Interswitch has received the highest level of re-certification for the Payment Cards Industry Data Security Standards (PCI-DSS), making it one of the first non-banking institutions in Kenya to receive the high level PCI PIN Security Certification.
A PCI Report on Compliance is required of any organisation that handles large volumes of branded credit, debit and prepaid card transactions, including MasterCard, American Express, VISA, JCB and Discover. Companies handling smaller volumes are required to complete a Self-Assessment Questionnaire.
Following the annual audit by the PCI-certified assessor, a Report on Compliance was issued to Interswitch in April 2016. No other East African bank or institution has yet completed this level of assessment.
Bernard Matthewman, CEO, Interswitch East Africa, says, “PCI DSS provides a comprehensive framework for securing cardholder and transaction data. Interswitch has the only data centre in Kenya to have passed this level of PCI-DSS assessment on two occasions now. As a specialised payments and commerce company, the industry rightly looks to us to lead on data security.”
The PCI Standards help protect the safety of card data at multiple locations – from the point of sale (POS) to the processing centre. They mandate measures to protect data from both internal and external threats.
Victor Ndlovu, Kenya Country Manager at VISA says, “Unfortunately, the majority of data fraud still originates from internal staff at a merchant, issuer or payment processor. PCI-DSS requires compliant institutions to implement sophisticated encryption, software and physical security to mitigate against this.”
PCI-DSS mandates that unmasked card data is only handled inside a Card Data Area, which has additional technological and physical security measures. Otherwise, card data should always be partially masked in any communications or databases.
Matthewman says, “We use physical security and software to monitor if complete credit card details can be detected outside our Card Data Area. And we hire ethical hackers to regularly simulate attacks on our card centre.
“It is a constant battle to stay ahead of fraudsters. Interswitch initiated the Great Migration to EMV in 2013 to help push Kenya to EMV. We were clear at the time that securing the card was the first step, but the channels and data centre would become the new focus. PCI-DSS has been part of our program to ensure that these are secured to the highest global standards.”
Kenya was the third country in Africa to undertake a migration to chip and PIN cards. This has seen skimming fraud reduce substantially, although new fraud patterns are emerging.
Stephen Mwaura, Head, National Payments, says, “As a regulator we will continue to work with key stakeholders to support cutting edge approaches in enhancing safety and efficiency in payments. I commend the Interswitch team for leading the way in adopting fraud management tools that are of the highest standards for the payment cards industry.”
Interswitch is a certified member of the PCI Security Standards Council, which prepares the standards. The five major card companies, MasterCard, American Express, VISA, JCB and Discover, formed the Council in 2006.