Security Compliance Requirements
- Definition of FedEx Sensitive Data, Process, Breach and Authorized Provider. The following terms have the indicated definitions and meanings:
“FedEx Sensitive Data” means data or information (regardless of form, e.g., electronic, paper copy, etc.) which is
(A) personally identifiable information [including, but not limited to: (i) individual user passwords (e.g., challenge/response answers, personal identification numbers (PIN) and any other access codes that correlate to a person, etc.); (ii) Social Security number; (iii) driver’s license number; (iv) state identification number; (v) date of birth; (vi) government or federal identification number; (vii) financial information (e.g., financial account number, credit card number or debit card number in combination with any required security code, access code, or PIN that would permit access to an individual’s account, etc.); (viii) health coverage ID number; (ix) biometric data (e.g., thumb print, retina scan, palm scan, etc.); and, (x) electronic handwritten signature];
(B) passwords other than individual user passwords [such passwords include application passwords, database passwords, and shared account passwords (for example, the WebLogic console)];
(C) session identifiers that represent or potentially represent an authenticated identity (e.g., a single sign-on cookie) used by systems that contain any data element considered FedEx Sensitive Data;
(D) employee data [including, but not limited to: (i) human resources data (e.g., performance reviews, medical information, health information, family information, etc.); and, (ii) compensation data (e.g., salary, performance pay, stock options, etc.)];
(E) corporate financial data that has not been released to the public;
(F) identified by FedEx as “FedEx Sensitive Data;”
(G) Cardholder Data; or,
(H) developed, derived, converted, translated, or otherwise created from any of the foregoing categories (including, but not limited to, subsequent variables or data files).
For the avoidance of doubt, FedEx Sensitive Data includes any of the foregoing even when categorized under a different name (e.g., a person’s social security number is such person’s “pilot certification number”).
"Process" means any operation in relation to FedEx Sensitive Data irrespective of the purposes and means applied including, without limitation, access, collection, retention, storage, transfer, disclosure, use, erasure, destruction, and any other operation.
"Breach" means any (a) unauthorized Processing of FedEx Sensitive Data or (b) act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by Company regarding Processing of FedEx Sensitive Data or otherwise put in place to comply with these InfoSec Compliance Requirements. For the avoidance of doubt, “unauthorized Processing” includes, but is not limited to: misuse, loss, destruction, compromise, or unauthorized access, collection, retention, storage, or transfer.
"Authorized Provider" means any agent, consultant, auditor, contractor, distributor, subcontractor, outsourcer or other third party, acting on behalf of Company (whether direct or indirect and at any tier) who has agreed, in writing, to comply with these InfoSec Compliance Requirements.
For the avoidance of doubt, derivations of the foregoing (e.g., Processed, Breached, etc.) are included in the defined term.
- Application of InfoSec Compliance Requirements. These InfoSec Compliance Requirements apply to all FedEx Sensitive Data which is: (A) Processed by Company; (B) provided by or on behalf of FedEx and/or its Affiliates to Company; (C) learned or otherwise used by Company during or in connection with the performance of Services; or, (D) otherwise collected or gathered from FedEx or third parties in connection with the Services.
Notwithstanding any contrary terms or conditions in the MNDA or any agreements between Company and FedEx, any exclusion in the MNDA or such agreements to the definition of Confidential Information shall not apply to FedEx Sensitive Data.
- Generally Applicable InfoSec Compliance Requirements: In all events, with respect to FedEx Sensitive Data, Company shall:
(A) comply with ISO 27002:2005, Information Technology – Security Techniques – Code of Practice for Information Security Management (“ISO Security Standard”).
(B) logically and/or physically segregate FedEx Sensitive Data from the data of any third party.
(C) encrypt (utilizing strong encryption) FedEx Sensitive Data if it is stored on laptops or portable media devices (e.g., USB drives, CD-ROMs, DVDs, backup tapes, etc.).
