Information Security Requirements

Last Updated: October 2022

CSG’s security program is compliant with all legal and industry mandated information security requirements. CSG abides by all laws, regulations, and industry-mandated information security standards applicable to its duties and obligations related to information security for products and services provided by CSG.

CSG maintains a comprehensive security program based on ISO/IEC 27001, under which CSG implements and maintains appropriate physical, administrative, and technical safeguards designed to protect the confidentiality, integrity, availability, and security of the Service and customer PII (as defined below) (the “Security Program”).

CSG’s Security Program is subject to technical progress and development. CSG may update and modify its Security Program from time to time; however, those updates and modifications will not degrade or diminish the overall security of the Services.


1. CSG’s Audits & Certifications

  • CSG follows industry best practices with regards to Security. Please refer to MyCSG for details regarding the certifications obtained by CSG.

  • Information related to CSG-identified controls for which the customer is responsible in connection with Payment Card Industry Data Security Standard (PCI-DSS) and Health Insurance Portability and Accountability Act (HIPAA) is available upon written request by the customer.

  • The customer is responsible for performing an independent assessment of their responsibilities.


2. Security of Consumer Information

  • CSG has implemented and maintains a Security Program that includes appropriate administrative, technical, and physical safeguards reasonably designed to:

    • ensure the security and confidentiality of customer PII,

    • protect against any anticipated threats or hazards to the security or integrity of customer PII; and

    • protect against unauthorized access to or use of customer PII that could result in substantial harm or inconvenience to any consumer; and

    • dispose of customer PII in a secure manner.

  • CSG stores and maintain customer PII collected or obtained by CSG in a secure environment and transmitted by CSG in a secure form that meets industry-mandated data security standards.

  • To comply with obligations described Section 2.1, CSG has designated an employee or employees to coordinate its Security Program.  Further, CSG will:

    • Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer PII that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks.  At a minimum, such risk assessment will include consideration of risks in each relevant area of CSG operations, including:

      • Employee training and management;

      • Information systems, including network and software design, as well as information processing, storage, transmission, and disposal; and

      • Detecting, preventing, and responding to attacks, intrusions, or other systems failures, which will include the use of commercially reasonable efforts to establish procedures and logging mechanisms for systems and networks that will allow tracking and analysis in the event there is a compromise, and maintain an audit trail history for at least three (3) months for review by the customer.

    • Design and implement information safeguards to control the risks identified through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures;

    • Use commercially reasonable efforts to ensure data security when disposing of any customer PII; and

    • Upon written request from the customer and subject the customer’s confidentiality obligation(s) to CSG, CSG will provide the customer with a written summary of its Security Program.


3. Annual Assessment of Adherence to Security Standards

  • Upon the customer’s request, CSG will provide the customer with executive summaries from completed assessment reports and certifications to validate CSG’s compliance with the Information Security Requirements as described in Section 1.