Security Compliance Requirements
1. Security Compliance Requirements
These Security Compliance Requirements (“SCR”) apply to all FedEx Sensitive Data which is: (a) processed by Company; (b) provided by or on behalf of FedEx and/or its Affiliates to Company; (c) learned or otherwise used by Company during or in connection with the performance of Services; or, (d) otherwise collected or gathered from FedEx or third parties in connection with the Services.
Notwithstanding any contrary terms or conditions in the Mutual Nondisclosure Agreement (“MNDA”) or any other agreements between Company and FedEx, any exclusion in the MNDA or such agreements to the definition of Confidential Information shall not apply to FedEx Sensitive Data.
The following terms have the indicated definitions and meanings:
“Affiliate” means any current and future entity that, directly or indirectly, controls, is controlled by or is under common control with FedEx, where “control” is defined as the ownership of at least fifty percent (50%) of the equity or beneficial interests of such entity.
“Authorized Provider” means any agent, consultant, auditor, contractor, distributor, subcontractor, outsourcer or other third party, acting on behalf of Company (whether direct or indirect and at any tier) who has agreed, in writing, to comply with these SCR.
“Breach” means any (a) unauthorized processing of FedEx Sensitive Data or (b) any act or omission that compromises or undermines the physical, technical, or organizational safeguards put in place by Company regarding processing FedEx Sensitive Data or otherwise put in place to comply with these SCR. For the avoidance of doubt, “unauthorized processing” includes, but is not limited to: misuse, loss, destruction, alteration, compromise, or unauthorized disclosure of, access to, or collection of [including retention, storage, or transfer of] personal data transmitted, stored or otherwise processed.
“Card” means a credit card, debit card, charge card or stored value card bearing the service marks of any Card Organization.
“Cardholder” means the person to whom the Card has been issued.
“Cardholder Data” means all information provided by or about a Cardholder in the course of a transaction or obtained through the use of a Card or otherwise relating to a Card transaction [including, without limitation, name, address, PIN, CVV number, credit card account numbers, expiration dates, magnetic stripe data and any other similar information identifying the Cardholder or the related account].
“Card Organization” means a Card organization [including but not limited to Visa, MasterCard, JCB, American Express, Discover] that promulgates operating rules and operates an interchange system for exchanging charges between FedEx and the Payment Card Processor. In the case of debit cards, “Card Organizations” includes Debit Networks.
“Company” means any supplier or other third party that, in the course of doing business with FedEx, processes FedEx Sensitive Data.
“Debit Networks” means the telecommunications and processing system of shared electronic funds transfer networks.
“FedEx Personal Information” means any information that relates to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person [including, but not limited to: (i) individual user passwords [including but not limited to challenge/response answers, personal identification numbers (“PIN”) and any other access codes that correlate to a person]; (ii) Social Security number; (iii) driver’s license number; (iv) state identification number; (v) date of birth; (vi) government or federal identification number; (vii) financial information [including but not limited to financial account number, credit card number or debit card number in combination with any required security code, access code, or PIN that would permit access to an individual’s account]; (viii) health coverage ID number; (ix) biometric data [including but not limited to thumb print, retina scan, palm scan]; (x) employee data [including but not limited to performance reviews, medical information, health information, family information, salary, performance pay, stock options]; and, (xi) electronic handwritten signature].
“FedEx Sensitive Data” means (i) Cardholder Data; (ii) corporate financial data that has not been released to the public; (iii) customer data [including but not limited to shipping account number, meter number, business name/email/phone, ship/bill address, rewards balance, FCL uuid/username]; (iv) customer invoice data [including but not limited to invoice number, amount, billing info]; (v) data regarding critical systems/configuration [including but not limited to route planning, data subscriptions [including but not limited to security intel]]; (vi) FedEx Personal Information as defined above, which includes but is not limited to name, identification number, contact information, location data, online identifier; (vii) fedex.com embedded dependency/provider data [including but not limited to mapping, analytics, experience/user behavior tracking, internationalization/translated content]; (viii) marketing materials [including but not limited to campaign configuration, customer notification/offer emails]; (ix) passwords other than individual user passwords [including but not limited to application passwords, database passwords, and shared account passwords]; (x) session identifiers that represent or potentially represent an authenticated identity [including but not limited to single sign-on cookies] used by systems that contain any data element considered FedEx Sensitive Data; (xi) shipment data [including but not limited to tracking number/status, origin/destination address, shipper/recipient name/contact, shipment history, POD, duties taxes]; (xii) support artifacts [including but not limited to: screen shots, conversation/chat history, instructions/how-to, training videos]; (xiii) system information [including but not limited to URLs, IPs, owners]; (xiv) vulnerability data [including but not limited to scan results, pen test findings, remediation information], and any information or data developed, derived, converted, translated, or otherwise created from any of the foregoing categories [including but not limited to subsequent variables or data files] and any other data or information in any form which is identified by FedEx as FedEx Sensitive Data. For the avoidance of doubt, FedEx Sensitive Data includes any of the foregoing even when categorized under a different name [including but not limited to where a person’s social security number is also that person’s “pilot certification number”].
