At a glance
The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. SISA helped VIDIVA achieve compliance with PCI DSS standards.
VIDIVA Technology JSC, Vietnam
VIDIVA Technology JSC (henceforth VIDIVA), a major technology company and service provider in Vietnam that delivers card issuance and e-wallet functions for its customers, was embarking on a large-scale transformation with a pipeline of new products.
To get there, VIDIVA developed an in-house Mobile Application (iOS and Android) known as “Ting” to deliver its services. This mobile-only financial platform that complemented VIDIVA’s existing business in mutually beneficial ways was in the scope of PCI DSS assessment.
Assuring strong payment security foundations
A window of opportunity opened when the team at VIDIVA realized that facilitating e-wallet functions, card issuance, and card maintenance through its Ting application for VISA-branded debit cards issued on behalf of a partner bank required rigorous security assessment and aligned well with the PCI DSS framework.
VIDIVA transfers only the customer details, the Card Token ID, and the truncated card number to the partner bank (VietBank). Among other things, VIDIVA processes card-not-present transactions using the issued cards on behalf of that partner bank.
The PCI DSS assessment
During the initial gap assessment, we found that the Ting system was well structured and safeguarded. Only a few minor, remediable issues were identified in the Ting mobile application and in the backend infrastructure hosted on Google Cloud, where some configuration lapses existed. This insight gave VIDIVA the impetus to remediate the findings from SISA's application penetration test as well as those from the gap analysis. VIDIVA produced rigorous evidence (policies and procedures, firewall rule review, infrastructure hardening, segmentation penetration test, source code review, cardholder data discovery scans, etc.) for revalidation until it attained compliance.
To foster collaboration, SISA structured the remediation as multiple sprints within a scrum process, with milestone reviews for each set of action points: primarily the insecure firewall configuration, Google Cloud infrastructure hardening, Ting application source code review, and application penetration test findings, along with additional policy and procedure support for the stringent PCI DSS requirements.
In the end, VIDIVA appreciated SISA for recommending security measures that focused not only on compliance but also on implementing industry best practices. By the close of the 4-month engagement, VIDIVA had strengthened its security posture and achieved the certificate of compliance for PCI DSS at the highest level (Level 1). For its future releases, VIDIVA is prepared to maintain the highest level of payment security.
SISA is a forensics-driven global cybersecurity company with offices in 14 countries, including Bangalore, India, and Irving, Texas. Organizations across the globe trust us to secure their businesses with robust preventive, detective, and corrective security services and solutions.