(D) unless a longer retention period is required by law, destroy all FedEx Sensitive Data and copies thereof in a manner that ensures no restoration of such data is possible upon the earlier of (i) termination of the Agreement in relation to which the FedEx Sensitive Data was used; or, (ii) completion of the purpose for which the FedEx Sensitive Data was being used (and, prior to disposal of any equipment on which FedEx Sensitive Data has been stored or processed, Company shall comply with “NIST Guidelines for Media Sanitization (Draft SP 800-88)”).
(E) contact the FedEx Information Security organization promptly (but in no event more than eight (8) hours) after a Breach is discovered by calling 901/224-2021 or 901/224-2022, or such other number(s) as FedEx may designate from time to time.
(F) Process FedEx Sensitive Data only in accordance with applicable laws, the terms of the applicable agreement between FedEx and Company (including, without limitation, these InfoSec Compliance Requirements), and on the basis of any authorized additional instructions from FedEx and its authorized agents and subcontractors.
(G) not transfer, provide or otherwise disclose FedEx Sensitive Data to any third party, other than an Authorized Provider, unless required to by applicable law.
(H) not permit any third party, other than an Authorized Provider, to Process FedEx Sensitive Data.
(I) take prompt corrective action(s) to remedy a Breach and to prevent any future Breach.
(J) take prompt corrective action(s) to remedy a violation of (and to prevent any future violation of) any InfoSec Compliance Requirement.
(K) take prompt corrective action(s) to remediate any vulnerabilities or security concerns identified by FedEx.
(L) implement corrective action(s) in a timeframe commensurate with the risk or as agreed upon with FedEx.
(M) cooperate fully with FedEx in facilitating investigation and remediation of a Breach. For avoidance of doubt, Company shall provide such access, information, and assistance as is necessary for FedEx and/or its designee(s) to complete the investigation of the Breach.
(N) not inform any third party of any Breach except as may be strictly required by applicable law, without first obtaining FedEx’s prior written consent.
(O) promptly notify its primary FedEx business contact of any complaint received related to Processing of FedEx Sensitive Data.
- Connectivity Requirements: In addition to, and without limiting, other applicable requirements, in the event Company is permitted remote access (e.g., VPN, direct connection, etc.) to any internal FedEx systems (including, without limitation, hardware, software, data, servers, personal computer or control devices, or other systems), services, or networks (collectively, “FedEx Systems”), Company shall:
(A) connect to FedEx Systems only in the manner and through the means authorized by FedEx.
(B) not connect to, access or use (or attempt to do any of the foregoing) any FedEx Systems without the prior authorization of FedEx.
(C) not enable bridging. Bridging of any FedEx network (e.g., FedEx intranet, etc.) and any other network is prohibited.
(D) use strongly encrypted access methods for network-based command and control or monitoring activities.
(E) not use shared personal accounts.
(F) not attempt to gain unauthorized access to any systems, infrastructure, or other user’s account.
(G) not store the PIN or password in the VPN client configuration when using two-factor authentication to the FedEx network.
(H) not physically store hardware-based authenticators for remote access with the device used to connect to the FedEx network.
(I) report to the sponsoring manager or designee when a hardware or software based authenticator is lost, stolen, or otherwise compromised.
(J) restrict duration of access to only such period as when access is required.
(K) not use any FedEx System in any way that (i) is illegal; (ii) is abusive; (iii) is harmful to or interferes with FedEx’s network or systems, or the network or systems of any other entity, or the use thereof; (iv) infringes, misappropriates or otherwise violates the intellectual property, privacy or other proprietary rights of any party, including FedEx; (v) creates a security risk or vulnerability; or, (vi) attempts to do any of the foregoing.
- Requirements related to testing and/or development services: In addition to, and without limiting, other applicable requirements, in the event Company provides any development or testing services, prior to providing such services to FedEx:
(A) Company’s developers (including those of its subcontractors at any tier) shall have successfully completed secure coding training based on the Open Web Application Security Project (OWASP). Certification of completion of such training shall be provided to FedEx upon its request.
