PCI DSS: Trends and Benefits
We recently surveyed fifty significant players in the electronic payment market in Russia and Kazakhstan. The largest payment systems told us what they gain from PCI DSS certification.
The PCI DSS standard was developed by the Payment Card Industry Security Standards Council. It defines security requirements for organizations that store, process or transmit payment card data.
In total, the standard contains 12 requirements, grouped into six categories:
Build and maintain a secure network
- Protecting the computer network and configuring firewalls;
- Changing the default settings of network equipment and systems;
Protect cardholder data
- Protecting stored cardholder data;
- Protecting and encrypting cardholder data in transit;
Maintain a vulnerability management program
- Installing and regularly updating antivirus software;
- Developing and maintaining secure systems and applications;
Implement strong access control measures
- Restricting access to cardholder data;
- Implementing authentication mechanisms;
- Restricting physical access to the information infrastructure;
Regularly monitor and test networks
- Logging events and actions;
- Regularly testing information security systems;
Information security management
- Maintaining an information security policy.
In total, the standard requires passing about 440 verification procedures.
Benefits of PCI DSS
The benefits of PCI DSS certification fall into two categories: reputational and technological. From a technological point of view, PCI DSS acts as a guarantor of the safety of customer data and of the service's resilience to external threats such as malware and DDoS attacks.
Moreover, protection against attempts by cybercriminals to steal card data helps to avoid the losses and fines that follow such theft.
“Over the past two years, the number of attempts by hackers to crack the data of our customers has increased, and working in full compliance with the requirements of the certificate helps to reduce the intensity of the headache,” notes Dmitry Popov, Commercial Director, IntellectMoney. “Plus, users who see the PCI DSS mark on our page show a large conversion of successful payments.”
There is also a reputational component. When a person who is far from cyber security sees the PCI DSS icon, they perceive it as an additional level of protection (much like a valid SSL certificate). The certificate thus becomes one more argument for persuading potential customers to enter the conversion funnel.
Passing a PCI DSS compliance audit tells the company's customers that card data is genuinely well protected. In addition, PCI DSS structures the knowledge and the criteria that information security officers need to work towards.
Compliance with this standard is therefore not just a formal procedure but a matter of securing the processing and transfer of customer data through payment instruments. Adopting PCI DSS lets a company join the best international practices, streamline business processes and improve its reputation, and this often opens the way to new markets.
PCI DSS Hosting
A PCI DSS compliance audit is conducted initially and then repeated annually. Some companies run into difficulties during the initial preparation, so they bring in certified consultants to help develop documentation and design the architecture (more details about the certification process can be found in our blog).
Participants in the electronic payment market agree that adopting the PCI DSS standard is a laborious task that takes time and money, so to ease the certification process most companies use suppliers who take on part of the standard's requirements. According to our survey, 77% of electronic payment market participants use the services of certified suppliers.
Transferring part of the responsibility for implementing PCI DSS requirements to an external company greatly simplifies the work. The most common such service in Russia at the moment is physical placement, or colocation, in which the company rents racks or individual units in a certified data center.
At the same time, there is a trend towards a gradual transition from physical placement to higher levels of responsibility transfer, namely rented server infrastructure (IaaS).
“Using certified suppliers with the necessary expertise and a guaranteed resource makes life much easier. The more resource-intensive tasks you can give to a reliable partner, an expert in your field, the better,” says Dmitry Telenov, technical director of InPlat.
A higher level of outsourcing is so-called managed services, or MSP services (Managed Service Provider), in which the supplier provides its customers not only with rented equipment or virtual infrastructure in the IaaS model, but also with administration carried out in accordance with the requirements of the PCI DSS standard.
“Using the services of a certified provider greatly facilitates the audit. My position is this: everything that can be outsourced must be given,” said Konstantin Yang, CTO of CloudPayments. “There are twelve partitions in the PCI DSS standard. Ideally, the supplier closes eleven of them - everything except software development, on the basis of which we provide services to our customers.”
In other words, such services allow a company to focus on its own business without being distracted by administrative work, and they reduce some of the technical risks.
Today, 8 out of 10 participants in the market we are considering who use an external certified provider limit themselves to outsourcing the physical security requirements, that is, they host their servers in a PCI DSS certified data center. However, colocation is beginning to lose ground to such promising services as PCI DSS IaaS (32%) and managed services, MSP (21%).
“The data center in which our equipment is located has been certified. This closes the issue of physical protection of the information infrastructure at the data center level,” says Ivan Sergeyev, Technical Director of CJSC MOBI.Money. “Today, physical location and virtual server infrastructure are the most promising levels of outsourcing to meet the requirements of the PCI DSS standard.”
Where previously no PCI DSS certified hosting provider could be found in the Russian Federation, today the picture has changed. Last year, several of the largest cloud providers certified their platforms against the PCI DSS standard, which gave them the opportunity to take responsibility for fulfilling PCI DSS requirements at the level of virtual infrastructure (IaaS). IT-GRAD has also passed certification.
“We spent more than a year preparing for the certification audit of our cloud, and in 2015 we successfully certified our PCI DSS Compliant Hosting services at all levels of responsibility transfer found on the market: physical location, IaaS and managed services.
Our customers - banks, payment systems, gateways - get all the benefits of PCI DSS certification with minimal effort: during an audit, most of the requirements are closed by providing our PCI DSS service provider certificate,” says Alexander Starodubtsev, Deputy General Director of IT-GRAD.
By using a PCI DSS certified cloud in the IaaS model, organizations significantly raise the level of security of the card processing environment and reduce the risk of financial losses from information security incidents, while gaining the opportunity to concentrate on developing their business.