
Payler: PCI DSS audit passed!


Dear friends!

We continue to keep you up to date with Payler news, and we are eager to tell you about what is perhaps the most important event for us: passing the PCI DSS audit. Preparation for it took three months, and just last week the two-day audit procedure conducted by the well-known Danish company Fortconsult was completed. We are now waiting for the detailed report and the certificate, but in the meantime we would like to share our experience with you.

We will not describe all the technical details of the procedure, especially since it has been covered on Habr more than once (there is an article we liked). Instead, we will touch briefly on the particulars of our own experience.

So, as already mentioned, it all started three months ago. After we contacted Fortconsult with an application for an audit, an on-site two-day procedure began for collecting information about the Payler software product; attention was also paid to how the company's internal processes are organized. Having received a report with a list of requirements, the technical team went on developing and configuring the network infrastructure with those requirements in mind. We really liked the fact that we could consult the company's representatives on any question at any time. We understand that this is their job, since they are responsible for the quality and completeness of the assessment, but every time you encounter service of this quality it warms the soul. Incidentally, we noticed how politely and thoroughly Fortconsult handles each request, and we will demand the same from Payler's own support service.

Preparation for the final audit included both technical and legal aspects. On the legal side, a separate company has to be established, which in turn obtains the licenses for storing and processing personal data. An agreement with an officially certified auditor is then concluded on behalf of that company.

On the technical side, we had to build a secure, segmented network infrastructure, establish secure software development processes, and define how employees act in various situations, from deploying changes to servers to a compromise or failure of service components. Beyond implementing each PCI DSS requirement, we also recorded its fulfillment in the electronic documentation that was presented to the auditor during the final inspection. This saved us some time, so we recommend that everyone going through the audit document everything in writing.

Various tests and scans turned out to be an important part of passing the PCI DSS audit: ASV scans, scans for cleartext card data in logs and on server file systems, and penetration tests (internal and external). Before reporting your readiness to the auditors, you should definitely run the first two types of scans yourself. The penetration tests are carried out remotely by the auditors themselves, who provide a detailed report with a summary security score. Payler's score is high!
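The scan for cleartext card data in logs that you should run yourself before the audit, as an added example that is not Payler's or Fortconsult's code: it finds digit runs, validates them with the Luhn check and a few brand prefix ranges, and reports each finding masked so that the report itself holds no card data. The sample log lines and the IIN ranges are constructed assumptions for the demonstration.

```python
import re
# Candidate PANs: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def looks_like_card(digits):
    """IIN/length heuristics for major brands (assumed ranges); cut Luhn-valid false positives."""
    if digits[0] == "4" and len(digits) in (13, 16, 19):                 # Visa
        return True
    if len(digits) == 16 and (51 <= int(digits[:2]) <= 55
                              or 2221 <= int(digits[:4]) <= 2720):       # Mastercard
        return True
    return len(digits) == 15 and digits[:2] in ("34", "37")               # Amex

def mask(digits):
    """Keep only first six and last four digits (PCI DSS display limit) in the report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_line(line):
    """Return the masked PANs found in one log line."""
    hits = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits) and looks_like_card(digits):
            hits.append(mask(digits))
    return hits

def scan_lines(lines):
    """Scan an iterable of lines; return (line_number, masked_pan) per finding."""
    return [(n, h) for n, line in enumerate(lines, 1) for h in scan_line(line)]

# Constructed sample log lines (well-known test PANs, not real cards) standing in for a log file.
SAMPLE_LOG = [
    '2014-01-20 10:01:02 INFO  payment ok order_id=1234567890123456 amount=10.00',
    '2014-01-20 10:01:03 DEBUG request body: {"pan": "4111111111111111", "exp": "12/16"}',
    '2014-01-20 10:01:04 DEBUG raw input: 5555 5555 5555 4444',
    '2014-01-20 10:01:05 INFO  card 378282246310005 declined',
    '2014-01-20 10:01:06 INFO  typo 4111111111111112 is not a card',
]
```

Running `scan_lines(SAMPLE_LOG)` flags lines 2, 3 and 4 only; the order id and the mistyped number are dropped by the brand and Luhn filters.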

At the in-person meeting we demonstrated transactions being processed through a real bank, took the required screenshots on the servers, and provided documentation (API description, diagrams, official instructions, regulations, and so on). I would like to highlight the requirement on storing cardholder data, which must be limited to the necessary minimum. This means developing policies, procedures, and processes for storing and destroying such data. The audit also covered the workstations of employees with access to the system; incidentally, a VPN, two-factor authentication, a firewall, and antivirus are required there.

The auditor paid attention to the system development process, to secure practices and recommendations, and clarified our processes and the ways we train employees. It was noted more than once that any company passing PCI DSS should regularly monitor newly published vulnerabilities and security news. For this we created a whole section in Confluence (our wiki), and introduced a training plan and team meetings.

As a result, the audit was completed with a final bundle of logs, screenshots, and scan reports.

In total, Payler met more than two hundred product requirements grouped into 12 sections.

We coped with all of it, and we will be launching soon! We will tell you about it in the next post. Stay tuned!

With love,
Payler

Source: https://habr.com/ru/post/209722/

