PCI DSS Certification

Information security is something we take very seriously, and we know our clients do too. This is why we are proud to announce that we are now PCI DSS v3.0 certified.

This is great news, especially for our clients working with electronic payment systems and bank cards: finance and banking sector representatives, online marketplaces, etc.

In this article, we’ll talk about what exactly PCI DSS is and what advantages this certification gives our clients and partners.

PCI DSS: General Overview

PCI DSS stands for Payment Card Industry Data Security Standard. It is a document that defines the security requirements for service providers and merchants handling payment cards. The first version of the standard was published in January 2005. Today, the standard is already in its third version. It contains 241 requirements divided into 12 sections.

  1. Protection of computing networks.
  2. Configuration of IT infrastructure components.
  3. Protection of stored cardholder data.
  4. Protection of cardholder data transferred over a network.
  5. Protection of IT infrastructure from viruses.
  6. Development and maintenance of information systems.
  7. Managed access to cardholder data.
  8. Authentication mechanisms.
  9. Physical protection of IT infrastructure.
  10. Record-keeping of events and activities.
  11. Monitoring security of IT infrastructure.
  12. Information security management.

Issues regarding the implementation and application of the PCI DSS are handled by a special organization called the PCI SSC (Payment Card Industry Security Standards Council). The council was created in 2006 by the collective decision of the five major payment brands: Visa, MasterCard, American Express, JCB, and Discover.

The PCI SSC also developed the following documents:

  • PCI PA DSS (Payment Card Industry Payment Application Data Security Standard) – defines the requirements for applications that process cardholder personal data and the processing procedure;
  • PCI PTS (Payment Card Industry PIN Transaction Security) – contains requirements for devices that process payment card PIN codes (POS terminals, encrypting PIN pads, security devices).

PCI DSS is intended for organizations whose IT infrastructure processes or transfers payment card data. It also applies to companies whose processes involve cardholder personal data. These companies include data centers that may host equipment for payment systems, ecommerce companies, etc.

Implementing PCI DSS: Main Stages

According to the official documentation, the PCI DSS implementation process is divided into the following stages:

  • analysis of compliance;
  • raising compliance to meet requirements;
  • verifying compliance;
  • maintaining compliance.

Let’s take a closer look at this process. To assess compliance, an audit is performed. It’s conducted by a third-party organization that has received special certification from the PCI SSC. We invited the German company SRC Security Research and Consulting GmbH to perform the audit.
The audit includes interviews with the inviting company’s employees, an inspection of information systems, and an inspection and analysis of internal normative documentation. The results of this stage determine the level of compliance of the inviting company’s IT infrastructure with PCI DSS requirements.
Once the level of compliance has been determined and all necessary information has been collected, recommendations for implementing PCI DSS are made.
Changes are made to the infrastructure based on these recommendations: equipment is upgraded, software is modified, data protection systems are introduced, and the necessary documentation is written up.

A specialized audit is carried out at the next stage. If the company passes the audit, a Compliance Report is written up. The inviting company fills out a Self-Assessment Questionnaire (SAQ), which relates to the particulars of how the company processes card data.

The certification process isn’t over after the necessary documents have been received, though. Compliance must be regularly checked. Service providers (including data centers) must fill out a Self-Assessment Questionnaire once annually and perform an ASV scan (an automated inspection of all the information structure’s Internet connection points for vulnerabilities) once quarterly.

PCI DSS: What We’ve Done

Our data centers have been certified at the physical security level. In terms of the PCI DSS certificate, we have satisfied requirements 9, 11 (in part), and 12. Let’s take a closer look at these requirements.

Section 9: Physical Protection of IT Infrastructure

Our data centers are guarded 24/7/365. All of our data centers are equipped with security systems to prevent unsanctioned access to both the building and server areas. Armed guards are stationed at the building entryway. For extreme situations, a remote alarm switch has been provided.

PCI DSS assumes strict access control to the premises. Personnel and third-party representatives may only access the data center using magnetic (proximity) cards. Employees are issued their cards by the chief security officer. Third-party representatives must make arrangements in advance and provide proper identification.
Data center access may also be arranged for certain clients (whose equipment is installed in our data centers) and contractors (representatives of maintenance companies performing work on the premises). We are particular about identifying visitors: all full-time employees, clients, and visitors are provided identification badges. Information on every visitor is recorded in a log and kept for no less than six months.

Video surveillance is conducted around the clock on the premises of every data center. Cameras are installed in all server, technical, and office areas. Recordings from each camera are analyzed by employees who have passed special IT security training. In accordance with our internal regulations, all surveillance camera data and recordings are saved for six months.

Section 11: Monitoring Security of IT Infrastructure

Electronic payment transactions and cardholders’ personal data should be processed on a secure IT infrastructure.
We only partially fulfill the requirements of section 11, but the measures we implement are more than enough to reliably protect cardholder data and minimize vulnerability when transferring it over the network.

We regularly scan our network for unauthorized access points. We perform all scans ourselves.

Section 12: Information Security Management

By information security policies, we mean the rights, procedures, methods, and principles in the field of information security that the company observes and implements in all its activities.
All of the necessary documentation on information security has been developed and implemented in our company and is kept up-to-date.

Conclusion

PCI DSS compliance certification verifies that we strive to maintain a high level of security for our clients.
By renting or hosting equipment in a certified data center, our clients get not only a high level of security, but also a reputational advantage that instills a high level of confidence in their own clients and partners.

Achieving full PCI DSS compliance is a long and complicated task, and we still have a long road ahead of us. We will certainly write about all the latest developments in our blog.