ChronoPay B.V. is pleased to announce that we have successfully passed audit inspection which included questionaire, penetration network test as reported in our news earlies and what's more important on-site inspection and tour performed by SRC Security Research and Consulting Gmbh, Germany - the first network security auditor to perform both MasterCard Site Data Protection (SDP) and VISA Account Information Security (AIS) program, known as CISP in USA.

Objective of these two programs is the reduction of fraud and the prevention of card data compromise at contracting companies. While the MasterCard SDP certification must follow shortly in June 2004, since the standard according to our information is changing right now, the VISA AIS certification for PSPs has been successfully passed by ChronoPay B.V. and is probably the most prestigious security certification in Europe a PSP can obtain. The list of requirements is published on the VisaEU website and has 15 vital standards requirements:

• Establish a hiring policy for staff and contractors
• Restrict access to data on a need-to-know basis
• Give individual identity codes to people with access to data
• Track all data access
• Use firewalls - electronic barriers - if data can be accessed from the Internet
• Encrypt data accessible from the Internet
• Encrypt data sent across networks
• Protect your systems and data from viruses
• Keep security patches for software up-to-date
• Do not use vendors’ default passwords
• Ensure any data on paper, disks, PCs and so on is kept secure
• Ensure data is properly destroyed when it is no longer needed
• Test security systems and procedures regularly
• Investigate and report any suspected loss of data immediately
• Only use service providers that meet these standards

All of them are explained in detail here as well , in order to pass the certification all of the requirements must be strictly compliant including all third party relations (hosting companies, scrubbing outsourcing) , including all employees screening procedures, access controls and so on which is throughly checked by an independent auditor.

At ChronoPay B.V. and it's subsidiary IT platform company JSC "ChronoPay" Russia we as a team really value the security since it's one of key points in creating the stable e-commerce environment. All of key 15 rules and procedures are strictly maintained compliant according to standards and even certain procedures in our company certainly exceed required minimum levels such as 24/7/365 video monitoring of our software development facilities and system administrators facilities and external "out of office" video records keeping , GSM alarms on all access controls on top of WTC security alarms, government level of employees screening for our IT department and precise procedures of corporate information exchange confidentiality level and CRM systems used within the company with every step logged. Our network enviroment is tuned up to the maximum possible security with hardware IDSs , hardware loadbalancers and hardware firewalls in place, servicing our dedicated cluster of servers all of which are already behind a first line of network hardware defense systems.

While several reputable EU PSPs have already acquired VISA AIS certification as well , ChronoPay B.V. has in fact created a unique situation since the IT infrastructure of ChronoPay B.V. is placed in Moscow, Russia by the JSC "ChronoPay" Russia. The audit process by SRC Security Research and Consulting GMBH requires the onsite audit for the IT departments of course and thefore the SRC specialists have visited JSC "ChronoPay" Russia and have performed an onsite audit there. Thus ChronoPay B.V. is the first EU PSP company in the world to place the IT infrastructure in Russia and to get it certified by hard EU standarts of security (VISA AIS is based on ANSI Information Security for Financial Organizations Guidelines, X9/ TG-5 (1992) and the ISO/TR 13569 Banking and Related Financial Services Information Security Guidelines, Second Edition).

It is interesting to note that while AIS certification does not seem to be a must for PSPs the lack of one can be quite harmful since according to SRC FAQ in relation to AIS/SDP certifications, in case that card data are stored in systems of e-commerce merchants, PSPs, MSPs or DSEs are compromised via the internet the acquirer has to expect high contractual penalty unless he can prove that the company is in compliance with the security standards of MasterCard and/or Visa at the time of compromise.

SRC Security Research and Consulting, GMBH has issued a certificate and an official audit report which is available on request to all our banking and processing partners and other reputable parties.

SRC is the first auditor allowed to perform both the MasterCard Site Data Protection (SDP) and the VISA Account Information Security (AIS) program. SRC is the leading network security company in Germany which list of clients includes some of worlds most recognized banks, brands and companies.

More information can be found at: http://www.src-gmbh.de.

Also ChronoPay B.V. would like to announce that VisaEU has included ChronoPay B.V. in it's website official list of VISA AIS standard compliant PSPs which as we believe is really excellent news.

We wish to thank all of our employees, partners and friends who are together with us and helping us to succeed in our common business.

Main sources:

http://www.visaeu.com/acceptingvisa/accreditedpsps.html
http://www.visaeu.com/acceptingvisa/pdf/accreditedpsps.pdf