Project

Jet Infosystems assessed the security of the payment systems of the Ural Bank for Reconstruction and Development

Customers: Ural Bank for Reconstruction and Development (UBRIR)

Contractors: Jet Infosystems
Product: External IT and security audit projects (including PCI DSS and SUIB)

Project date: 2013/08 - 2018/11


2018: Information security audit of payment systems

On December 18, 2018, Jet Infosystems announced the completion of a comprehensive information security audit of the payment systems of the Ural Bank for Reconstruction and Development. The audit results can serve as a basis for adopting short-term measures and developing a long-term strategy to reduce fraud risk and improve the bank's cybersecurity processes.

The information security audit covered 10 payment systems of the bank, the configurations of their application and system software, and the access control rules applied on firewalls in the protected segments of the payment systems.

"Providing high-quality and reliable services to the clients of our bank is a key activity in information security support. For this purpose we continuously monitor the level of information security. We pay special attention to the payment technology processes implemented in our bank. We are convinced that only proactive detection of vulnerabilities makes it possible to minimize cybersecurity threats in a timely manner and thereby prevent potential financial risks. For this reason we initiated an audit under a mixed scheme, assessing not only formal compliance with the requirements of regulators, but also carrying out a deep inspection of the entire payment process."

The project ran throughout 2018 and included three stages. In the first stage, the bank's cybersecurity specialists were advised on completing the self-assessment procedure for compliance with the requirements of the international interbank system SWIFT. In the second stage, Jet Infosystems experts prepared the credit institution for an assessment of compliance with the requirements of the Central Bank of the Russian Federation for data protection in money transfers (Provision 382-P). In the third stage, penetration testing was carried out, during which the integrator's specialists simulated real hacker attacks to confirm the risks of potential attackers exploiting the detected threats.

As part of the project, the integrator's experts analyzed in detail the structure and components of the payment process, as well as how the parties interact when transferring money.

"Russian banks face a common problem: payment systems are not customized for seamless integration into the IT infrastructure of a credit institution, which leads to growth of the risks connected with fraud in the transfer of payment orders. So, for example, if a vulnerability in IT infrastructure components is successfully exploited, payment data can be changed at the stage of transfer from the ABS (the automated banking system) to the components of the payment infrastructure, which will lead to the theft of money."

Ilya Volozhanin, consultant of the Information Security Center of Jet Infosystems

The audit resulted in increased awareness by the bank of the state of information security of its payment systems. The credit institution received a set of practical recommendations whose implementation will reduce the risk of bank fraud and raise the degree to which the protection of the payment systems complies with the requirements of Russian and international regulators.

2013

The Ural Bank for Reconstruction and Development, together with Jet Infosystems, announced the completion of a comprehensive project to bring the Bank's payment systems into compliance with the requirements of the international payment card data security standard PCI DSS 2.0. The project affected both the Bank's payment systems and various infrastructure systems, for which a number of necessary protection tools were implemented. The final certification audit was then conducted and concluded with the issue of a certificate of conformity. In implementing the project, not only the requirements of the PCI DSS standard but also other relevant information security requirements of the Bank were taken into account.

Ural Bank for Reconstruction and Development is one of the largest domestic banks, represented in 19 regions of Russia. A considerable share of the Bank's services is based on the use of plastic cards: issuing credit and debit cards, corporate cards, salary projects, etc. By the number of plastic cards in circulation, the Bank was among the twenty largest in Russia last year. The volume of data processed in the payment systems makes ensuring their security, including bringing the payment systems into compliance with the requirements of the PCI DSS standard, a top-priority task.

"We recognize the direct relationship between the Bank's reliability, customer confidence and its overall success," comments Alexander Paderin, head of the information systems security department of JSC UBRIR. "And we regard the project to ensure the compliance of our payment systems with the PCI DSS standard not only as a mandatory certification in the financial sphere, but also as the most important component of the Bank's cybersecurity, keeping the level of trust in us from clients and partners consistently high. The project completed today allows us to keep pace with the leading trends in cybersecurity in the financial sector."

In the first stage of the project, the Bank's payment systems were examined and assessed for compliance with the requirements of the PCI DSS standard, as well as for their overall level of security. Based on this examination, Jet Infosystems experts created an action plan for bringing the Bank's payment systems into compliance with the standard, on the basis of which the engineering design was subsequently developed and the necessary protection tools were implemented. The action plan took into account requirements such as preserving the performance of the Bank's information systems when protection tools are implemented and the economic justification of the solutions used. The protection tools implemented in the Bank for the first time included:

  • an integrated integrity control tool (Tripwire Enterprise);
  • a tool for controlling access to network equipment (Cisco ACS);
  • a database user activity monitor (Imperva SecureSphere);
  • two-factor authentication tools.

"As part of the compliance effort and the work performed, we studied each item of the compliance plan in detail together with the Bank's IT and cybersecurity specialists, and each implemented technical solution was tested and configured by us beforehand according to the Bank's business requirements," says Evgeny Akimov, associate director of the Information Security Center of Jet Infosystems. "We made maximum use of the technical protection tools already available in the Bank and used reliable, previously proven protection tools, building them into the Bank's infrastructure so that they did not complicate the Bank's work in general, provided compliance with the PCI DSS standard and, above all, had practical value for the real protection of the Bank's information systems. In particular, the implemented solutions can be scaled further, including to take into account the requirements of Russian regulators in the field of cybersecurity of financial institutions."

The final stage of the project was the certification audit, conducted by QSA auditors of Jet Infosystems. The audit results were submitted to and accepted by the international payment systems Visa and MasterCard, after which the Bank was issued a certificate of conformity to the requirements of the PCI DSS 2.0 standard.

The audit was completed in March 2012.

2014: Certification of PCI DSS 2.0

On January 17, 2014, the Ural Bank for Reconstruction and Development announced that it had completed the audit procedures and obtained a certificate confirming that the security of its information systems processing client data conforms to the international Payment Card Industry Data Security Standard (PCI DSS v.2.0).

"The PCI DSS standard is a requirement of the payment systems with which UBRIR works. Meeting the conditions of the standard allows the bank to ensure information security when processing payment card data in accordance with international requirements. For the third year in a row, UBRIR has confirmed a high level of security in working with client data," noted Alexander Paderin, head of the information systems security department of the Ural Bank for Reconstruction and Development.