17.04.2019 – Successful PCI-DSS 3.2 recertification
PCI DSS – these six letters stand for secure credit card payments via the internet. The Payment Card Industry Data Security Standard is a security-related requirement for the secure transfer, processing and storage of credit card data. Appropriate certification of all companies involved – both the service provider and the IT service provider – shows that your sensitive data is safe. Since 2018, INS has been a PCI DSS certified company, which is subject to the highest security standards and thus actively protects our customers against any misuse of their data. We want to offer our customers the highest possible protection in payment transactions and have therefore decided in favor of the extensive measures of this certification audited by the independent auditors of Adsigo AG. In April 2019, following a complex multi-stage audit process, we were once again certified without any deviation according to all 12 concrete requirements of the standard – we are very pleased by this.
In principle, when you commission IT services offered by INS, they become an extension of your own business. Therefore, you must be absolutely sure that they comply with the standards to which you have committed yourself. INS’ certifications ensure that logical and physical security, service delivery, and support meet industry-leading standards. In order to do so, INS follows the worldwide standards of ISO 9001 (Quality Management), ISO 27001 (Information Security), and ITIL® (IT Service Management). This provides proof that our infrastructures, data processing, and data security always comply with the latest requirements for compliance and security.
“Providing a secure infrastructure which operates 24 hours per day and 365 days per year at the highest level is not an easy task. Moreover, our clients expect us to meet the highest standards for handling personal and payment-related data,” commented Giovanni Serpi, Information Security Officer and member of the management of INS Systems GmbH, while emphasizing the difference between PCI DSS certification and simple PCI compliance: “INS has subjected itself to the rigorous evaluation by an external auditor who was authorized by the PCI Council. In contrast, simple PCI compliance more often than not only requires a form of self-assessment. Therefore, we’re all the more pleased that we have the PCI DSS certification.”
INS continues to invest in the implementation of numerous security measures based on the requirements of ISO/IEC 27001:2013 and the implementation of recommendations according to ISO/IEC 27002. In January 2018, an additional component was added in the form of the PCI DSS 3.2 certification. This certification confirms that INS fulfills the maximum security criteria with regard to handling credit card data. In order to do this, INS not only had to undergo a comprehensive audit process but has to repeat it every year.
To achieve a transparent security framework for the protection of payment card information, five of the largest credit card organizations joined forces to form the PCI Security Standards Council (PCI SSC), and released a common security standard: the “Payment Card Industry Data Security Standard (PCI DSS)”. If a customer makes a direct payment to an organization via credit or debit card, the PCI-DSS requirements apply automatically.
These provisions consist of a list of twelve concrete requirements regarding the processes and the IT infrastructure of a company:
- Installation and maintenance of a firewall for data protection
- Changing of default passwords and security settings after factory delivery
- Protection of the stored data belonging to credit card holders
- Encrypted transmission of sensitive data belonging to credit cardholders
- Utilization and regular updates of anti-virus programs
- Development and maintenance of secure systems and applications
- Restriction of data access to what is necessary
- Each person with computer access is assigned a unique user ID
- Restriction of physical access to data belonging to credit cardholders
- All access to data belonging to credit cardholders is recorded and verified
- Regular reviews of all security systems and processes
- Introduction of and adherence to information security policies
The standard was developed in order to promote and improve the data security of cardholders, and to further the broad application of consistent data security measures worldwide.
PCI DSS is globally binding for all companies participating in payment card processing – including merchants, financial institutions and service providers, as well as any other entity that stores, processes or transfers cardholder data and/or sensitive authentication data.