“Payment Card Processor” means an entity engaged by FedEx Sensitive Data irrespective of the purposes and means applied including, without limitation, access, collection, recording, organization, structuring, adaptation or alteration, retrieval, consultation, disclosure by transmission, retention, storage, dissemination or otherwise making available, disclosure, use, erasure, destruction, alignment or combination, restriction and any other operation regarding FedEx Sensitive Data.
“Services” means, including without limitation, Professional Services, Maintenance and Support and any other services provided to, or to the benefit of, FedEx and as defined in the Service Agreement.
“SCR” means these Security Compliance Requirements.
For the avoidance of doubt, derivations of the foregoing [including but not limited to processed, breached] are included in the defined term.
3. Generally Applicable Requirements
In all events, with respect to FedEx Sensitive Data, Company shall implement technical and organizational measures to ensure an appropriate level of security, and as a minimum the measures set out in these SCR:
(A) comply with the most recent version of ISO 27002, Information Technology – Security Techniques – Code of Practice for Information Security Management (“ISO Security Standard”).
(B) logically and/or physically segregate FedEx Sensitive Data from the data of any third party.
(C) encrypt (utilizing strong encryption) FedEx Sensitive Data if it is stored on laptops or portable media devices [including but not limited to USB drives, CD-ROMs, DVDs, backup tapes].
(D) unless a longer retention period is required by law, destroy all FedEx Sensitive Data and copies thereof in a manner to ensure that no restoration of such data is possible upon the earlier of (i) termination of the agreement in relation to which the FedEx Sensitive Data was used; or, (ii) the purpose for which the FedEx Sensitive Data is being used has been completed (and, prior to disposal of any equipment on which FedEx Sensitive Data has been stored or processed, Company shall comply with “NIST Guidelines for Media Sanitization (Draft SP 800-88)”).
(E) contact the FedEx Information Security organization promptly (but in no event more than twenty-four (24) hours) after a Breach is discovered by sending an e-mail to both firstname.lastname@example.org and email@example.com. When reporting a Breach, Company will provide the following information, in as much detail as possible:
- When the Breach occurred
- When and how the Breach was discovered
- What exactly happened
- Who is involved in the Breach
- What kind of information, including any FedEx Sensitive Data, is involved in the incident
(F) process FedEx Sensitive Data only in accordance with applicable laws, the terms of the applicable agreement between FedEx and Company (including, without limitation, these SCR), and on the basis of any authorized additional instructions from FedEx and its authorized agents and subcontractors. Company shall not process FedEx Sensitive Data for its own purposes and confirms that it does not sell any FedEx Sensitive Data, and will not retain, use or disclose FedEx Sensitive Data for any purpose other than for the specified purpose of performing services under any applicable agreement Company has with FedEx. Company shall immediately inform FedEx if, in Company’s opinion, any requirement in these SCR infringes applicable law. Company shall assist FedEx in ensuring compliance with its legal obligations (including but not limited to privacy law obligations such as performing data protection impact assessments and prior consultations with privacy authorities).
(G) not transfer, provide or otherwise disclose FedEx Sensitive Data to any third party, other than an Authorized Provider, unless required to by applicable law.
(H) not permit any third party, other than an Authorized Provider, to process FedEx Sensitive Data.
(I) take prompt corrective action(s) to remedy a Breach and to prevent any future Breach.
(J) take prompt corrective action(s) to remedy violation of (and to prevent any future violation of) any SCRs.
(K) take prompt corrective action(s) to remediate any vulnerabilities or security concerns identified by FedEx.
(L) implement corrective action(s) in a timeframe commensurate with the risk or as agreed upon with FedEx.
(M) cooperate fully with FedEx in facilitating investigation and remediation of a Breach. For avoidance of doubt, Company shall provide such access, information, and assistance as is necessary for FedEx and/or its designee(s) to complete the investigation of the Breach.
(N) not inform any third party of any Breach except as may be strictly required by applicable law, without first obtaining prior written consent from FedEx.
(O) promptly notify its primary FedEx business contact of any complaint or request received related to processing of FedEx Sensitive Data and assist FedEx with responding to such requests.
(P) ensure that all its employees, agents and/or Authorized Providers engaged in processing FedEx Sensitive Data have signed a confidentiality agreement and/or are under any other binding obligation of confidentiality.
