PRESS RELEASE
Almaty
March 15, 2010
Nurbank has received an Attestation of Compliance with the international PCI DSS v.1.2 payment card security standard, taking another step towards creating a comprehensive information security system that meets the best global standards.
The project for Nurbank's preparation and certification was conducted by the Russian company PACIFICA in cooperation with IBM Corporation.
Thus, Nurbank became the first in Kazakhstan, and one of the few in Russia and the CIS countries, to achieve such a high level of data security for its clients' payment cards.
Remarkably, despite the significant scope of work, the project to prepare the bank's information system for certification was implemented in just 6 months and included three stages. In the first stage, a preliminary analysis of the payment card data security system was conducted by a QSA auditor (IBM), deficiencies were reported with recommendations, and a detailed remediation plan was developed. Adviser to the Chairman of the Board on Information Technology Andrey Chuchelov noted that “the preparation process for certification itself was of great value to the bank—it revealed the 'hidden pitfalls' in organizational, regulatory issues, in the operation of information systems, telecommunication, and system software settings, which unfortunately often become apparent only after an incident has already occurred.”
In the second stage, specialists from PACIFICA, along with Nurbank specialists, conducted a series of measures to align the information infrastructure with PCI DSS requirements, resulting in the development of a package of internal regulatory documents, installation of monitoring and event analysis tools, a security scanner, and an intrusion detection system. Necessary protection measures for the bank's business processes were also implemented, and a penetration test was conducted.
In the third stage, a certification audit was carried out, during which no non-compliance with the standard's requirements was found, and the bank deservedly received the PCI DSS Compliance certificate.
Importantly, within this project, the bank not only enhanced the security level of its information systems but also optimized the work on technological support for processing.
According to Mr. Chuchelov, obtaining the PCI DSS compliance certificate was not initially a goal in itself for the bank. For the last 3 years, the bank has been purposefully and actively developing its information security. This was driven, firstly, by the preparation and market introduction of new technological products for the bank's clients, related to the use of internet and mobile technologies. Secondly, as part of raising the bank's technological level and developing its information and technical complex, which the bank has repeatedly named as one of its priority directions, information security has been and remains one of the most important aspects for the bank.
“Obtaining PCI DSS Complied status, I consider a legitimate intermediate result, confirming the high level of development of both the information security system and the entire information-technical complex of the bank. Intermediate, because information security is not a state, it's a process that requires constant development and control,” emphasized Mr. Chuchelov.