QIWI certified software of payment terminals

On September 2, 2014 the Informzashita company certified the e-wallet of Visa QIWI Wallet on compliance to the PCI DSS 3.0 standard. Passing of certification confirmed the high level of protection of user data of Visa QIWI Wallet and also proved reliability of measures of providing and information security management of a payment service.

According to the data provided by the QIWI Group in the second quarter 2014 the number of the active accounts Visa QIWI Wallet exceeded 15.8 million. At the same time annually the number of transactions on cards increases many times. It imposes high obligations on a payment service on security of payment transactions, so and requirements of international standards to such companies become more tough.

Certification audit was carried out in four steps: a preliminary estimate of the systems of the customer, ASV scanning (scanning on vulnerability of external perimeter of network), the complex penetration test and audit which affected tens of business processes and divisions of a payment service. Ilya Alexandrov, the head of banking systems of Informzashita company, emphasized that at such scales and heterogeneity of IT infrastructure as in QIWI, it is important not just to conform to the latest requirements of international payment systems but also to ensure real safety of business processes.

"By the management of Council for standards of security of the industry of payment cards (Payment Card Industry Security Standards Council, PCI SSC) it was mentioned more than once that the new version of the PCI DSS 3.0 standard places serious emphasis on security process, – he explained. – So now the audit purpose – it is not simple to be convinced that the company has a certain security technology, and to constantly estimate the available risks and to monitor the continuity of security of business processes".

"Our main objective – ensuring the maximum safety of payment transactions and means in purses of Visa QIWI Wallet. We regularly improve algorithms of security systems, – the risk manager of the QIWI Group Denis Persanov noted. – The audit and certification which are carried out by Informzashita company allowed us to confirm reliability and efficiency of the applied protective measures directed to prevention of unauthorized access to data of holders of payment cards of QIWI".

The following steps on maintenance of due level of compliance to requirements of PCI DSS will become permanent updating of the register of system components in the field of assessment (PCI-Scope), accomplishment of regular procedures and kontroly cybersecurity and regular increase in awareness of staff of QIWI in the field of data security provision of payment cards.

Project Development

On July 27, 2015 the Informzashita company announced compliance of the e-wallet of Visa QIWI Wallet to requirements of the new version of the PCI DSS 3.1 standard, having prolonged the certificate issued earlier for one year.

Qiwi, 2013

In the 2015th year auditors of Informzashita executed the project according to the updated requirements of PCI Security Standards Council (council for standards of security of the industry of payment cards). The PCI DSS 3.1 standard essentially a little in what differs from the previous version 3.0, with only that difference that now the companies should depart from the protocol of web enciphering Secure Sockets Layer (SSL). It is connected with the fact that today it is not considered rather reliable because of a number of the detected vulnerabilities.

At the same time by the management of Council for standards of security of the industry of payment cards (Payment Card Industry Security Standards Council, PCI SSC) it was mentioned more than once that new versions of the PCI DSS 3.0 and 3.1 standard place serious emphasis on security process. It means, now the audit purpose – it is not simple to be convinced that the company has a certain security technology, and to constantly estimate the available risks and to monitor the continuity of security of business processes.

"The payment service of QIWI allows millions of Russians easily and to quickly make all necessary payments. The growing segment of electronic payments inevitably attracts the malefactors trying to get access to funds of users therefore our main priority remains the same – ensuring the maximum safety of payment transactions and means in the Visa QIWI Wallet system. We perform regular risk analysis of security and we improve algorithms of the systems of protection of our services. Implementation of approach to regular accomplishment and control of work of procedures of security in the operational business-as-usual mode will become one of the following tasks of maintenance of the due security level of card data and compliance to requirements of PCI DSS, - the risk manager of the QIWI Group Ilya Alexandrov noted.

2015: Certification of terminals

On December 22, 2015 the QIWI company announced software certification for terminals  according to the PA-DSS standard.

The payment application for QIWI-TERMINALS underwent certification on compliance to the standard of data security of payment applications of PA-DSS (Payment Application Data Security Standard). The project is executed together with QSA company auditors Informzashita.

QIWI (2013) payment terminal

Transfers to bank cards in all QIWI-TERMINALS are provided by the software of "Maratl"  participating in processing of payment authorizations according to cards and carrying out necessary  calculations through processing of QIWI.

According to requirements of international payment systems of Visa and MasterCard, the maximum level of security of such applications is reached on condition of their full compliance to the PA-DSS standard.

  The Informzashita company acted as the partner of the project of the QIWI Group on certification of the application. At the first stage specialists executed preliminary audit – primary analysis of the application and development processes on fulfillment of requirements of the standard. Then created the actions plan allowing QIWI to eliminate defects and to build necessary processes of safe creation of software.

At a final stage auditors of Informzashita checked final certification as a result of which established that software completely conforms to requirements of PA-DSS. The report is approved with Council of PCI SSC.

The QIWI company traditionally pays special attention to security and maintenance of compliance of the products and services to the best international and industry practices. As a result of the carried-out certification on the PA-DSS standard we once again confirmed the high level of security of the payment transactions and client data processed through network of QIWI-TERMINALS. Thanks to it our clients received the maximum level of security and protection of the payments via various interfaces of QIWI. Ilya Alexandrov, risk manager of QIWI