The PCI DSS Certification has Helped OneAssist to Store Card Information Over Digital Channels

April 23, 2015

OneAssist is in the business of providing credit and debit card fraud protection services under its WalletAssist product. Its sales model is to sell primarily through affinity channels, i.e., card-issuing banks. Thus the core service of card blocking would not have been viable without the certification. Moreover, banks mandated that OneAssist be PCI DSS certified in order to store credit/debit card data for both sales and service. Since more than 90% of WalletAssist revenue is contributed by the affinity channel, business viability hinged on PCI DSS certification. OneAssist also encourages customers to register their credit and debit cards with it so that the cards can be blocked swiftly if a wallet is lost. Without PCI DSS certification, OneAssist is not authorized to store card data.

Project Head: Saurabh Chandra, CIO, OneAssist Consumer Solutions

The implementation

PCI DSS is the highest level of global security standard required for cardholder data protection. Very few companies in India are PCI DSS certified. Therefore, a strategy was prepared to build a robust PCI DSS framework. As a precursor, a comprehensive Information Security Management System (ISMS) framework was implemented in line with ISO/IEC 27001:2005, and certification was achieved in December 2012. The PCI DSS certification project cut across various facets of technology, encompassing application, infrastructure, network, and data storage. The ultimate security objective was to implement a framework that keeps cardholder data secure at rest and in motion.

For application-level security, OneAssist used the Java Cryptography Extension (JCE) framework to encrypt card data. Data transmission over untrusted networks was encrypted using Extended Validation SSL certificates from industry leader Symantec. The entire application was built following OWASP security guidelines.

The latest stable versions of all server components, including Apache, JBoss, and Oracle, were deployed to minimize vulnerabilities. Stringent hardening guidelines were laid out from the outset. A vulnerability management program was instituted to ensure swift deployment of the latest vendor patches.

At the network level, defense-in-depth security was implemented to significantly mitigate the risks arising from insider and outsider threats. For users across the organization, disk encryption technology from industry leader McAfee was used. Data leakage prevention software, also from McAfee, was implemented to eliminate the threat of card data leakage.

Keeping credit card data secure was one of the most important objectives of the solution. Therefore, all cardholder data was encrypted using AES. Multiple encryption keys, secured under split-knowledge and dual-control procedures, must work together to decrypt cardholder data whenever it is needed, making it extremely difficult for an attacker.

At the overall security program level, best practices from reputable bodies such as NIST and CIS were drawn upon. A SIEM solution was implemented across the technology stack to detect unauthorized changes. The entire solution was subjected to vulnerability assessment and penetration testing by security firm Paladian Networks.

Challenges faced

Many challenges, ranging from cultural to business to technical, were faced while implementing this project.

a.  Prioritizing security over “business” at mid and lower levels, in order to persuade people to adopt security by choice rather than by force.

b.  Deploying capital efficiently towards security when funds available for a “cost center” such as technology were very limited, given that we were a start-up.

c.  Persuading big brands such as ICICI Bank, HDFC Bank, and Kotak Mahindra Bank to strike partnerships with OneAssist, convincing them that OneAssist’s security practices were robust enough and that it would achieve PCI DSS certification.

d.  Implementing state-of-the-art technology solutions while keeping costs low by negotiating long-term partnerships with vendors. Vendors were persuaded that OneAssist’s vision would succeed and that they would benefit in the long run by partnering with OneAssist.

Business impact

At the time of writing, OneAssist has a live base of close to 1.5 lakh customers. Of this, more than 100,000 have been contributed by the affinity channel, covering HDFC Bank, ICICI Bank, and others. If OneAssist had not achieved PCI DSS certification, the existence of the affinity channel would be questionable. Simply put, OneAssist would have been languishing at 50,000 customers from other products. PCI DSS was the core requirement for these relationships to scale up. So one can conclude that PCI DSS led to a threefold jump in revenue, i.e., 1.5 lakh customers against just 50 thousand.
