By Dhahabu Writer
Interswitch has received the highest level of re-certification for the Payment Cards Industry Data Security Standards (PCI-DSS), making it the first non-banking institution in Kenya to receive the high-level PCI PIN Security Certification. It was also the first non-banking institution to receive the certification in East Africa.
A PCI Report on Compliance is required of any organisation that handles large volumes of branded credit, debit and prepaid card transactions, including those of MasterCard, American Express, VISA, JCB and Discover. Companies handling smaller volumes are required to complete a Self-Assessment Questionnaire.
Following the annual audit by the PCI-certified assessor, a Report on Compliance was issued to Interswitch last April. No other East African bank or institution has yet completed this level of assessment.
Interswitch East Africa chief executive Bernard Matthewman said,
“PCI DSS provides a comprehensive framework for securing cardholder and transaction data. Interswitch has the only data centre in Kenya to have passed this level of PCI-DSS assessment on two occasions now. As a specialised payments and commerce company, the industry rightly looks to us to lead on data security.”
The PCI Standards help protect the safety of card data at multiple locations – from the point of sale (POS) to the processing centre. They mandate measures to protect data from both internal and external threats.
Kenya Country Manager at VISA Victor Ndlovu said,
“Unfortunately, the majority of data fraud still originates from internal staff at a merchant, issuer or payment processor. PCI-DSS requires compliant institutions to implement sophisticated encryption, software and physical security to mitigate against this.”
PCI-DSS mandates that unmasked card data is handled only inside a Card Data Area, which has additional technological and physical security measures. Everywhere else, card data should always be partially masked in any communications or databases.
Mr Matthewman said that they use physical security and software to monitor whether complete credit card details can be detected outside their Card Data Area. They also hire ethical hackers to regularly simulate attacks on their card centre.
“It is a constant battle to stay ahead of fraudsters. Interswitch initiated the Great Migration to EMV in 2013 to help push Kenya to EMV. We were clear at the time that securing the card was the first step but the channels and data centre would become the new focus. PCI-DSS has been part of our program to ensure that these are secured to the highest global standards.”
Kenya was the third country in Africa to undertake a migration to chip and PIN cards. This has seen skimming fraud reduce substantially, although new fraud patterns are emerging.
Stephen Mwaura, Head, National Payments, says,
“As a regulator we will continue to work with key stakeholders to support cutting edge approaches in enhancing safety and efficiency in payments. I commend the Interswitch team for leading the way in adopting fraud management tools that are of the highest standards for the payment cards industry.”
Interswitch is a certified member of the PCI Security Standards Council, which prepares the standards. The five major card companies, MasterCard, American Express, VISA, JCB and Discover, formed the Council in 2006.