ZENIT bank data security system brought into compliance with PCI DSS

Customer: ZENIT bank

ZENIT bank was founded in December 1994 by the Academy of National Economy, the oil company Tatneft and several other corporations. The bank largely focuses on corporate and investment services. A member of the Council of the Association of Russian Banks, ZENIT is making a major contribution to the ongoing reform of the country’s banking system.

Objective

In operating its own card processing center, ZENIT pays special attention to data security management. In particular, card processing for cardholders and partner banks must comply with data security requirements imposed by international payment systems including the PCI DSS standard.

The bank wanted the contractor to develop and introduce a data security management system that would satisfy PCI DSS. Institutions that deal with the processing and storage of cardholder information and work with international payment systems must be recertified for compliance with this standard every year.

The installation of the new system was expected to have a minimal impact on business continuity. Indeed, the bank’s card processing center operates on a 24x7 basis and conducts transactions all over the world. Any disruption in these transactions would mean frustration for clients and a possible blow to the bank’s image.

“This sophisticated project was aimed at achieving compliance with PCI DSS as well as with domestic data security regulations,” comments Evgeniy Rudatskiy, PCI DSS manager at Jet Infosystems. “However, meeting PCI DSS was a priority because of tight deadlines set by international payment systems.”

The project was contracted to Jet Infosystems, an experienced systems integrator that holds both Qualified Security Assessor (QSA) and Approved Scanning Vendor (ASV) status, which authorize it to audit data security systems and to certify them as compliant with PCI DSS.

Solution

The project included three stages: (1) a complete review for compliance with PCI DSS as well as Russian federal law and Central Bank data security regulations, (2) identification of flaws and introduction of security controls, and (3) independent certification.

At the second and largest stage of the project Jet Infosystems implemented a number of procedures and installed several systems to achieve compliance with the standard, namely:

  • a database use monitoring system;
  • a system to analyze and respond to data security events;
  • policies and manuals;
  • a major upgrade to the intrusion detection system;
  • an upgrade to the network interaction control system;
  • a system to search for vulnerabilities and manage changes in the IT infrastructure.

The suggested solution relied on the installation of new systems as well as upgrades to existing ones.

“ZENIT management’s involvement in the project has contributed to its fast implementation with hardly any disruptions in business processes,” comments Evgeniy Rudatskiy.

Once the second stage was over, Jet Infosystems performed vulnerability scanning and penetration testing to check whether the system could be compromised.

At the final stage a special team of Jet Infosystems engineers conducted an audit of data security systems and issued a certificate of their compliance with PCI DSS.

Outcome

The endorsement of the audit report by international payment systems testifies to the high quality of the joint work.

“New procedures and systems ensure compliance with PCI DSS, which essentially means true data security,” adds Mr. Rudatskiy. “We are also planning to continue the project in order to meet the requirements of Russian federal law and Central Bank data security regulations.”