(Q) In addition to, and without limiting, other applicable requirements, in the event Company processes FedEx Personal Information, Company shall only engage in transfers of FedEx Personal Information originating from the European Economic Area (“EEA”) to a country outside of the EEA without an adequate level of protection with prior written approval from FedEx. In addition, if appropriate and necessary, in the reasonable opinion of FedEx, Company shall enter into a separate data processing agreement that is satisfactory to both parties.
4. Connectivity Requirements
In addition to, and without limiting, other applicable requirements, in the event Company is permitted remote access [including but not limited to VPN, direct connection] to any internal FedEx systems [including, without limitation, hardware, software, data, servers, personal computer or control devices, software or other system], services, or networks (collectively, “FedEx Systems”), Company shall:
(A) connect to FedEx Systems only in the manner and through the means authorized by FedEx.
(B) not connect to, access or use (or attempt to do any of the foregoing) any FedEx Systems without the prior authorization of FedEx.
(C) not enable bridging. Bridging of any FedEx network [including but not limited to FedEx intranet] and any other network is prohibited.
(D) use strong encryption access methods for network-based command and control or monitoring activities.
(E) not use shared personal accounts.
(F) not attempt to gain unauthorized access to any systems, infrastructure, or other user’s account.
(G) not store the PIN or password in the VPN client configuration when using two-factor authentication to the FedEx network.
(H) not physically store hardware-based authenticators for remote access with the device used to connect to the FedEx network.
(I) report to the sponsoring manager or designee when a hardware or software-based authenticator is lost, stolen, or otherwise compromised.
(J) restrict duration of access to only such period as when access is required.
(K) not use any FedEx System in any way that (i) is illegal; (ii) is abusive; (iii) is harmful to or interferes with other network systems at FedEx, or the network or systems of any other entity, or the use thereof; (iv) infringes, misappropriates or otherwise violates the intellectual property, privacy or other proprietary rights of any party, including FedEx; (v) creates a security risk or vulnerability; or, (vi) attempts to do any of the foregoing.
5. Requirements related to testing and/or development services
In addition to, and without limiting, other applicable requirements, in the event Company provides any development or testing services, prior to providing such services to FedEx:
(A) Company’s [including its subcontractors at any tier] developers shall have successfully completed secure code training based on the Open Web Application Security Project (“OWASP”). Certification of completion of such training shall be provided to FedEx upon its request.
(B) Company’s subcontractors, at any tier, shall have successfully completed training in Security Testing practices to ensure that testing performed by Company meets PCI DSS. Certification of completion of such training shall be provided to FedEx upon its request.
6. Cardholder Data Requirements
In addition to, and without limiting, the other applicable requirements, in the event Company has any access to or use of Cardholder Data, Company shall comply with the following:
(A) Cardholder Data Protection
Company shall implement, maintain and use such proper security control and measures as is necessary to ensure the secure processing of Cardholder Data and to protect Cardholder Data from unauthorized processing or other compromise. In all events, Company shall comply with the Card Organizations’ Payment Card Industry (“PCI”) Data Security Standard (“DSS”) v.3.2.1, or such later version or replacement standard required by PCI to maintain its certification (PCI and DSS). In addition to PCI DSS, Company shall comply with such other programs, policies, procedures, obligations, duties, rules, regulations and requirements of the Card Organizations (now or in the future) regarding Cardholder Data [including but not limited to the Visa Cardholder Information Security Program, the MasterCard Site Data Protection Program, the American Express Data Security Operation Policy] (collectively, “Card Organizations Rules”). Company acknowledges receipt and review of the Card Organization Rules and will review a Card Organization’s Rules at such Card Organization’s website and at the Payment Card Industry website.
(B) Cardholder Data Breach
In the event any Breach affecting, directly or indirectly, Cardholder Data is suspected, alleged or confirmed (an “Event”), Company will notify FedEx promptly (in all events, within twenty-four (24) hours) of such Event. Within forty-eight (48) hours of the Event, Company shall conduct an internal investigation to determine whether unauthorized processing of Cardholder Data may have occurred and shall report the results of such investigation to FedEx. If such investigation is inconclusive, or upon request by FedEx or a Card Organization, Company, at Company’s sole expense, will engage a forensic investigator vendor, selected or approved by FedEx and/or the Card Organizations, no later than 48 hours following Company’s notice of the Event to FedEx, to investigate the Event. Such forensic investigator shall conduct promptly an examination of Company’s systems, procedures and records and issue a written report of its findings. For avoidance of doubt, Company shall provide such access, information, and assistance as is necessary for the forensic investigator, FedEx and/or Card Organizations to complete the investigation of the Event. Company will not alter or destroy any records related to the Event. Under all circumstances, Company shall maintain complete and accurate documentation regarding processing of Cardholder Data and the circumstances surrounding an Event. Company will provide to FedEx information related to Company’s or any Card Organization’s investigation related to any unauthorized processing of Cardholder Data [including but not limited to forensic reports and systems audits].