(B) Company’s testing personnel (including those of its subcontractors at any tier) shall have successfully completed training in security testing practices to ensure that testing performed by Company meets PCI DSS. Certification of completion of such training shall be provided to FedEx upon its request.
- Cardholder Data: In addition to, and without limiting, the other applicable requirements, in the event Company has any access to or use of Cardholder Data (as defined below), Company shall comply with the following:
(A) Definitions
“Card” means a credit card, debit card, charge card or stored value card bearing the service marks of any Card Organization.
“Cardholder” means the person to whom the Card has been issued.
“Cardholder Data” means all information provided by or about a Cardholder in the course of a transaction or obtained through the use of a Card or otherwise relating to a Card transaction (including, without limitation, name, address, PIN, CVV number, credit card account numbers, expiration dates, magnetic stripe data and any other similar information identifying the Cardholder or the related account).
“Card Organization” means a Card organization (e.g., Visa, MasterCard, JCB, American Express, Discover, etc.) that promulgates operating rules and operates an interchange system for exchanging charges between FedEx and the Payment Card Processor. In the case of debit cards, “Card Organizations” includes Debit Networks.
“Debit Networks” means the telecommunications and processing systems of shared electronic funds transfer networks.
“Payment Card Processor” means an entity engaged by FedEx to process Card transactions accepted by FedEx.
(B) Cardholder Data Protection
Company shall implement, maintain and use such proper security controls and measures as are necessary to ensure the secure Processing of Cardholder Data and to protect Cardholder Data from unauthorized Processing or other compromise. In all events, Company shall comply with the Card Organizations’ Payment Card Industry (“PCI”) Data Security Standard v. 1.2, or such later version or replacement standard required by PCI to maintain its certification (“PCI DSS”). In addition to PCI DSS, Company shall comply with such other programs, policies, procedures, obligations, duties, rules, regulations and requirements of the Card Organizations (now or in the future) regarding Cardholder Data (e.g., the Visa Cardholder Information Security Program, the MasterCard Site Data Protection Program, the American Express Data Security Operating Policy, etc.) (collectively, “Card Organization Rules”). Company acknowledges receipt and review of the Card Organization Rules and will review a Card Organization’s Rules at such Card Organization’s web site and at the Payment Card Industry web site: http://www.PCISecurityStandards.Org.
(C) Data Breach
In the event any Breach affecting, directly or indirectly, Cardholder Data is suspected, alleged or confirmed (an “Event”), Company will notify FedEx promptly (in all events, within twenty-four (24) hours) of such Event. Within forty-eight (48) hours of the Event, Company shall conduct an internal investigation to determine whether unauthorized Processing of Cardholder Data may have occurred and shall report the results of such investigation to FedEx. If such investigation is inconclusive, or upon request by FedEx or a Card Organization, Company, at Company’s sole expense, will engage a forensic investigator vendor, selected or approved by FedEx and/or the Card Organizations, no later than 48 hours following Company’s notice of the Event to FedEx, to investigate the Event. Such forensic investigator shall conduct promptly an examination of Company’s systems, procedures and records and issue a written report of its findings. For avoidance of doubt, Company shall provide such access, information, and assistance as is necessary for the forensic investigator, FedEx and/or Card Organizations to complete the investigation of the Event. Company will not alter or destroy any records related to the Event. Under all circumstances, Company shall maintain complete and accurate documentation regarding Processing of Cardholder Data and the circumstances surrounding an Event. Company will provide to FedEx information related to Company’s or any Card Organization’s investigation related to any unauthorized Processing of Cardholder Data including but not limited to forensic reports and systems audits.
