ATCA, a pioneer in the implementation of PCI DSS, aided by S21sec

March 2008, by Pedro Sánchez Cordero, Head of ATCA Security, and Vanesa Gil, S21sec Consultancy Manager

Hand in hand with the advances in today’s information society comes an increase in the use of debit and credit cards to make payments and higher rates of internet purchasing. In this context, card holder data security has become a fundamental aspect of the card payments industry. When it comes to carrying out different types of transaction, one of the main concerns among users is how securely the related information will be treated. The methods used to commit fraud become more sophisticated as technology advances, and the theft of card details is often the first step in a fraud.

Aware of this fact, the main card companies (Visa, MasterCard, American Express, JCB and Discover) have come up with a Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS establishes a set of measures that aim to raise the level of security in the context of card payments and related information. These measures apply to every system that stores, processes and transmits card holder details.

ATCA and its aim: to comply with the PCI DSS standard

Asociación Técnica de Cajas de Ahorros (ATCA) was the first Spanish company to carry out a PCI DSS compliance audit, with the help of S21sec, a leading company in the field of digital security. ATCA, a financial interests group made up of Caja Inmaculada, Caja Rioja, Caixa Sabadell and La Caja de Canarias, aims to offer its members fast, high quality and cost effective products and services.

ATCA is fully aware of how important it is to guarantee that the information it handles is safe. ATCA is a pioneer in the implementation of security measures and internationally recognised best practice measures, evidenced by the fact that it operates a Quality Control System, and an Information Security Management System certified by AENOR. In addition it holds the CMMI-SW/SE level 5 standard in all its software development and maintenance processes.

A successful process thanks to S21sec

ATCA provides services to four associated banks. Therefore, under the Visa and MasterCard compliance programs, ATCA is obliged to comply with the PCI DSS. As a consequence it decided to contract the services of S21sec, a leading Spanish company in the digital security sector, which is certified as a Qualified Security Assessor Company (QSAC) (initially by Visa and MasterCard and currently by the PCI Security Standards Council), to carry out annual on-site audits. S21sec also carries out quarterly network scans to validate compliance with the PCI DSS, in its role as an Approved Scanning Vendor (ASV).

The first thing S21sec analysed in the context of the PCI DSS compliance audit was the scope of the audit, including all the systems that store, process and transmit card holders’ details.

Once it determined the scope of the audit S21sec evaluated ATCA’s level of compliance with PCI DSS requirements. The control objectives and requirements appear in Figure I (See appendix).

As you can see, the requirements established for the PCI DSS are aligned with widely recognised codes of best practice, such as the ISO 27002 standard, “Code of Best Practice to Control Information Security”, and COBIT, “Control Objectives for Information and related Technologies”.

The PCI DSS philosophy centres on the protection of card holder details. One element that differentiates it from other security standards is the level of control established to guarantee protection, including a series of restrictions on the storage of specific information. Specifically it prohibits so-called “sensitive verification details” from being stored after transactions have been authorised.

In order to verify compliance with this requirement S21sec reviewed information ATCA stores in relation to card operations carried out through the four intervening banks.
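As an added illustration of the kind of check described above (this is example code, not ATCA's or S21sec's own tooling), the following Python routine audits stored transaction records for sensitive authentication data that PCI DSS forbids retaining after authorisation, and for unmasked PANs in free-text fields. The record field names (`status`, `pan`, `cvv2`, `track1`, `track2`, `pin_block`, `memo`) are assumptions, and the sample records are constructed.

```python
import re
from typing import Dict, List

# Assumed record layout for this example: field names are hypothetical.
# PCI DSS forbids retaining sensitive authentication data (full track data,
# card verification codes, PINs/PIN blocks) once a transaction is authorised.
SAD_FIELDS = ("track1", "track2", "cvv2", "pin_block")

# Track-2 layout: optional start sentinel, 13-19 digit PAN, '=' separator, YYMM expiry.
TRACK2_RE = re.compile(r"^;?\d{13,19}=\d{4}")

def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Mask a PAN to the maximum PCI DSS allows for display: first six, last four."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def audit_record(rec: Dict[str, str]) -> List[str]:
    """Return the PCI DSS storage findings for one stored transaction record."""
    findings: List[str] = []
    if rec.get("status") == "authorised":
        for field in SAD_FIELDS:
            if rec.get(field):
                findings.append(f"{field} retained after authorisation")
    for key, val in rec.items():
        if key in SAD_FIELDS or key == "pan":
            continue
        if TRACK2_RE.match(val):
            findings.append(f"track-2 data in field '{key}'")
        elif any(luhn_ok(m.group()) for m in re.finditer(r"\d{13,19}", val)):
            findings.append(f"unmasked PAN in field '{key}'")
    pan = rec.get("pan", "")
    if pan.isdigit() and luhn_ok(pan):
        findings.append("pan stored unmasked (mask or encrypt it)")
    return findings

# Constructed sample records (not real card data; 4111... is a test PAN).
BAD_RECORD = {"status": "authorised", "pan": "4111111111111111",
              "cvv2": "123", "memo": "ok"}
GOOD_RECORD = {"status": "authorised", "pan": mask_pan("4111111111111111"),
               "cvv2": "", "memo": "ok"}
```

Running `audit_record` over an export of stored records gives a quick first pass before the manual review; a clean result is not proof of compliance, since encrypted or encoded fields still need to be inspected separately.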

The next step in the process was an exhaustive review of the level of compliance with other PCI DSS requirements. S21sec evaluated compliance based on test procedures detailed in the “PCI DSS. Security Audit Procedures” document. The main aspects evaluated were:

* Review of the network configuration to determine whether every system component is securely configured (review of firewall configurations and of the systems’ security parameters).

* Check of the vulnerability management program, focusing on the use and updating of antivirus software and on the secure development of systems and applications. Holding the CMMI-SW/SE level 5 certification placed ATCA in a privileged position with regard to compliance with the system development requirements.

* Review of access control measures for physical and logical access to information systems, in order to prevent possible unauthorised access. Given that ATCA was already equipped with a certified Information Security Management System, most of these measures had already been implemented.

* Review of the measures established to monitor network resources and card holder information: maintaining audit logs for all systems within the scope of the review, as well as records of specific events and of specific details for each of these events. Review of aspects related to log protection and periodic log review.

* Review of the results of the network scans that are performed each quarter, and of the results of penetration tests, which should be done at least once a year. Also a review of the intrusion detection systems that monitor network traffic.

* Review of the ATCA Information Security Policy and of aspects related to training and employee awareness, the handling of security incidents and the formalisation of contractual relations with third parties.

Following the on-site audit, ATCA became the first service provider in Spain to be deemed “PCI DSS-Compliant”. This undoubtedly confers a competitive advantage in the market and helps the organisation’s positioning as a service provider for financial institutions.

By implementing the PCI DSS, ATCA aims to minimise the threat of unauthorised intrusion, increasing card holders’ trust in card transactions and mitigating the risk of a possible compromise of card information (financial impact, negative impact on public opinion as regards the organisation’s clients, the cost of investigating a possible compromise, etc.). ATCA’s actions have strengthened the fight against impersonation and other types of card related fraud.

Financial institutions and card companies are the main parties responsible for promoting the PCI DSS and encouraging service providers and associated businesses to implement it.

S21sec aims to occupy a fundamental position in the process of compliance with the PCI DSS. The company operates a log management tool called Bitacora that guarantees compliance with the requirements on monitoring systems. In addition it can help companies set up a compliance strategy and implement a large proportion of the measures needed to guarantee compliance, such as the creation of policies, standards and procedures, the provision of a vulnerability information service (Vulnera), review of application code and remote control of equipment, as well as other aspects.

The generalised implementation of PCI DSS requirements by financial entities, service providers and businesses in the market guarantees the standard’s ultimate objective: to improve the level of security of card payments, promoting a secure environment for this type of information.
