§ 501.14Postage Evidencing System inventory control processes.
(a) Each authorized provider of Postage Evidencing Systems must permanently hold title to all Postage Evidencing Systems that it manufactures or distributes, except those purchased by the Postal Service or distributed outside the United States.
(b) An authorized provider must maintain sufficient facilities for and records of the business relationship, distribution, control, storage, maintenance, repair, replacement, and destruction or disposal of all Postage Evidencing Systems and their components to enable accurate accounting and location thereof throughout the entire life cycle of each Postage Evidencing System. A complete record shall entail a list by serial number of all Postage Evidencing Systems manufactured or distributed showing all movements of each system from the time that it is produced until it is scrapped, and the reading of the ascending register each time the system is checked into or out of service. These records must be available for inspection by Postal Service officials at any time during business hours.
(c) To ensure adequate control over Postage Evidencing Systems, plans for the following subjects must be submitted for prior approval, in writing, to the office of Payment Technology.
(1)Service procedures for all Postage Evidencing Systems—these are procedures to address the process to be used for new Postage Evidencing Systems as well as those previously leased to another customer.
(2)Transportation and storage of Postage Evidencing Systems—these are procedures that provide reasonable precautions to prevent use by unauthorized individuals. Providers must ship all postage meters by Postal Service Registered Mail® service unless given written permission by the Postal Service to use another carrier. The provider must demonstrate that the alternative delivery carrier employs security procedures equivalent to those for Registered Mail service.
(3)Postage Evidencing System examination/inspection procedures and schedule—the provider is required to perform postage meter examinations or inspections based on an approved schedule. Failure to complete the postage meter examination or inspections by the due date may result in the Postal Service requiring the provider to disable the meter's resetting capability. If necessary, the Postal Service shall notify the customer that the postage meter is to be removed from service and the authorization to use a Postage Evidencing System revoked, following the procedures for revocation specified by regulation. The Postal Service shall notify the provider to remove the postage meter from the customer's location.
(4)Out-of-service procedures for a nonfaulty Postage Evidencing System—these procedures must be used when the system is to be removed from service for any reason.
(5)Postage Evidencing System repair process—any physical or electronic access to the internal components of a postage meter, as well as any access to software or security parameters, must be conducted within an approved facility under the provider's direct control and active supervision. To prevent unauthorized use, the provider or any third party acting on its behalf must keep secure any equipment or other component that can be used to open or access the internal, electronic, or secure components of a postage meter.
(6)Handling procedures for faulty meters—the provider must maintain handling procedures for faulty meters, including those that are inoperable, mis-registering, have unreadable registers, inaccurately reflect their current status, show any evidence of possible tampering or abuse, and those for which there is any indication that the postage meter has some mechanical or electrical malfunction of any critical security component, such as any component the improper operation of which could adversely affect Postal Service revenues, or of any memory component, or that affects the accuracy of the registers or the accuracy of the value printed.
(7)Lost or stolen postage meter procedures—the provider must promptly report to the Postal Service the loss or theft of any postage meter or the recovery of any lost or stolen postage meter. Such notification to the Postal Service will be made by completing and filing a standardized lost and stolen meter incident report within 10 calendar days of the provider's determination of a meter loss, theft, or recovery.
(8)Postage meter destruction—when required, the postage meter must be rendered completely inoperable by the destruction process and associated postage; printing dies and components must be destroyed. Manufacturers or distributors of meters must submit the proposed destruction method; a schedule listing the postage meters to be destroyed, by serial number and model; and the proposed time and place of destruction to Payment Technology for approval prior to any meter destruction. Providers must record and retain the serial numbers of the meters to be destroyed and provide a list of such serial numbers in electronic form in accordance with Postal Service requirements for meter accounting and tracking systems. Providers must give sufficient advance notice of the destruction to allow Payment Technology to schedule observation by its designated representative who shall verify that the destruction is performed in accordance with a Postal Service-approved method or process. To the extent that the Postal Service elects not to observe a particular destruction, the provider must submit a certification of destruction, including the serial number(s), to the Postal Service within 5 calendar days of destruction. These requirements for meter destruction apply to all postage meters, Postage Evidencing Systems, and postal security devices included as a component of a Postage Evidencing System.
(d) If the provider uses a third party to perform functions that may have an impact upon a Postage Evidencing System (especially its security), including, but not limited to, business relationships, repair, maintenance, and disposal of Postage Evidencing Systems, Payment Technology must be advised in advance of all aspects of the relationship, as they relate to the custody and control of Postage Evidencing Systems and must specifically authorize in writing the proposed arrangement between the parties.
(1) Postal Service authorization of a third-party relationship to perform specific functions applies only to the functions stated in the written authorization but may be amended to embrace additional functions.
(2) No third-party relationship shall compromise the Postage Evidencing System, or its components, including, but not limited to, the hardware, software, communications, and security components, or of any security-related system with which it interfaces, including, but not limited to, the resetting system, reporting systems, and Postal Service support systems. The functions of the third party with respect to a Postage Evidencing System, its components, and the systems with which it interfaces are subject to the same scrutiny as the equivalent functions of the provider.
(3) Any authorized third party must keep adequate facilities for and records of Postage Evidencing Systems and their components in accordance with paragraph (b) of this section. All such facilities and records are subject to inspection by Postal Service representatives, insofar as they are used to distribute, control, store, maintain, repair, replace, destroy, or dispose of Postage Evidencing Systems.
(4) The provider must ensure that any party acting on its behalf in any of the functions described in paragraph (b) of this section maintains adequate facilities, records, and procedures for the security of the Postage Evidencing Systems. Deficiencies in the operations of a third party relating to the custody and control of Postage Evidencing Systems, unless corrected in a timely manner, can place at risk a provider's approval to manufacture and/or distribute Postage Evidencing Systems.
(5) The Postal Service reserves the right to review all aspects of any relationship if it appears that the relationship poses a threat to Postage Evidencing System security and may require the provider to take appropriate corrective action. By entering into any relationship under this section, the provider is not relieved of any responsibility to the Postal Service, and such must be stated in any memorialization of the relationship.