The newsletter provides updates on PCI compliance and upcoming projects. It reminds associates that the annual PCI audit is occurring and lists key reminders regarding PCI compliance, such as securing physical documents with credit card information and redacting sensitive data when it is no longer needed. It also announces that work is underway to roll out a new financial reporting automation solution by the end of the period to increase controls around reporting systems. Finally, it provides the timeline for upcoming SOX compliance tasks in May and links to updated policies.
MARRIOTT VACATIONS WORLDWIDE CONFIDENTIAL AND PROPRIETARY INFORMATION
Controls and Compliance Newsletter
News and Trends
In this issue, we remind associates that the Payment Card Industry (PCI) annual audit is occurring. Key reminders for
compliance with PCI requirements are listed below. To gain a more thorough knowledge of MVWC PCI practices, follow this link
to ISM-44 and supporting job aids. Please review this with your teams and stress its importance for MVWC security. Also see the
following Forbes article, which lists the consequences of failing PCI compliance.
Look What’s Headed Your Way!
Work is underway to roll out the Financially Reported Sales Automation Solution at the end of Period 4. With this
solution, MVWC will increase the controls around our reporting systems as well as provide enhanced controls to our
overall reporting environment. Look for more information in our May Newsletter on the further benefits to your F&A
teams.
* For questions or concerns on this Newsletter, please contact Mike Kiely in Controls and Compliance.
APRIL 2016 ISSUE #4
2016 Sarbanes-Oxley Act (SOX) Compliance – Timeline*
In May we start the following key tasks:
Internal Audit begins walkthroughs with Business Areas.
Planning session with E&Y begins for SOX.
Recently Approved Policies and/or Standards
Key Policy Updates
Email Signature Standard
Mobile Device Policy
The following is a link to our Policies and Standards page.
Key Reminders for Associates Regarding PCI Compliance
If an MVWC process is keeping forms that contain full PAN (Primary Account Numbers)
on them, they need to make sure they can:
Document Retention Policy: In addition to the document redaction policy,
as an alternative, if a document containing PAN is no longer needed, it can
also simply be destroyed if there is no requirement to retain the document
itself. (See MVWP-15 or your departmental policies on document
retention). If a document is not destroyed after it is no longer needed, then
a written procedure and local policy should exist that formally documents
the length of time a document may be kept until it is redacted or destroyed.
Physical Document Security: Physically secure the documents at all
times. This includes keeping them in a locked file cabinet (or safe) in a
secure area with limited access to those forms.
Document Redaction Practices: After the full credit card Primary Account
Number (PAN) is no longer needed, the Payment Card Industry Data
Security Standard requires that PAN be redacted from printed documents
within a reasonable timeframe.