Payler: PCI DSS Certification Update Updated to Version 3.0 - DONE

Dear friends,

We at Payler pay special attention to the protection of cardholder data. Even before the new year, we outlined our plans for updating the PCI DSS security certification to version 3.0 , because we understood that in the near future, the current version 2.0 will become obsolete and will no longer meet the ever-increasing security requirements.
')
We have passed the PCI DSS version 3.0 audit and we hasten to tell you how it was. But first, note the key changes in the security process that distinguish version 3.0:

• Version 3.0 prohibits the storage of critical authentication data after authorization in any, even encrypted form;
• Added the need to identify and account for all system components covered by the PCI DSS standard;
• The list of public networks has been expanded;
• A requirement has been added to periodically check all operating systems, not just “attack-prone”, as it was before;
• Added new requirement to counter the cracking authentication mechanism;
• A new term “change detection mechanism” has been introduced, designed to capture all unauthorized changes to critical system files;
• From June 30, 2015, it will become necessary to introduce a penetration testing methodology, and the testing itself, among other things, should now evaluate the effectiveness of segmentation.

In addition, version 3.0 marks the transition from passwords to identification phrases - more complex and reliable.

How it was

Like last time, the audit was conducted by the Danish company Fortconsult . In fact, the whole process is divided into two unequal parts: multi-stage preparation and, in fact, a certification audit. The second part - certification - took three working days, during which the auditor worked together with our technical director in our office.

Even before the meeting with the auditor, we did a lot of preparatory work - we went through all the procedures for identifying information system vulnerabilities, conducted a penetration test, collected and structured the necessary documentation, etc. By the way, this audit really felt some tightening of the requirements for storing data about cardholders and for the separation of powers and access rights to this data, which can be expressed in two lines:

If you can not store DDC - do not store,
If you can not share access - do not share.

Now it's up to the small - wait for the certificate.

Despite the rather large amount of work done, we are pleased with the results and the process of the audit itself. And yet: not at all by the way, but nonetheless. On the eve of April 1 - when the hysteria about the future of Visa in Russia reached its apogee - we found that all our acquiring banks are connected to the NSPK. This means that the problems and interruptions - whatever they may be - will not affect our merchants.

Stay tuned!

With love,
Payler

Join us on Facebook