Pagotec Consultancy Ltd is a UK payment services firm with its head office based in Bloomsbury Square, London, WC1A. We offer our customers a state of the art cross-border payment platform which provides payment solutions for their import, export and B2B trades.
Pagotec Consultancy Ltd is licensed as a Small Payment Institution (SPI) by the UK’s Financial Conduct Authority (“FCA”) under license FRN 913429, and is registered with HMRC under MLR number XZML00000159723.
2. Policy Statement
The purpose of this Security Policy is to:
- identify and assess risks, including but not limited to security risks, related to payment services.
- identify the objects of protection of the information systems of Pagotec Consultancy Ltd.
- establish security measures that will ensure Pagotec Consultancy Ltd IS security and the security of payment services.
- elaborate an action plan of possible Pagotec Consultancy Ltd IS actions to overcome a crisis situation.
- regulate the activities of Pagotec Consultancy Ltd structural units in relation to the implementation of this policy.
- support information security and provide an explanation of Pagotec Consultancy Ltd security organization.
- set the level of risk appetite.
- establish principles for applying a ‘defense-in-depth’ approach, i.e. instituting multi-layered controls covering people, processes and technology related to the provision of payment services, with each layer serving as a safety net for preceding layers, i.e. more than one control covering the same risk.
- establish principles for protecting the confidentiality, integrity and availability of Pagotec Consultancy Ltd critical logical and physical assets, resources related to the provision of payment services and sensitive payment data of its payment service users against abuse, attacks, inappropriate access and theft.
- establish measures which will ensure a high level of technical security and data protection.
This Security Policy shall form an integral part of the Pagotec Consultancy Ltd overall operational and security risk management framework.
3. Terms and Definitions
‘ACL (access control list)’ is a list of subject permissions attached to a protected object.
‘Pagotec Consultancy Ltd’ – Pagotec Consultancy Ltd, firm reference number 541976, a company licensed by the Financial Conduct Authority (FCA) of the United Kingdom to operate as a payment institution.
‘Crisis Situation’ means the effect of exceptional circumstances on the work of Pagotec Consultancy Ltd, which may result in the termination of Pagotec Consultancy Ltd operation in normal mode.
‘MLRO’ means Pagotec Consultancy Ltd’s Money Laundering Reporting Officer.
‘Data or Information’ means any data and information, whether in paper or electronic form and format, that is in Pagotec Consultancy Ltd possession. This definition shall also include sensitive payment data, payment services users’ data, system and process data, including but not limited to IS audit trails and logs.
‘DB’ means database – a body of information collected, processed and stored as a structured data set.
‘Firewall’ is a network security system (hardware or software based) that monitors and controls incoming and outgoing network traffic based on predetermined security rules and establishes a barrier between the Pagotec Consultancy Ltd internal network (or segments of it) and an untrusted external network such as the Internet.
‘Hazard’ means an undesirable event that can cause a loss for Pagotec Consultancy Ltd or payment services users.
‘Information Availability’ means security controls that guarantee data access for appropriate usage – read, write or execution.
‘Information Confidentiality’ is the state of the information where access to information is restricted for the people who do not have relevant rights and access. This definition shall also include security controls that guarantee data protection against unauthorized access.
‘Information Resources’ means Pagotec Consultancy Ltd’s information units and data files containing the information that is stored and processed in Pagotec Consultancy Ltd IS and OS and available to IS and OS users, as well as all IS input and output documents, regardless of media type.
‘CTO Deputy’ means the employee responsible for the security and protection of information resources and technological resources, and for handling them on behalf of Pagotec Consultancy Ltd.
‘Information Integrity’ means accuracy and completeness of information and methods of its processing. This definition shall also include security controls that guarantee data accuracy, completeness and trustworthiness.
‘Information Value’ is the level of importance of the information of Pagotec Consultancy Ltd as a market participant.
‘IS’ means one or more information systems, i.e. technically organized devices for the collection, organization, storage and processing of information.
‘IS Security’ means the set of security controls that guarantee the confidentiality, integrity and availability of IS.
‘Monitoring’ means the technical means whose main purpose is identifying, recording and analyzing the state of objects and deviations from it.
‘Operational Risks’ means the prospect of loss resulting from inadequate or failed procedures, systems or policies.
‘Payment services’ mean any of the following payment services which Pagotec Consultancy Ltd is authorized to provide:
a. Services enabling cash to be placed on a payment account and all of the operations required for operating a payment account.
b. Services enabling cash withdrawals from a payment account and all of the operations required for operating a payment account.
c. The execution of the following types of payment transaction:
(i). execution of direct debits, including one-off direct debits
(ii). execution of payment transactions through a payment card or a similar device
(iii). execution of credit transfers, including standing orders
d. the execution of payment transactions where the funds are covered by a credit line for a payment service user:
(i). execution of direct debits, including one-off direct debits
(ii). execution of payment transactions through a payment card or a similar device
(iii). execution of credit transfers, including standing orders
e. Issuing payment instruments or acquiring payment transactions
f. Money remittance
‘Payment service users’ means a person making use of any or all Payment services.
