29.01.2018 – Maximum security for credit card information: PCI DSS certification for INS

Time and again, reports that large amounts of confidential credit card data have fallen into the wrong hands cause a stir. What’s more, the risky behavior practiced with the personal data of credit card holders leads to an increased risk of data misuse. IT service providers who do not protect their customer’s card information professionally, make it easy for scammers to steal or misuse data, and cause significant damage. Therefore, we take our responsibility regarding the normative and legal requirements on the subject of the security of credit card data very seriously. This was confirmed by independent and accredited auditors of the Adsigo AG in January 2018.

After a rigorous review of INS’s platform, security systems, organization and data centers, the company received the “Certificate of PCI compliance” according to the current PCI Data Security Standard v3.2 on the 29^th of January 2018.

In principle, when you commission IT services offered by INS they become an extension of your own business. Therefore, you must be absolutely sure that they comply with the standards which you committed yourself to. INS’s certifications ensure that logical and physical security, service delivery, and support meet industry-leading standards. In order to do so, INS follows the worldwide standards of ISO 9001 (Quality Management), ISO 27001 (Information Security) and ITIL® (IT Service Management). Thus providing the security that our infrastructures, data processing, and data security always comply with the latest requirements for compliance and security.

“Providing a secure infrastructure which operates 24 hours per day and 365 days per year at the highest level is not an easy task. Moreover, our clients expect us to meet the highest of standards for handling personal and payment-related data,” commented Giovanni Serpi, Information Security Officer and member of the management of INS Systems GmbH,  while emphasizing the difference between PCI DSS certification and simple PCI compliance: “INS has subjected itself to the rigorous evaluation by an external auditor who was authorized by the PCI Council. In contrast, a simple PCI compliance more often than not only requires a form of self-assessment. Therefore,  we’re all the more pleased that we now have the PCI DSS certification.”

INS continuous to invest in the implementation of numerous security measures based on the requirements of the ISO / IEC 27001: 2013 and the implementation recommendations according to the ISO / IEC 27002. In January 2018, an additional component was added in the form of the PCI DSS 3.2 certification. This certification certifies that INS fulfills the maximum security criteria in regards to handling credit card data. In order to do this, INS had to undergo a comprehensive audit process which has to be repeated every year.

To achieve a transparent security framework for the protection of payment card information, five of the largest credit card organizations joined together to form the PCI Security Standards Council (PCI SSC), and released a common security standard: the “Payment Card Industry Data Security Standard (PCI DSS)”. If a customer makes a direct payment to an organization via credit or debit card, the PCI-DSS requirements apply automatically.

These provisions consist of a list of twelve concrete requirements regarding the processes and the IT infrastructure of a company:

• Installation and maintenance of a firewall for data protection
• Implementation of a password change and security settings after the factory delivery
• Protection of the stored data belonging to credit card holders
• Encrypted transmission of sensitive data belonging to credit cardholders in public computer networks
• Utilization and regular updates of anti-virus programs
• Development and maintenance of secure systems and applications
• Restriction of the data access to necessities
• Each person with computer access is assigned a unique user ID
• Restriction of physical access to data belonging to credit cardholders
• All access of data belonging to credit cardholders is recorded and verified
• Regular reviews of all safety systems and processes
• Introduction and adherence regarding the policies for information security

The standard was developed on order to promote and improve data security of cardholders, and to further a broad application of consistent data security measures worldwide.

PCI DSS is globally binding for all companies participating for payment card processing – including merchants, financial institutions and service providers, as well as any other entity that stores, processes or transfers cardholder data and / or sensitive authentication data.