE), which at a minimum shows the connections in and out of the CDE. Critical system components within the CDE, such as eCommerce web servers, re-direction/iFrame servers, and any other necessary payment components, as applicable should also be illustrated.

In addition, ASV (Approved Scanning Vendor) scans should be performed and completed by a PCI SSC Approved Scanning Vendor on a quarterly basis (every 90–92 days), where applicable. Evidence of these scans should be maintained for a period of 18 months.

My Eye Rx utilizes a redirect-based eCommerce model where customers are redirected to Clover's PCI-compliant Hosted Checkout environment for all payment processing. No cardholder data is entered on, transmitted through, or stored on My Eye Rx's servers or infrastructure.

4. Acceptable Use Policy

Management's intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to My Eye Rx's established culture of openness, trust and integrity. Management is committed to protecting the employees, partners and My Eye Rx from illegal or damaging actions, either knowingly or unknowingly by individuals. My Eye Rx will maintain an approved list of technologies and devices and personnel with access to such devices.

• Employees are responsible for exercising good judgment regarding the reasonableness of personal use.
• Employees should take all necessary steps to prevent unauthorized access to confidential data which includes account data/card holder data.
• Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts.
• All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature.
• The List of Devices will be regularly updated when devices are modified, added or decommissioned. A stocktake of devices will be regularly performed and devices inspected to identify any potential tampering or substitution of devices.
• Users should be trained in the ability to identify any suspicious behavior where any tampering or substitution may be performed. Any suspicious behavior will be reported accordingly.
• Information contained on portable computers is especially vulnerable; special care should be exercised.
• Postings by employees from a My Eye Rx email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of My Eye Rx, unless posting is in the course of business duties.
• Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, Trojan horse code, or phishing attacks.

5. Protect Stored Data

My Eye Rx and its employees are not to store cardholder data in the form of PAN or sensitive authentication data in electronic format at all. All payment processing is handled by Clover's PCI-compliant Hosted Checkout platform; My Eye Rx never receives, processes, or stores full cardholder data on its systems.

All sensitive account data including cardholder data stored and handled in hard copy by My Eye Rx and its employees must be securely protected against unauthorized use at all times. Any sensitive card data that is no longer required for business reasons must be discarded in a secure and irrecoverable manner.

If there is no specific need to see the full PAN (Primary Account Number), it has to be masked when displayed, showing the first six and last four numbers of the PAN maximum.

PANs which are not protected as stated above should not be sent to the outside network via end user messaging technologies like email, chats, or instant messenger.

It is strictly prohibited to store:

• The contents of the payment card magnetic stripe (track data) or chip equivalent track data on any media whatsoever.
• The CVV2/CVC2/CAV2/CID (the 3 or 4 digit number on the signature panel on the reverse of the payment card) on any media whatsoever.
• The PIN or the encrypted PIN Block under any circumstance.

6. Information Classification

Data and media containing data must always be labeled to indicate sensitivity level.

• Confidential data might include information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure, or data that would cause severe damage to My Eye Rx if disclosed or modified. Confidential data includes account data / cardholder data.
• Internal Use data might include information that the data owner feels should be protected to prevent unauthorized disclosure.
• Public data is information that may be freely disseminated.

7. Access to Sensitive Cardholder Data

All access to sensitive cardholder data should be controlled and authorized. Any job functions that require access to cardholder data should be clearly defined.

• Any display of the account data / card holder should be restricted at a minimum to the first 6 and the last 4 digits of the primary account number (PAN).
• Access to sensitive cardholder information such as PANs, personal information and business data is restricted to employees that have a legitimate need to view such information.
• No other employees should have access to this confidential data unless they have a genuine business need.
• If cardholder data is shared with a Service Provider (third party), then a list of such Service Providers will be maintained.
• My Eye Rx will ensure a written agreement that includes an acknowledgment is in place that the Service Provider will be responsible for the cardholder data that the Third Party Service Provider (TPSP) possesses.
• My Eye Rx will ensure that proper due diligence is in place before engaging with a TPSP.
• My Eye Rx will have a process in place to monitor the PCI DSS compliance status of the TPSP.
• My Eye Rx will ensure that the responsibilities for ensuring the security of account data / cardholder data are defined between My Eye Rx and a TPSP, documented in a responsibility matrix.

8. Physical Security

Access to sensitive information in both hard and soft media format must be physically restricted to prevent unauthorized individuals from obtaining sensitive data.

• Media is defined as any printed or handwritten paper, received faxes, floppy disks, back-up tapes, computer hard drive, etc.
• Media containing sensitive cardholder information must be handled and distributed in a secure manner by trusted individuals.
• Visitors must always be escorted by a trusted employee when in areas that hold sensitive cardholder information.
• Procedures must be in place to help all personnel easily distinguish between employees and visitors, especially in areas where account data including cardholder data is accessible.
• All computers that store sensitive cardholder data must have a password protected screensaver enabled to prevent unauthorized use.
• Strict control is maintained over the external or internal distribution of any media containing card holder data and has to be approved by management.
• Strict control is maintained over the storage and accessibility of media.

