DSS Compliance Measures

Learn AI LLC (“the Company”) is committed to safeguarding cardholder data and ensuring that all payment transactions comply with the Payment Card Industry Data Security Standard (“PCI DSS”). In furtherance of this commitment, the Company hereby adopts and implements the following measures:

  1. Scope and Applicability.
    The Company shall ensure that any system, network, or process that stores, processes, or transmits payment card information is subject to PCI DSS requirements. The cardholder data environment (“CDE”) shall comprise those systems directly involved in handling cardholder data, together with any system component that is connected to the CDE or that could affect its security, and the Company shall document and annually confirm the scope of its assessment. The Company shall rely on third-party payment processors that are demonstrably PCI DSS compliant for all payment transactions; such reliance reduces, but does not eliminate, the Company’s own PCI DSS obligations for the systems and processes that remain in scope.

  2. Data Encryption and Transmission.
    All cardholder data transmitted over public or untrusted networks shall be encrypted using robust cryptographic protocols (e.g., TLS 1.2 or higher); SSL and early TLS shall not be used. Cryptographic keys shall be managed in accordance with documented key-management procedures, with generation, distribution, storage, rotation, and retirement of keys restricted to authorized personnel in accordance with best practices and applicable industry standards.

  3. Data Storage and Protection.
    The Company shall not store sensitive authentication data (e.g., full magnetic stripe data, CVV/CVC codes, PIN blocks) after authorization, even in encrypted form. Any primary account number (“PAN”) that is stored shall be rendered unreadable wherever it is stored, using one or more of the methods permitted by PCI DSS (strong encryption, truncation, one-way hashing, or tokenization), and shall be subject to strict access controls. Data storage practices, including the data retention and disposal schedule, shall be reviewed periodically to ensure compliance with PCI DSS mandates.

  4. Network Security and Vulnerability Management.
    The Company shall maintain a secure network architecture, including the implementation of firewalls, intrusion detection systems, and other protective technologies to safeguard systems that handle cardholder data. Internal and external vulnerability scans shall be conducted at least quarterly and after any significant change, with external scans performed by an Approved Scanning Vendor (“ASV”), and penetration testing shall be conducted at least annually and after any significant change, in accordance with PCI DSS guidelines. Remedial actions shall be promptly implemented upon identification of any vulnerabilities, and rescans shall be performed to confirm that the remediation was effective.

  5. Access Control Measures.
    Access to systems and data containing cardholder information shall be restricted solely to personnel with a legitimate business need, in accordance with the principle of least privilege. The Company shall enforce strong authentication measures, including multi-factor authentication where applicable, and shall regularly review and update access rights.

  6. Monitoring and Logging.
    The Company shall maintain comprehensive logging and monitoring mechanisms to track access to and usage of cardholder data, including all individual access to cardholder data and all actions taken by administrative users. Logs shall be protected from unauthorized modification, reviewed regularly, and retained for at least twelve months, with a minimum of three months immediately available for analysis, as required by PCI DSS, thereby enabling the prompt detection and investigation of any suspicious activity or potential security incidents.

  7. Incident Response.
    An incident response plan shall be established and maintained to address any breaches or suspected compromises involving cardholder data. This plan shall include procedures for the timely notification of affected parties, containment and remediation of the incident, and post-incident analysis to prevent recurrence.

  8. Training and Awareness.
    All personnel with access to payment card data or who are involved in processing payment transactions shall receive periodic training on PCI DSS requirements, data protection practices, and the Company’s security policies. This training is intended to ensure that employees are fully aware of their obligations to protect sensitive cardholder information.

  9. Third-Party Service Provider Compliance.
    The Company shall ensure that any third-party service providers engaged in processing, storing, or transmitting cardholder data on its behalf are contractually obligated to adhere to PCI DSS requirements. Such providers shall furnish evidence of their compliance status upon request and on an ongoing basis.

  10. Ongoing Compliance and Auditing.
    The Company shall conduct periodic internal audits and reviews of its PCI DSS compliance measures to verify that all policies, procedures, and technical controls remain effective and current. The Company shall also engage external auditors as required to validate its compliance posture and address any non-compliance issues in a timely manner.