Security Practices & Policies

CSAware vendors accepting online EBT payments will be required by FNS to include security practices and policies in their CSAware store policies page. Note that this page is editable by navigating to: Home / Settings / Edit HTML Blocks / Policies

Overview of FNS Requirements:

FNS expects that the policy section of your website will explain to the customer, in easily understood language, the precautions that the website has taken to secure customer data and the site’s liability should there be a breach that results in customer loss.

FNS further expects all pilot participants to accept responsibility for any monetary loss or other damage to EBT customers that results from employee or subcontractor fraud, or external hacking resulting from  failure to adequately secure the website and databases under the  control of the retailer or any subcontractor. FNS requires applicants to agree that, if selected, they will replace all SNAP benefits that are stolen as a result of such breaches.

FNS expects that each applicant website will have published privacy policies with a clearly identified, easy to find link from the home page.  This must meet the requirements described here, and describe any exceptions  for data use or sharing (which might include such reasons as fraud protection and credit risk reduction, purchase of the company and its assets, or compliance with law, e.g., by subpoena).

The policy should  describe exactly how the website itself will or will not use information about individual customers, and with whom the data is and is not  shared. Applicants must provide a copy of or link to the website’s  privacy practices and policies for FNS review.

Applicants must identify whether they use cookies, and if so, whether they:

  • Retain PII data
  • Can be easily deleted or avoided
  • No PII data may be recorded by the retailer on any user access devices. This is intended as a protection for customers who use public computers.

CSAware vendors may include and/or refer to the following language in their store policies:

CSAware Payment Systems Security Policy:

  1. Our website adheres to the Payment Card Industry Data Security Standard (PCI DSS) to ensure that all customer payment card information is kept secure.
  2. We maintain PCI certification, validated with quarterly scans by our vendors.
  3. All application traffic via public or private networks, including that containing cardholder information, is always encrypted while in transit using strong cryptography.
  4. All processing of cardholder data, with the exception of the payment page, is entirely outsourced to the and Forage Inc, as PCI DSS validated third-party payment processors;
  5. We do not store cardholder data, but outsource our eCommerce website hosting, including the payment page, to LocalHarvest, Inc, which just controls how cardholder data gets redirected to the PCI DSS validated third-party payment gateways;
  6. All third parties handling storage, processing, and/or transmission of cardholder data are PCI DSS compliant;
  7. Cardholder data is never retained in any of our systems or processes.
  8. Our site never compromises, sells, rents, or gives away personal information such as name, address, or email address to any third party without authorization.

User Authentication:

  1. We use strong user authentication methods and encryption to ensure that only authorized individuals have access to sensitive data. This includes requiring strong passwords, implementing two-factor authentication, and limiting access to sensitive data on a need-to-know basis.


  1. We use cookies for session authentication and cart  persistence across sessions. None of these cookies retains any personally identifiable information (PII.) 
  2. We also use cookies provided by the following trusted third parties: Google Analytics: used for traffic analysis and conversion tracking. Facebook: used for traffic analysis, ‘likes’, and conversion tracking.


  1. Our web application vendor (LocalHarvest) backs up all data on a daily basis, and RDBMS data on a real-time basis, to protect against data loss in the event of a security breach or other unforeseen circumstances.

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request


Article is closed for comments.