UCS Solutions, a provider of IT services to the retail industry, has achieved Payment Card Industry Data Security Standard (PCI DSS) v3.1 audit certification and earned a license from the Payment Association of South Africa (PASA).
It’s an important accomplishment for UCS Solutions, which is responsible for the security of the data of some of the biggest retailers in South Africa, including Massmart, Makro, Cashbuild, and Dischem – companies that process thousands of transactions daily.
Says Glen Khan, IT executive at UCS Solutions: “Cybercrime has become the number one crime globally. The certification assures UCS Solutions’ clients that best practice security measures are in place to protect sensitive cardholder and other data.”
UCS’ role as an outsource provider of IT and payment processes is to secure the entire system managing its clients’ transactions, and the entire data transfer process, from the point of sale where the card is swiped to the bank and back to the client. There are many potential weak points along the way that the PCI DSS requirements address.
“It is difficult to quantify the size of our security incident management system,” says Khan. “To put it in perspective, consider that we manage 55-illion critical events for a single client every day, with multiple events relating to a single transaction.”
Simeon Tassev, director and qualified security assessor (QSA) at Galix, comments: “The PCI DSS standard covers every system within UCS relating to credit card information – the people, processes, technology (software, hardware, network security) and physical facility – as well as every other system that intersects with these systems. Galix assisted UCS to achieve its first audit certification in April 2015 and has since helped it keep up a rigorous maintenance schedule to meet the 2016 audit requirements.”
PCI DSS encompasses 12 specified requirements and 240 sub-requirements. The 12 requirements are categorised into six control objectives, namely:
* Build and maintain a secure network;
* Protect cardholder data;
* Maintain a vulnerability management programme;
* Implement strong access control measures;
* Regularly monitor and test networks; and
* Maintain an information security policy.
To achieve certification, the organisation needs to be 100% compliant. Yearly validation, which comprises a full audit of all sub-requirements, is done by a QSA, such as Galix.
Achieving this certification requires considerable effort. Notes Khan: “It has taken consistent effort over the last 12 months by the UCS technology teams to do the monthly scans, provide evidence and perform the required testing. Our security, audit, network and systems teams worked together closely to complete the audit with the guidance of Galix.”
This, UCS Solutions’ second audit certification, was more demanding than the first. “We had to relook and re-architect systems to improve controls and procedures. However, Galix brought its usual high standards to the fore, providing the skills and experience needed for us to get the audit right efficiently.”