Company will comply with Card Organizations’ registration requirements (including, but not limited to, site inspections, background investigations, provision of financial statements, etc.) and reporting requirements. In addition, each year, and as otherwise requested by FedEx, Company shall provide proof of compliance with PCI DSS by: (i) being published in the Visa Global List of PCI DSS Validated Service Providers; or (ii) providing FedEx a copy of Company’s executive summary of either (a) its PCI DSS Report On Compliance (“ROC”) or (b) Self-Assessment Questionnaire (“SAQ”), whichever is applicable based on Company’s PCI service provider or merchant level, as determined by the Card Organizations.
- Certification Requirements: Company shall:
(A) comply with both the general certification requirements set forth in this Section and any other applicable certification requirement(s) set forth elsewhere in these InfoSec Compliance Requirements or Company’s agreement(s) with FedEx.
(B) provide certification of compliance with the applicable InfoSec Compliance Requirements by either obtaining such certification from an independent information security service company or through an annual self-assessment and certification, as approved by FedEx.
(C) provide FedEx with a copy of Company's applicable security standards, policies, procedures, and guidelines upon request of FedEx.
(D) provide written certification to FedEx that FedEx Sensitive Data has been destroyed in accordance with these requirements.
These certifications shall be sent to: (i) the contact listed in the notices provision of the agreement in relation to which the FedEx Sensitive Data is used; and, (ii) Data Protection Management, Vendor Compliance, 80 FedEx Parkway, Collierville, Tennessee 38017, or such other address(es) as FedEx may designate from time to time.
- Audit Right:
(A) Company shall, upon reasonable notice, allow its data processing facilities, procedures and documentation to be inspected by FedEx, Card Organizations and Payment Card Processor (or designee(s) of any of them) in order to ascertain compliance with applicable law, these InfoSec Compliance Requirements, the MNDA and any agreements between FedEx and Company.
(B) Company shall fully cooperate with such audit requests by providing access to relevant knowledgeable personnel, physical premises, documentation, infrastructure and application software.
(C) In addition, upon notice, FedEx, Card Organization, Payment Card Processor (or designee of any of them) may conduct remote electronic scans or other security testing of Company’s systems, similar to those conducted under PCI DSS, to confirm compliance with these InfoSec Compliance Requirements (including, without limitation, Card Organization Rules and PCI DSS). Company shall promptly cooperate to allow such scans.
(D) In the event Company maintains an internet-facing application or web site which Processes FedEx Sensitive Data or through which FedEx Sensitive Data is otherwise accessible, Company shall conduct annual penetration tests and quarterly vulnerability scans. Company must provide the results of such tests and scans upon FedEx’s request, and in any event at least annually.
(E) In all events, the results of audits and scans, including but not limited to any written reports, shall be made available to FedEx and, notwithstanding any contrary confidentiality, use or disclosure restrictions in any agreement between Company and FedEx, FedEx may make such results available, as applicable, to Card Organizations and Payment Card Processor.
Company’s failure to comply with any InfoSec Compliance Requirement (including, without limitation, failure to implement any corrective action(s) within the required timeframe) is a material breach of Company’s agreement(s) with FedEx. Without limiting any other right or remedy that FedEx may have, FedEx reserves the right to terminate, for default/breach, those agreement(s) affected (directly or indirectly) by such non-compliance.
- Authorized Providers.
As used in these InfoSec Compliance Requirements, the term “Company” includes “Authorized Providers” when Company utilizes an Authorized Provider to Process FedEx Sensitive Data. Company shall cause Authorized Providers to comply with these InfoSec Compliance Requirements, including, but not limited to, providing the required certifications, reports, information, assistance, and access. Company is solely responsible and liable for each Authorized Provider’s compliance with, and breach of, these InfoSec Compliance Requirements. For the avoidance of doubt, unless and until a third party has agreed, in writing, to comply with these InfoSec Compliance Requirements, such third party is not an “Authorized Provider.”
- Delegation by FedEx.
FedEx may delegate to a third party any right (e.g., inspection, audit, enforcement, etc.) granted to FedEx under these InfoSec Compliance Requirements. Company shall provide such access, information, data, and cooperation to such third party as Company is required to provide FedEx under these InfoSec Compliance Requirements.