DialogNauka confirmed Tinkoff Bank's compliance with the requirements of the PCI DSS standard

Customers: Tinkoff Bank

Contractors: DialogNauka
Product: External IT and security audit projects (including PCI DSS and ISMS)

Project date: 2015/04

DialogNauka, a system integrator in the information security field, completed in the summer of 2015 a certification audit of JSC Tinkoff Bank for compliance with the requirements of the international PCI DSS standard. Following the completed set of works, the bank successfully passed the information security assessment and received a PCI DSS certificate of compliance.

JSC Tinkoff Bank is an online provider of financial services operating in Russia through a high-tech platform without retail branches. The bank is one of the leaders of the Russian credit card market: as of 1 March 2015, more than 5 million credit cards had been issued. Tinkoff Bank was named "Bank of the Year in Russia" and the most profitable Russian bank in 2013 by The Banker magazine, a leading international financial publication that is part of the Financial Times group. In 2012 the analytical banking magazine Global Finance and the Банки.ру portal recognized Tinkoff Bank as the best retail internet bank in Russia. The Tinkoff Bank mobile bank and internet bank have repeatedly been recognized as the best by independent market experts. In 2014 and 2013 experts of the auditing company Deloitte recognized the Tinkoff Bank mobile application as the best in Russia, and the rating agency Markswebb Rank & Report named the Tinkoff Bank internet bank the most effective in Russia in 2014. All banking activities of JSC Tinkoff Bank are performed remotely, using remote banking channels.

To maintain information security at a high level, representatives of Tinkoff Bank engaged DialogNauka specialists to conduct a security audit of the bank's information systems for compliance with the requirements of the PCI DSS standard. The staff of JSC DialogNauka were set the following tasks:

  • assessment of compliance with the requirements of the international payment card security standard;
  • development of recommendations for maintaining compliance with the PCI DSS standard;
  • penetration testing based on models of both an external and an internal attacker;
  • quarterly external and internal ASV scanning;
  • a certified QSA audit.

Based on the assigned tasks, the project consisted of four large stages:

  • analysis of the planned changes to cardholder data processing;
  • penetration testing;
  • external and internal ASV scanning;
  • the certified QSA audit.

As required by the PCI DSS standard, external and internal penetration testing at the network and application layers was carried out against the assets within the scope of the payment card security standard. Models of an internal and an external attacker, describing the possible attack vectors, were developed and approved, and testing was conducted on that basis using the approved methods and tools. A report was prepared on the penetration test results.

In the next stage, a series of ASV scans was performed on the external services of JSC Tinkoff Bank through which network access to the payment card data processing environment could be obtained. The vulnerabilities found were presented in a closing statement for each quarterly ASV scan.

The final stage of the work was the certified QSA compliance audit against the requirements of the PCI DSS standard. Its results recorded, in particular, the quarterly scan data, the assessment of fulfillment of the PCI DSS requirements, and the compensating controls applied to maintain compliance. Following the successfully passed QSA audit, DialogNauka handed JSC Tinkoff Bank the certificate of compliance with the requirements of the international payment card security standard PCI DSS.

"Information security support in a bank is continuous work, as regulators' requirements are constantly updated, new legislative initiatives in the field of data protection appear, and, as a result, the quality requirements for protection constantly increase. This is not the first project for Tinkoff Bank in which our company takes part. Thanks to the excellent cooperation between our company's specialists and the customer's employees, we smoothly carried out an extensive set of works to bring the bank's information systems into compliance with the PCI DSS standard, provided the report on the penetration test results, prepared and handed over the ASV scan results to the bank's specialists, and, based on the QSA audit, issued the PCI DSS certificate of compliance. The results of the project demonstrate that the information protection of JSC Tinkoff Bank is at the highest level. We thank our customer for the interesting project and hope for further effective cooperation on information security in the future," notes Anna Yugas, deputy head of the corporate sales department of JSC DialogNauka.

"The convenience of banking services and providing a high level of security to clients are priorities for Tinkoff Bank. Our bank always approaches information security with great responsibility, and we are guided by the principle of following the highest standards for protecting the organization's information space: the bank's services comply with both Russian and international security standards. Based on this project we confirmed compliance with the requirements of the PCI DSS standard and with the information security requirements of the payment card industry," notes Stanislav Pavlunin, Vice President for Security of Tinkoff Bank.