9. Protect Data in Transit

All sensitive cardholder data must be protected securely if it is to be transported physically or electronically.

• Card holder data (PAN, track data, etc.) must never be sent over the internet via email, instant chat or any other end user technologies.
• If there is a business justification to send cardholder data via email or by any other mode then it should be done after authorization and by using a strong encryption mechanism (i.e. AES encryption, PGP encryption, IPSEC, etc.).
• The transportation of media containing sensitive cardholder data to another location must be authorized by management, logged and inventoried before leaving the premises. Only secure courier services may be used for the transportation of such media. The status of the shipment should be monitored until it has been delivered to its new location.

My Eye Rx's eCommerce website (https://www.myeyerx.net) enforces HTTPS (TLS 1.2+) on all connections. All payment data entry occurs on Clover's PCI-compliant hosted payment page, not on My Eye Rx's website.

10. Disposal of Stored Data

All data must be securely disposed of when no longer required by My Eye Rx, regardless of the media or application type on which it is stored.

• An automatic process must exist to permanently delete on-line data when no longer required.
• All hard copies of cardholder data must be manually destroyed when no longer required for valid and justified business reasons. A quarterly process must be in place to confirm that all non-electronic cardholder data has been appropriately disposed of in a timely manner.
• My Eye Rx will have procedures for the destruction of hardcopy (paper) materials. These will require that all hardcopy materials are crosscut shredded, incinerated or pulped so they cannot be reconstructed.
• My Eye Rx will have documented procedures for the destruction of electronic media, requiring all cardholder data on electronic media to be rendered unrecoverable when deleted (e.g., through degaussing or electronically wiped using military grade secure deletion processes or the physical destruction of the media).
• If secure wipe programs are used, the process must define the industry accepted standards followed for secure deletion.
• All cardholder information awaiting destruction must be held in lockable storage containers clearly marked "To Be Shredded" — access to these containers must be restricted.

11. Security Awareness and Procedures

The policies and procedures outlined below must be incorporated into company practice to maintain a high level of security awareness. The protection of sensitive data demands regular training of all employees and contractors.

• Review handling procedures for sensitive information and hold periodic security awareness meetings to incorporate these procedures into day to day company practice.
• Distribute this security policy document to all My Eye Rx employees to read. It is required that all employees confirm that they understand the content of this security policy document by signing an acknowledgment form.
• All employees that handle sensitive information will undergo background checks (such as criminal and credit record checks, within the limits of the local law) before they commence their employment with My Eye Rx.
• All third parties with access to credit card account numbers are contractually obligated to comply with card association security standards (PCI/DSS).
• My Eye Rx security policies must be reviewed annually and updated as needed.

12. Credit Card (PCI) Security Incident Response Plan

My Eye Rx PCI Security Incident Response Team (PCI Response Team) is comprised of the Information Security Officer and management. The My Eye Rx PCI security incident response plan is as follows:

1. Each department must report an incident to the Information Security Officer or to another member of the PCI Response Team.
2. That member of the team receiving the report will advise the PCI Response Team of the incident.
3. The PCI Response Team will investigate the incident and assist the potentially compromised department in limiting the exposure of cardholder data and in mitigating the risks associated with the incident.
4. The PCI Response Team will resolve the problem to the satisfaction of all parties involved, including reporting the incident and findings to the appropriate parties (credit card associations, credit card processors, etc.) as necessary.
5. The PCI Response Team will determine if policies and processes need to be updated to avoid a similar incident in the future, and whether additional safeguards are required in the environment where the incident occurred.

Incident Response Notification — Escalation

First Level: Information Security Officer, Legal Counsel

Second Level: My Eye Rx Owner / Executive Management

External Contacts (as needed): Merchant Provider (Clover / Fiserv), Card Brands, Internet Service Provider, Business Partners, Insurance Carrier, External Response Team, Law Enforcement Agencies as applicable in local jurisdiction.

In response to a systems compromise, the PCI Response Team will:

1. Ensure compromised system(s) is isolated on/from the network.
2. Gather, review and analyze the logs and related information from various central and local safeguards and security controls.
3. Conduct appropriate forensic analysis of compromised system.
4. Contact internal and external departments and entities as appropriate.
5. Make forensic and log analysis available to appropriate law enforcement or card industry security personnel, as required.
6. Assist law enforcement and card industry security personnel in investigative processes, including in prosecutions.

Card Brand Notification Requirements

In the event of a suspected security breach, alert the Information Security Officer immediately. Upon confirmation that a security breach has occurred, the security officer will alert management and begin informing all relevant parties that may be affected by the compromise.

Visa

• Shut down any systems or processes involved in the breach to limit the extent and prevent further exposure.
• Alert all affected parties and authorities such as the Merchant Bank, Visa Fraud Control, and law enforcement.
• Provide details of all compromised or potentially compromised card numbers to Visa Fraud Control within 24 hours.

