From the Blog

An icon for a calendar

2021-03-18

Adeptia and PCI Compliance

Adeptia and PCI Compliance

The financial services industry crafted PCI DSS (Payment Card Industry Data Security Standard) to help ensure the integrity and security of digital transactions that enable the use of credit, debit and other forms of payment cards and digital payments.

Adeptia software enables world-class data integration including the secure, scalable, and reliable exchange of data pursuant to digital payments. Adeptia enables PCI compliance by providing the capabilities and features needed to meet and exceed PCI DSS requirements. PCI DSS is an established information security standard which applies to any organization involved in the processing, transmission, and storage of credit card information. PCI DSS are standards all businesses that transact via payment cards must abide by. Originally created by Visa, MasterCard, Discover, and American Express in 2004, the PCI DSS has evolved over the years to also ensure that online sellers have the systems and processes in place to prevent a data breach.

PCI DSS consists of twelve primary requirements and these requirements apply differently to organizations based on their role such as whether they are a merchant, a payment processor, service provider or a software vendor. The 12 requirements of PCI DSS are:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

In this article, we address Adeptia customer deployment scenarios where the Adeptia Connect application is installed, run, and managed by an Adeptia customer for example in their own data center, cloud environment, or hybrid cloud environment. Thus, in this scenario, Adeptia does not have access to the client data and so the PCI DSS requirements specific to Adeptia personnel are limited. Adeptia is required to ensure its software application supports all the features and capabilities needed to enable its clients to meet PCI DSS requirements.

PCI Requirement 6 focuses on Secure Systems and Applications and the software development lifecycle, or SDLC. PCI Requirement 6.3 states that all internal and external software applications must be securely developed, in accordance with the PCI DSS, industry best practices, and with information security incorporated. A securely developed software application should have several capabilities. It should be able to function in a hardened application or operating system. The application must encrypt sensitive data both in storage and in transmission. It should operate on a system that supports antivirus. Securely developed software supports authentication controls. It should also have the ability to be patched and continuously updated.

Adeptia meets these requirements of PCI DSS as they relate to developing a highly secure application and providing the features to enable PCI DSS compliant services. 

  • Protection against vulnerabilities
    • Adeptia has trained its developers on secure software development
    • Coding reviews are done to ensure secure coding practices are followed
    • Penetration testing is done on every release to identify vulnerabilities
    • Independent 3rd Party OWASP penetration scanning is done, and with resulting reports provided here
    • Adeptia uses WhiteSource to check all its code and libraries to identify any known issues
    • Application Security overview and other documents are available online
  • Data Management and Data Encryption
    • Adeptia application protects customer data by providing end-to-end encryption
    • Encryption at Rest – All data that is being processed or stored temporarily on hard drive is encrypted
    • Data field level encryption and data-masking features are available to protect sensitive data 
  • Runtime Data Security
    • Adeptia supports all the security standards and protocols to enable encryption for data in transit
    • Provides easy management of security keys and certificates in secure vault
    • Application and pre-built connectors leverage the security provided by the endpoint it is connected to whether using a HTTPS-based REST or SOAP API or a secure JDBC connection to a database as part of the integration pipeline. If the endpoint supports data encryption, Adeptia can be configured to send and receive encrypted data
    • Account credentials used to access endpoints from Adeptia are also stored in an encrypted way to ensure security
  • Access Controls
    • Password Security Management – Password reset, strong passwords and password expiry can be configured to meet security requirements
    • LDAP / SAML / SSO support – Adeptia connect with your Identity Management application of choice such as Active Directory or anything else
    • Granular Access Control – Adeptia enables role-based security to manage which users have access to what data and functions in the Adeptia Connect application
  • Audit trails
    • Adeptia has built in audit trails that feature all actions performed by users and timestamped including but not limited to logging into the application, editing objects, triggering data flow execution, and completing entry forms.
    • Reports and interactive search is available to quickly and easily identify, among other thing, changes to objects and activities performed by users

Some of the largest companies in the world with carrier-grade-scale production environments rely on Adeptia software to meet rigorous data security, reliability and scalability requirements. Adeptia has implemented the processes, procedures, training and technology required to meet and exceed the high expectations of its clients. If you need additional information, please contact the Adeptia sales team at [email protected].