Company will comply with Card Organizations’ registration requirements [including, but not limited to: site inspections, background investigations, provision of financial statements] and reporting requirements. In addition, each year, and as otherwise requested by FedEx, Company shall provide proof of compliance to PCI DSS by: (i) being published in the Visa Global List of PCI DSS Validated Service Providers; or (ii) providing FedEx a copy of Company’s signed and dated PCI Security Standards Council approved documentation of either (a) its PCI DSS Report on Compliance (“ROC”) or (b) PCI DSS ROC Attestation of Compliance (“AOC”), or (c) Self-Assessment Questionnaire (“SAQ”), or (d) SAQ Attestation of Compliance (“AOC”), together with the executive summary of either (a) its ROC or (b) SAQ, whichever is applicable based on Company’s PCI vendor or merchant level, as determined by the Card Organizations. Company shall also provide annually a completed and validated copy of the FedEx PCI Responsibility Matrix.
7. Certification Requirements
Company shall:
(A) comply with both the general certification requirements set forth in this section and any other applicable certification requirement(s) set forth elsewhere in these SCR or Company’s agreement(s) with FedEx.
(B) provide certification of compliance with the applicable SCR by either obtaining such certification from an independent information security service company or through an annual self-assessment and certification, as approved by FedEx.
(C) provide FedEx with a copy of Company’s applicable security standards, policies, procedures, and guidelines upon request of FedEx.
(D) provide written certification to FedEx that FedEx Sensitive Data has been destroyed in accordance with these SCR.
These certifications shall be sent to: (i) the contact listed in the notices provision of the agreement in relation to which the FedEx Sensitive Data is used; and, (ii) Data Protection Management, Vendor Compliance, 80 FedEx Parkway, Collierville, Tennessee 38017, or such other address(es) as FedEx may designate from time to time.
8. Audit Right
(A) Company shall, upon reasonable notice, allow its data processing facilities, procedures and documentation to be inspected by (i) FedEx, (ii) a supervisory authority of FedEx to the extent permitted by applicable law and/or (iii) Card Organizations and Payment Card Processor (or designee(s) of any of the aforementioned under (i) through (iii)), in order to ascertain compliance with applicable law, these SCR, the MNDA and any agreements between FedEx and Company.
(B) Company shall fully cooperate with such audit requests by providing access to relevant knowledgeable personnel, physical premises, documentation, (IT) infrastructure and application software.
(C) In addition, upon notice, FedEx, Card Organization, Payment Card Processor (or designee of any of them) may conduct remote electronic scans, associated security testing scans or other associated security testing for Company’s systems, similar to those conducted under PCI DSS, to confirm compliance with the requirements of these SCR [including, without limitation, Card Organization Rules and PCI DSS]. Company shall promptly cooperate to allow such scans.
(D) In the event Company maintains an internet facing application or web site which processes FedEx Sensitive Data or through which FedEx Sensitive Data is otherwise accessible, Company shall conduct annual penetration tests with quarterly vulnerability scans. Company must provide the results of such testing and scans upon the request of FedEx, but in any event, at least annually.
(E) In all events, the results of audits and scans [including but not limited to any written reports] shall be made available to FedEx and, notwithstanding any contrary confidentiality, use or disclosure restrictions in any agreement between Company and FedEx, FedEx may make such results available, as applicable, to Card Organizations and Payment Card Processor.
Company’s failure to comply with any SCRs [including, without limitation, failure to implement any corrective action(s) within the required timeframe] is a material breach of Company’s agreement(s) with FedEx. Without limiting any other right or remedy that FedEx may have, FedEx reserves the right to terminate, for default/breach, those agreement(s) affected (directly or indirectly) by such non-compliance.
10. Authorized Providers
As used in these SCR, the term “Company” includes “Authorized Providers” when Company utilizes an Authorized Provider to process FedEx Sensitive Data. Company shall cause Authorized Providers to comply with these SCR [including, but not limited to, providing the required certifications, reports, information, assistance, and access]. Company is solely responsible and liable for each Authorized Provider’s compliance with, and breach of, these SCR. For the avoidance of doubt, unless and until a third party has agreed, in writing, to comply with these SCR, such third party is not an “Authorized Provider”.
11. Delegation by FedEx
FedEx may delegate to a third party any right [including but not limited to inspection, audit, enforcement] granted to FedEx under these SCR. Company shall provide such access, information, data, and cooperation to such third party as Company is required to provide FedEx under these SCR.