Achieving compliance with the PCI data security standard

Customer: UniCreditBank

About the client

United Card Service (UCS) is the largest processing company in Russia dealing with the issuance and acquiring of credit cards from international payment systems such as VISA International, MasterCard Worldwide, Diners Club International and JCB International. The company has been one of the market leaders in the Russian market for over 30 years. As a specialized processor, UCS provides services to all issuers and merchants who depend on credit card payments.

Objectives

The PCI DSS standard was created to improve security in the credit card industry. It consists of twelve requirements and applies to all organizations that hold or process cardholder information and work with international payment systems. Compliance must be validated every year.

When the international payment systems mandated PCI DSS compliance for their clients, UCS was one of the first companies to start improving its data security arrangements to bring them in line with PCI standards.

Deviations from the standard included:

  • lack of certain data protection functions required by PCI DSS;
  • lack of some hardware needed to meet the standard;
  • inadequate documentation for data security management processes.

Jet Infosystems was hired to deliver the project as one of the few experienced integrators with the Qualified Security Assessor (QSA) status for assessing PCI DSS compliance and the Approved Scanning Vendor (ASV) status for network scanning. The company also had a history of successful cooperation with UCS on a turnkey data center project.

The project consisted of three stages: (1) an initial assessment of compliance, (2) achieving compliance by means of appropriate managerial and technical responses and (3) a certification audit.

The first stage was a preliminary review of UCS practices including the IT-system, technical processes, business processes and their interaction.

Igor Lyapunov, manager, Data Security Center, Jet Infosystems: “The review conducted at UCS was elaborate indeed. To be ready for the second stage we needed to collect an enormous amount of data, interview dozens of personnel and sort out all the information.”

This review identified several instances of non-compliance with PCI DSS; for example, changes made to the payment system could cause it to malfunction. Jet Infosystems prepared a list of recommendations and an action plan to address each of these issues.

The second stage started with the analysis of risks that were preventing the IT infrastructure from meeting some of the PCI standards. Jet Infosystems experts made several cost-effective suggestions to achieve compliance without compromising security.

At this stage Jet personnel designed and deployed a number of integrated managerial and technical solutions to protect cardholder information. They prepared all the supporting documentation, and introduced PCI DSS-compliant processes for risk, incident and vulnerability management. Technical solutions deployed according to PCI DSS or as compensatory measures included:

  • an intrusion detection system;
  • an end-to-end security event monitoring system;
  • an integrity control system covering every stage of data processing;
  • network segmentation;
  • an incident management process.

The issue of access to network resources and cardholder data was treated with special care.

Much work had to be done on “live” equipment, without stopping even individual components, since processing center operations cannot be interrupted.

Notes Dmitriy Sidorov, manager, IT Directorate, UCS: “We were using a safe approach whereby a new process was introduced in parallel with the old one. Only when both processes produced identical outcomes was the old one replaced. This scheme worked without any major failures.”

Whenever a project affects routine business processes, outreach to personnel, particularly by top management, is critical. UCS executives took an active part in the project, which helped boost team spirit and ensured a smooth transition to the new procedures.

The third stage of the project, i.e. the independent audit for compliance with PCI DSS, was performed by a separate team of certified Jet Infosystems specialists. The auditors distributed questionnaires, conducted interviews, checked the company’s internal documents and the settings of data security systems. The audit established that the UCS processing center was compliant with PCI DSS standards.

The audit report was sent to VISA and Mastercard experts who subsequently confirmed UCS’s compliance with PCI DSS.

UCS was one of the first companies in Russia to be issued a certificate of full compliance with PCI DSS 1.2, the most recent version of the international standard. Now UCS meets the increasing expectations of its customers and can freely operate in the Western market.

Moreover, in many areas PCI data security standards overlap with the mandatory requirements imposed on all organizations dealing with personal data by the Central Bank of Russia and the federal Personal Data Act. This means some of the technical and managerial solutions – apart from providing true cardholder data security – also help meet the Russian federal and central bank standards.

Dmitriy Sidorov, manager, IT Directorate, UCS: “The certificate of compliance with PCI DSS confirms the high level of personal data security in our company. Such compliance is a major advantage for UCS and, more importantly, our clients including many large banks. UCS stands ready to serve them at every stage of development. For instance, absolute confidence in the security of our processing system makes us capable of outsourcing bank account databases. Jet Infosystems specialists have helped us achieve compliance with a key international standard. We would recommend them to any company as top professionals.”
