Information Security Policy for Epic Fun LLC

1. Introduction

Epic Fun LLC (the “Company”) is committed to maintaining the confidentiality, integrity, and availability of its information systems and protecting customer data in accordance with the highest industry standards, including the Payment Card Industry Data Security Standard (PCI DSS). This Information Security Policy outlines the Company’s approach to safeguarding sensitive information, ensuring compliance with relevant laws and regulations, and promoting a culture of security awareness within the organization.

2. Purpose

The purpose of this policy is to:

  • Protect cardholder data (CHD) and sensitive authentication data (SAD).
  • Ensure compliance with the PCI DSS.
  • Establish the roles, responsibilities, and procedures required to secure the Company’s information systems.
  • Provide guidance on the appropriate measures to prevent, detect, and respond to security threats and breaches.

3. Scope

This policy applies to all employees, contractors, and third-party vendors who have access to systems that store, process, or transmit cardholder data or other sensitive information. It covers all information systems, networks, devices, and applications owned, operated, or managed by the Company.

4. Information Security Governance

The Company has appointed a Chief Information Security Officer (CISO) responsible for overseeing information security operations, compliance, and risk management efforts. The CISO will report to the executive leadership team on a quarterly basis.

  • Security Committee: A cross-functional security committee will meet regularly to ensure the Company’s security posture is in line with industry best practices.

5. Data Protection and PCI DSS Compliance

5.1 Cardholder Data (CHD) Protection
  • Encryption: Cardholder data must be encrypted both at rest and in transit using industry-standard encryption protocols (e.g., AES-256, TLS 1.2 or higher).
  • Data Minimization: Only cardholder data required for business purposes should be stored, and such data must be deleted as soon as it is no longer needed.
  • Access Control: Access to CHD will be granted on a need-to-know basis and must be regularly reviewed to ensure it is still necessary for business operations.
5.2 Secure Authentication and Authorization
  • Strong Authentication: The use of multi-factor authentication (MFA) will be enforced for all systems handling cardholder data or other sensitive information.
  • Access Control: Role-based access control (RBAC) will be implemented across all systems to ensure that employees and third parties can only access the data necessary for their job functions.
  • Periodic Reviews: Access permissions will be reviewed at least quarterly and promptly adjusted when employees change roles or leave the organization.
5.3 Secure Systems and Networks
  • Firewall Configuration: A robust firewall configuration will be maintained to protect the cardholder data environment (CDE) and prevent unauthorized access to sensitive systems.
  • Intrusion Detection/Prevention: Intrusion detection and prevention systems (IDPS) will be implemented to monitor for unusual or unauthorized activity.
  • Regular Vulnerability Scanning: Regular internal and external vulnerability scans will be conducted to identify and address potential weaknesses in the Company’s systems and applications.

6. Incident Response and Monitoring

6.1 Monitoring and Logging
  • Logging: All access to cardholder data and other sensitive systems must be logged, and these logs must be securely stored for at least one year, with the most recent three months of logs readily accessible for analysis.
  • Real-time Monitoring: The Company will implement real-time monitoring of all critical systems to detect any unusual or potentially malicious activity.
6.2 Incident Response Plan
  • Incident Response Team (IRT): A dedicated Incident Response Team (IRT) will be established and trained to respond to security breaches involving sensitive information.
  • Incident Reporting: Employees are required to report any suspected security incident immediately to the IRT. All incidents will be investigated thoroughly to determine the cause and implement corrective measures.

7. Security Awareness and Training

7.1 Employee Training
  • Initial Training: All new employees will receive training on information security, including PCI DSS requirements and how to handle sensitive data.
  • Ongoing Training: Employees will undergo annual security training to stay informed of current threats, best practices, and changes in security policy.
  • Phishing Awareness: Employees will be regularly tested with simulated phishing attacks to ensure awareness of social engineering tactics.
7.2 Vendor Security Requirements
  • Third-Party Risk Assessment: All third-party vendors with access to cardholder data must undergo a thorough risk assessment to ensure they comply with the relevant security standards, including PCI DSS.
  • Contractual Obligations: All third-party contracts will include specific language regarding data protection and compliance with applicable security standards.

8. Data Retention and Disposal

8.1 Data Retention
  • Cardholder data will only be retained for as long as necessary to fulfill business and legal requirements. Any data retained must be protected according to the highest security standards.
  • Data that is no longer required must be securely destroyed (e.g., via secure erasure or physical destruction) in accordance with PCI DSS requirements.
8.2 Secure Disposal
  • Hardware Disposal: Any hardware that is decommissioned, including hard drives and servers, must undergo a secure destruction process (e.g., physical destruction or secure wiping).
  • Paper Records: Any physical records containing sensitive information must be shredded or otherwise securely disposed of.

9. Compliance and Audits

9.1 Compliance Audits
  • The Company will conduct regular internal and external audits to assess compliance with this policy and the PCI DSS. These audits will be used to identify gaps and ensure corrective actions are taken.
  • Quarterly Self-Assessments: The Company will conduct quarterly PCI DSS self-assessments to ensure ongoing compliance with all applicable security controls.
9.2 Compliance with Other Regulations
  • The Company will ensure compliance with all other relevant data protection regulations, such as the General Data Protection Regulation (GDPR) or California Consumer Privacy Act (CCPA), as applicable.

10. Enforcement and Disciplinary Actions

  • Any employee, contractor, or third-party vendor found to have violated this policy will be subject to disciplinary action, which may include termination of employment or contract, legal action, or fines.
  • Violations of PCI DSS standards or other security breaches may also result in sanctions from relevant authorities, including the suspension of payment processing services.

11. Review and Revision

This policy will be reviewed and updated annually or whenever significant changes occur in the Company’s operations, technology, or applicable regulations. Any revisions will be communicated to all employees and relevant stakeholders.

12. Contact Information

For questions or concerns regarding this policy, please contact the Company’s Information Security Officer at:

Email: hello@epicfunla.com
Phone: (310) 905-6125

This Information Security Policy is effective as of January 28, 2023. By adhering to this policy, Epic Fun LLC commits to protecting its customers’ data, maintaining compliance with PCI DSS, and fostering a culture of security across the organization.

This policy ensures that Epic Fun LLC maintains robust information security practices and meets the PCI DSS requirements necessary to safeguard sensitive customer data and maintain trust.