Information Security Policy
TAL handles sensitive information daily including customer data, cardholder data and
employee data. TAL must have adequate safeguards in place to protect this sensitive
information, protect privacy, and to ensure compliance with various regulations.
TAL reserves the right to monitor, access, review, audit, copy, store, or delete any electronic
communications, equipment, systems and network traffic for any purpose.
Physical Security of Data
TAL commits to respecting the privacy of all its customers and employee, protecting all
sensitive data from outside parties and maintaining a secure environment for sensitive
information. To do so, TAL expects to following of all employees.
1. Handle Company, personal and customer account data including cardholder
information in a manner that fits with their sensitivity.
2. Do not use e-mail, internet and other Company resources to engage in any action that
is offensive, threatening, discriminatory, defamatory, slanderous, pornographic,
obscene, harassing or illegal.
3. Do not disclose personnel information unless authorized.
4. Protect all sensitive information.
5. Always leave desks clear of sensitive data and lock computer screens when unattended.
6. Information security incidents must be reported, without delay, to the individual
responsible for incident response locally – Generally the local Branch Manager.
7. Access to sensitive information in both hard and soft media format must be physically
restricted to prevent unauthorized individuals from obtaining sensitive data.
8. Employees should ensure that they have appropriate credentials and are authorized for
the use of technologies.
9. POS devices (POI/Terminals) surfaces should be periodically inspected to detect
tampering or substitution.
10. Personnel using the devices should be trained and aware of handling the POS devices
11. Personnel using the devices should verify the identity of any third-party personnel
claiming to repair or run maintenance tasks on the devices, install new devices or
replace devices.
12. Personnel using the devices should be trained to report suspicious behavior and
indications of tampering of the devices to the appropriate personnel.
13. Media containing sensitive information must be handled and distributed in a secure
manner by trusted individuals.
14. Strict control is maintained over the external or internal distribution of any media
containing card holder data and has to be approved by management. Employees should take all necessary steps to prevent unauthorized access to confidential data which includes cardholder data.
Access to Sensitive Data
1. Any display of the sensitive data should be restricted to the first 6 or the last 4 digits of
a related number (i.e. credit card, social security, etc.).
2. Access to sensitive information such as PAN’s, personal information and business data
is restricted to employees that have a legitimate need to view such information.
a. No other employees should have access to this confidential data unless they have
a genuine business need-to-know.
Acceptable Use Policy
TAL is committed to protecting employees, partners and the Company from illegal or
damaging actions by individuals, either knowingly or unknowingly, including actions resulting
in sharing or transfer of sensitive information. Therefore, in addition to the physical security
above, the following are required of all employees:
1. All employees must keep passwords secure and do not share accounts (except at Kiosk
stations).
2. Authorized users are responsible for the security of their passwords and accounts.
3. Do not install unauthorized software or hardware, including modems and wireless
access unless you have explicit management/BIS approval.
4. All PCs, laptops, tablets and workstations should be secured with a password-protected
screensaver with the automatic activation feature.
5. All POS and PIN entry devices must be protected and secured so they cannot be
tampered with or altered.
6. Information contained on portable computers can be variable vulnerable, special care
should be exercised.
7. Employees must use extreme caution when opening e-mail attachments received from
unknown senders, which may contain viruses, malware, e-mail bombs, or Trojan horse
code.
Updated 4.28.25