Complementary User Entity Controls
for PCI Customers

As a part of Balto’s PCI-DSS controls, Client must implement and take responsibility for Complementary User Entity Controls (“CUECs”) to ensure that such controls are operating effectively. For Balto to meet its control objectives, Client is required to appropriately implement the required CUECs:

  1. Client must be in compliance with PCI-DSS and have a current Report on Compliance (RoC) or Attestation of Compliance (AoC) as verification of its organizational controls. Client must additionally inform Balto if its PCI-DSS certification lapses. 
  2. Client must ensure that each end user has a unique ID.
  3. Client must ensure that user IDs are expressly prohibited from being shared between users. 
  4. Client must ensure that a timeout mechanism exists which requires re-authentication to the Service or application level after 15 minutes of inactivity. 
  5. Client must ensure that physical and/or logical controls such as individual logins to workstations are in place prior to initializing the Service application.
  6. Client must have a process in place to inform Balto when an end user changes job roles or leaves Client and no longer requires access to the Service application.
  7. Client must have a process in place to inform Balto when Client believes an ID has been compromised.
  8. Client must protect the organizational token used to install the Service application only on computers where required.
  9. Client must promptly inform Balto regarding any malicious or suspicious activity, compromise, or incident which could affect the security of Balto’s network.