Simple PCI – from burden to benefit

Facts

Level 1 is the most stringent of the PCI-DSS compliance levels within the payment card industry’s security standards for credit card data; it requires an annual on-site assessment by a Qualified Security Assessor (QSA).
Because we maintain strict PCI-DSS compliance, we reduce our customers’ overhead by removing the time, cost and risk associated with achieving independent PCI-compliant status.

Loss of highly confidential card data results in reputational and financial damage. The Payment Card Industry Data Security Standard (PCI-DSS) applies to every party that stores, processes or transmits cardholder data.
Because our payment interfaces keep card data out of your own systems, our clients are PCI-DSS-compliant from the moment they use our services.

To spare merchants complex and cost-intensive compliance work, we keep you informed of relevant changes to the standard and offer payment interfaces that make a PCI-DSS certification of your own unnecessary while providing the highest available degree of security.

Benefits

  • You are PCI-DSS-compliant from day one
  • No compliance issues with credit card payments
  • No extra effort for secure transactions with credit card payments
  • You can focus on your business
  • You save up to €300,000 per year on PCI compliance
  • Highest-available degree of security

Compliance core processes

  • System and security engineers are on duty 24/7 to react immediately to any kind of service or security event
  • The processing system is located in PCI-compliant data centres with video surveillance and access control by badge, PIN code and hand/palm scanner
  • Implementation of an incident response plan, which describes procedures to be taken in the event of a security or data breach

Compliance core principles

  • The ‘four-eyes principle’ is enforced throughout the company, including in the development and operations departments
  • Cross-department workflows to ensure ‘four-eyes principle’ is implemented
  • Need-to-know principle, in which all information is kept confidential
  • Separation of operations and development to enforce the need-to-know principle and strict security: for example, developers have no access to any live system, nor do they know any of the passwords used in the production environment
  • Ongoing, company-wide security-awareness training
  • Daily, ongoing processes like log-file monitoring, security and audit-logging reviews
  • Regular security assessments and penetration tests by certified security engineers
  • Standardised cross-department system-change-management processes

Technical compliance

  • Redundant, multilayer external and internal firewalls
  • Redundant Web application firewalls
  • More than 25 security-monitoring servers in the production environment
  • Passwords are stored only as one-way hashes; the plaintext cannot be recovered from what is stored
  • Instant notification of alerts via SMS and email to all operations members
  • Segregation of duties (need-to-know principle)
  • Multiple internal networks to segregate system components according to security levels
  • Active–active load-balancer setup to optimise system performance and reliability
  • Encrypted communication channels (VPN, TLS, etc.) between data centres; SSLv3 and early TLS are no longer permitted by PCI-DSS
  • DDoS mitigation solution to automatically detect and mitigate DDoS attacks on the payment system
  • Encrypted storage of sensitive information such as credit card numbers – encrypted, secure and verified backups
  • Network intrusion detection systems (NIDS) at every network perimeter to detect malicious traffic between system components
  • Host intrusion detection systems (HIDS) on every server node, for example to detect file manipulation and unauthorised access attempts
  • Real-time antivirus scanning on all APIs
  • System components are always kept secure and up to date by means of regular system maintenance (security updates and patches) without downtime or impact on customers
  • One functionality per server – decentralization of services to maximize security and transparency
  • Internal security specialists (TISP, OPST etc.) to validate all system changes
  • Real-time security monitoring, weekly internal and external security scans and penetration tests to ensure maximum security
  • OWASP security training for developers to enforce secure programming based on standards set by security engineers around the world
  • Pair programming to ensure high-quality application source code
  • Every single line of source code is verified by a second engineer before it is applied to the system
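The statement that passwords are “one-way encrypted” means they are hashed with a salted, deliberately slow key-derivation function, so that even an operator holding the database cannot recover the plaintext. The following is an added illustration of that control, not code from this provider; the scrypt parameters, the storage format and the sample password are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters: assumed values for this example, not the provider's.
# N=2**14, r=8 uses about 16 MiB of memory per hash; raise N as hardware allows.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_LEN = 16   # bytes of random salt per password
KEY_LEN = 32    # bytes of derived hash


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted one-way hash of `password`.

    Returns a self-describing string (assumed format for this example):
    scrypt$N$r$p$<salt hex>$<hash hex>.  A fresh random salt is drawn when
    none is supplied, so hashing the same password twice yields different
    strings and precomputed tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against a stored hash.

    The salt and cost parameters are read back from the stored string, the
    candidate password is hashed the same way, and the two digests are
    compared in constant time.  Nothing here can turn `stored` back into
    the original password.  Malformed records are rejected rather than
    raising, so a corrupted row cannot become an exception path.
    """
    try:
        scheme, n, r, p, salt_hex, hash_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(
            password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
            n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2,
        )
    except (ValueError, TypeError):
        return False
    # hmac.compare_digest avoids leaking where the digests first differ.
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    # Constructed sample; no real credential.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

The stored string carries its own parameters, so the cost can be raised later and old records rehashed on the user’s next successful login without a migration; a fast hash such as unsalted SHA-256 would satisfy “one-way” on paper but not resist offline guessing.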
