Bar-Cons Federal Credit Union E-Commerce Policy and Procedure
(Privacy Statement Included)
Bar-Cons Federal Credit Union realizes the importance of maintaining a solid on-line presence for informational and e-commerce purposes in attracting new members and retaining existing members. For purposes of this policy and procedure document, e-commerce is defined as the ability of members to access personal account information and general Credit Union information, to perform transactions and to access Credit Union approved vendor sites to conduct Credit Union business.
- Privacy Statement
Bar-Cons Federal Credit Union realizes the importance of protecting the privacy of our members’ personal information. It is our goal to protect member information in every method of contact with members, whether it is in a branch, at one of our Automatic Teller Machines (ATM), on the telephone or on the Internet.
- Information collected automatically through our website
Bar-Cons Federal Credit Union collects information only in instances where we feel it will be of assistance in providing members with quality service. Bar-Cons FCU routinely collects information used to create summary statistics in determining ways to improve on-line services. Information collected is vital to identifying system performance and/or problematic areas. No information that identifies a member personally is automatically collected.
- Information collected through e-mails and web forms
When personally identifying information is submitted, such as e-mail correspondence containing a question or comment, we use the supplied information to fulfill or respond to request(s) as well as provide members with superior quality service. This information is also stored for reference when making improvements and/or adjustments to our website and on-line services. It should be noted that e-mail is a form of communication that is not within a secure environment. Please visit Bar-Cons FCU in person to relay any information that may contain sensitive personal information.
- Use of Information
Bar-Cons FCU will not provide, sell or share your personal information to any non-affiliated third party for independent use. We share member information only in one of the following circumstances: you authorize it; you have requested a transaction requiring it; we are reporting your information to a credit reporting agency; or we are required or permitted by law to disclose such information. Information is shared with affiliated organizations when involving products and/or services of value to members, which would otherwise not be available through the Credit Union. If a member desires such information not be made available to affiliated organizations, they are advised to contact Bar-Cons FCU to make their wishes known. Additionally, to preserve vital member information, employees of Bar-Cons FCU sign confidentiality agreements at the time of hire to maintain the secrecy of proprietary information.
Ensuring members have secure on-line banking experiences is a priority. Top-level security is achieved by protecting member privacy and confidentiality of communications to and from Bar-Cons FCU. Several security provisions are in place by our on-line banking provider, Bradford-Scott Data Corporation, to protect all sensitive data from direct access to the Internet. The following measures are employed:
- GeoTrust has issued a QuickSSL™ certificate for Bradford-Scott server security. Encryption of up to 256 bits provides a high level of security between the browser and Bradford-Scott web servers. Secure Socket Layer (SSL) Encryption provides a secure channel for data transmission across computer networks using public key cryptography.
- Two-part Password Protection to ensure even greater security.
- User Options allow account holders to change passwords and time-out periods as desired.
- SecureState is an independent firm that is employed to routinely perform external and internal scans, penetration and security testing to ensure there are no holes in Bradford-Scott’s security procedures. SecureState also reviews firewall rule sets and performs Grey Box tests on Bradford-Scott applications. The tests are performed at different intervals throughout the year.
- Compliance with an SSAE16 Audit, and an SOC Type II performed by Kirkpatrick Price.
- Member Data
- The Firewall
The firewall must always be kept up-to-date with the latest software available. The Credit Union routinely monitors for vulnerabilities in our firewall software and downloads any and all patches to resolve such vulnerabilities as soon as they are detected. If a vulnerability with the potential to compromise any sensitive data is detected and no patch is attainable to resolve an immediate threat, the Credit Union will disconnect the firewall from World Wide Web access and remain disconnected until updated software is attainable. In instances where attempted unauthorized intrusion is detected, the FBI is contacted in addition to the above countermeasures.
- Computer Virus Protection
Bar-Cons FCU acknowledges the existence of individuals who attempt to gain access to sensitive data for personal gain or attempt to destroy data files through the use of computer viruses transmitted via various means through the Internet and the World Wide Web. In response to this threat, all Credit Union computer systems routinely receive virus protection software upgrades. The virus definitions used by the software to detect viruses are routinely updated within the software.
- Vendor Management
Bar-Cons FCU contracts with outside vendors to provide maximum capabilities in meeting the growing member demand and need for e-services. Prior to contracting with these vendors, the Credit Union will require they agree to the following:
- Agreement that all member sensitive data will be used only in providing specific services. No sensitive member information may be transmitted or sold in any manner to any outside entity.
- Any sensitive data transmitted to/from members to the vendor over the World Wide Web must be done using Secure Socket Layer (SSL) connections employing the maximum available encryption (currently 128-bit military grade).
- Provisions for proper authentication methods are in place to confirm they are indeed transmitting data to/from the member and no one else. Such methods include account numbers and password combinations and digital IDs that authenticate senders and receivers of data.
- Bar-Cons FCU must be given the first opportunity to offer loans/fund on any products/services that are purchased on-line by members through the vendor.
- Periodic audits of all vendors will be conducted to ensure the above criteria are met. If a vendor fails such an audit, all e-commerce operations with said vendor will cease immediately.
- Transmission of Sensitive Data to Vendors
It may be necessary for Bar-Cons FCU to periodically transmit sensitive data to contracted vendors. The Credit Union will employ proper transmission methods that ensure the data cannot be intercepted and used for personal gain (or any other purpose) by any persons not authorized to receive the data. The credit union will employ the following methods:
- Regulatory Compliance
As directed by the Supervisory Committee, the Credit Union will conduct annual audits of all e-commerce policy and procedure to ensure compliance with any Federal and/or State statutes, regulations, and/or laws. This audit will include a review of internal policy and procedure as well.
- System Topography (not included for security reasons)
Bar-Cons Federal Credit Union
1142 N. Marr Road | Columbus, IN 47201