Mercuryo is approaching another critical milestone in the roadmap – the launch of our payment card. At this point, it is essential to make sure that all internal processes and systems are PCI DSS compliant. Serving customers is more than just offering great products and services; it’s also about protecting customers’ card information.
PCI DSS stands for Payment Card Industry Data Security Standard. It was developed by the PCI Security Standards Council and adopted by industry giants such as VISA, MasterCard and AmEx.
The standard was set up to help businesses process card payments securely, protect cardholder data that is a target for fraudulent activity, and reduce the risk of theft. This is achieved by imposing tight control measures on the storage, transmission and processing of the cardholder data that businesses handle.
Many companies try to avoid PCI DSS compliance altogether and outsource the payment process entirely to a third party. This option, however, doesn’t work for Mercuryo, as we are going to build our own payment system and expect a significant increase in transactions later this year. Therefore, we have obtained the highest Level 1 PCI DSS certificate, which allows us to process up to 6 000 000 transactions per year.
Building our own payment system will also enable Mercuryo to create a cascading payment flow, in which a transaction is successively submitted for authorization to several processing centres, to reduce the number of declined transactions.
What exactly does Mercuryo do to protect your card payments?
From now on, Mercuryo will have to meet 12 requirements, which fall into the six categories below:
1) Build and Maintain a Secure Network
- Install and maintain a firewall configuration to protect data
- Do not use vendor-supplied defaults for system passwords and other security parameters
2) Protect Cardholder Data
- Use encryption to protect stored data
- Encrypt transmission of cardholder data and sensitive information across public channels
3) Maintain a vulnerability management program
- Use and regularly update reliable anti-virus software
- Develop and support secure systems and applications
4) Implement relevant access control measures
- Restrict access to data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
5) Regularly monitor and test networks
- Log and control all access to network resources and cardholder data
- Regularly test security systems and processes for potential vulnerabilities
6) Maintain an information security policy
- Implement and maintain a policy that addresses information security concerns. Keep the policy up to date
Our information security officer Alexey Vesnin speaks about our journey to PCI DSS certification.
“To comply with PCI DSS requirements, we went through gap analysis performed by information security consultancy “Advantio”. It took us about six months to address all the gaps and modify our infrastructure and processes accordingly.
One of the most challenging tasks was to ensure we log everything in our systems and audit the logs regularly. This way, we can quickly investigate and prevent any security breaches. As for the infrastructure requirements, our servers are now hosted in a secure location with restricted access and 24/7 CCTV. Any violation of security will trigger an alert immediately.
Besides the technical part, there’s also a major “human factor” when it comes to data protection meaning that we need to train our employees to keep customers’ data safe.
This includes quarterly information security training for all employees, thorough background checks for new employees, and tight restrictions as to who has access to customers’ data.”
This all has to be implemented into day-to-day business processes.
Apart from that, Mercuryo will undergo an annual security audit by third parties and quarterly network scans to remain PCI DSS compliant.
As a customer, you wouldn’t notice most of the work done to protect your data, but that’s what security is all about. It goes unnoticed when done right.
Stay with Mercuryo and transfer any amount from anywhere in the world!
We do take the “S” word seriously!