Mastercard

• Within 24 hours of an account compromise event, notify the MasterCard Compromised Account Team via phone at 1-636-722-4100.
• Provide a detailed written statement of fact about the account compromise via secured e-mail.
• Within 72 hours, engage the services of a data security firm acceptable to MasterCard to assess the vulnerability.
• Provide weekly written status reports to MasterCard until the audit is complete.

Discover

• Within 24 hours of an account compromise event, notify Discover Fraud Prevention at (800) 347-3102.
• Prepare a detailed written statement of fact about the account compromise.
• Prepare a list of all known compromised account numbers.

American Express

• Within 24 hours of an account compromise event, notify American Express Merchant Services at (800) 528-5200 in the U.S.
• Prepare a detailed written statement of fact about the account compromise.
• Prepare a list of all known compromised account numbers.

13. Transfer of Sensitive Information Policy

• All third-party companies providing critical services to My Eye Rx must provide an agreed Service Level Agreement.
• All third-party companies providing hosting facilities must comply with My Eye Rx's Physical Security and Access Control Policy.
• All third-party companies which have access to Card Holder information must:
  • Adhere to the PCI DSS security requirements.
  • Acknowledge their responsibility for securing the Card Holder data.
  • Acknowledge that the Card Holder data must only be used for assisting the completion of a transaction, supporting a loyalty program, providing a fraud control service or for uses specifically required by law.
  • Have appropriate provisions for business continuity in the event of a major disruption, disaster or failure.
  • Provide full cooperation and access to conduct a thorough security review after a security intrusion by a Payment Card industry representative, or a Payment Card industry approved third party.

14. User Access Management

• Access to My Eye Rx systems is controlled through a formal user registration process beginning with a formal notification from management.
• Each user is identified by a unique user ID so that users can be linked to and made responsible for their actions. The use of group IDs is only permitted where they are suitable for the work carried out.
• There is a standard level of access; other services can be accessed when specifically authorized by management.
• The job function of the user decides the level of access the employee has to cardholder data.
• A request for service must be made in writing (email or hard copy) by the newcomer's manager and must state: name of person making request, job title and workgroup, start date, and services required.
• Each user will be given a copy of their new user form to provide a written statement of their access rights. The user signs the form indicating that they understand the conditions of access.
• As soon as an individual leaves My Eye Rx employment, all system logons must be immediately revoked and accounts must be disabled and removed.
• As part of the employee termination process, management will inform IT operations of all leavers and their date of leaving.

15. Access Control Policy

Access Control systems are in place to protect the interests of all users of My Eye Rx computer systems by providing a safe, secure and readily accessible environment in which to work.

• My Eye Rx will provide all employees and other users with the information they need to carry out their responsibilities in an effective and efficient manner.
• Generic or group IDs shall not normally be permitted, but may be granted under exceptional circumstances if sufficient other controls on access are in place.
• The allocation of privilege rights (e.g. administrator, super-user, root access) shall be restricted and controlled, and authorization provided jointly by the system owner and IT.
• Access rights will be accorded following the principles of least privilege and need to know.
• Every user should attempt to maintain the security of data at its classified level even if technical security mechanisms fail or are absent.
• Users are obligated to report instances of non-compliance to the Information Security Officer.
• No access to any My Eye Rx IT resources and services will be provided without prior authentication and authorization.
• Password requirements: minimum 8 characters, complex, unique, change at first use, not re-usable, change every 90 days.
• Access to Confidential, Restricted and Protected information will be limited to authorized persons whose job responsibilities require it, as determined by the data owner. Requests for access permission to be granted, changed or revoked must be made in writing.
• Users are expected to become familiar with and abide by My Eye Rx policies, standards and guidelines for appropriate and acceptable usage of the networks and systems.
• Access for remote users shall be subject to authorization and be provided in accordance with the Remote Access Policy and the Information Security Policy. No uncontrolled external access shall be permitted to any network device or networked system.
• A formal process shall be conducted at regular intervals by system owners and data owners to review users' access rights.

eCommerce Configuration

My Eye Rx utilizes a redirect-based eCommerce model (Clover Hosted Checkout) for all payment processing. The following policies apply to My Eye Rx's eCommerce environment:

• Standard Server Configuration: Define a standard configuration for servers that includes necessary services, protocols, and settings. Ensure that vendor default accounts are changed, removed or disabled. Disable unnecessary services and protocols to minimize vulnerabilities.
• Hardening Procedures: Implement strong authentication and authorization mechanisms. Use file integrity monitoring tools to detect unauthorized changes. Enforce the use of antivirus and anti-malware solutions where applicable.
• Administrative Access: Limit access to server configurations to authorized personnel only. Use multi-factor authentication for administrative access. Maintain an audit trail of all access and changes made to server configurations.
• Regular Reviews: Periodically review server configurations against the established standard. Update configurations in response to new threats, vulnerabilities, or changes in organizational needs.
• Vulnerability Management: Regularly scan for vulnerabilities and address identified weaknesses. Establish a process to check for new security vulnerabilities using industry recognized sources. Regularly update and patch operating systems and software. Apply applicable security patches within one month from release.