‘Penetration test’ is a planned and controlled attack on IS, during which a tester is authorized to exploit possible IS vulnerabilities in order to evaluate the adequacy of the IS security level. The test results are used to identify weaknesses and vulnerabilities of IS and may include tests of administrative security measures.
‘Risk’ Pagotec Consultancy Ltd has defined risk as the uncertainty of outcome, that an event will occur and adversely affect the achievement of objectives. The risk has to be assessed in respect of the combination of the likelihood of something happening, and the impact that arises if it actually does happen. Risk can be measured in terms of likelihood of occurrence or impact to the organization.
‘Risk analysis’ means the systematic use of available information to determine the likelihood of specified events occurring and the magnitude of their consequences, measured in terms of impact and likelihood. Risk analysis shall be performed in accordance with Pagotec Consultancy Ltd AML Policy.
‘Risk assessment’ means the overall process of risk analysis and risk evaluation.
‘Risk evaluation’ means the process used to determine risk management priorities by comparing the level of risk against predetermined standards, target risk levels or other criteria. Risk analysis shall be performed in accordance with Pagotec Consultancy Ltd AML Policy and/or Governance Arrangements.
‘Risk factor’ means potential events which may cause a hazard.
‘Risk management’ means an iterative process consisting of steps which, when taken in sequence, enable continual improvement in decision-making. It is the logical and systematic method of identifying, analyzing, evaluating, treating, monitoring and communicating risks associated with any activity, function or process in a way that will enable organizations to minimize losses and maximize opportunities.
‘Risk Mitigation’ means steps taken to control or prevent a Hazard from causing harm and to reduce Risk to a tolerable or acceptable level.
‘Security Incident/breach’ means a singular event or a series of linked events which has or will probably have an adverse impact on the integrity, availability, confidentiality, authenticity and/or continuity of Pagotec Consultancy Ltd payment-related services; this shall also include cyber threats.
‘Security Measures’ means administrative, logical and physical security controls, or combinations of such, to mitigate or avoid risks whose occurrence may impact the assets of Pagotec Consultancy Ltd. Such measures include, for example, encryption, passwords, firewalls, virus controls, and employee screening. Encryption is the use of cryptographic algorithms to encode clear text data into cipher text to prevent unauthorized observation. Passwords, pass phrases, personal identification numbers, hardware-based tokens, and biometrics are techniques for controlling access and identifying users.
‘Security risk’ means the ability of a threat to exploit a vulnerability to impact the security of Pagotec Consultancy Ltd and its data, i.e. the risk resulting from inadequate or failed internal processes or external events that have or may have an adverse impact on the availability, integrity and confidentiality of information and communication technology (ICT) systems and/or information used for the provision of payment services. This includes risk from cyber-attacks or inadequate physical security. Mitigation of security risks is stated in this policy and in the Policy on filing, monitoring, tracking and restricting access to sensitive payment data.
‘Sensitive payment data’ means classified information, including Payment services users’ personalized security credentials, which could be used to carry out fraud and that is protected against unwarranted disclosure under applicable laws and regulations. According to the Pagotec Consultancy Ltd business model the following collected/available data is classified by Pagotec Consultancy Ltd as Sensitive payment data:
- name and surname
- date of birth
- account number
- passport/ID data
- card data
- log-ins and passwords
- PIN codes, etc.
Any payment transaction information circulating internally, at the Pagotec Consultancy Ltd, is classified as sensitive payment data.
‘SLA’ means Service Level Agreement.
‘Technological resources’ means the components of the IS, which include system programs, applications, auxiliary programs, system files, computers, computer networks, hardware and other equipment that provide the operation of the Pagotec Consultancy Ltd IS.
‘Traffic’ means an incoming or outgoing data stream that moves across the network.
‘TT’ means technical task.
4. General Conditions
As a general principle in drafting this Security Policy, Pagotec Consultancy Ltd assessed in detail the risks that can be associated with the payment services provided by Pagotec Consultancy Ltd, the risks of fraud, and the security control and mitigation measures in place to adequately protect payment service users against the risks identified.
4.1. To ensure security of payment services Pagotec Consultancy Ltd has assessed risks associated with payment services and has identified the following security targets for successful risks mitigation:
(i) Hardware, including but not limited to:
- network workstations (personal computers)
- carriers, laptops and other portable computers
- local area network equipment at the Pagotec Consultancy Ltd office located at 4/4A BLOOMSBURY SQUARE, LONDON, WC1A 2RP
- servers, printers, fax machines, modems, routers and other means of communication lines
(ii) Software, including but not limited to:
- operating systems (hereinafter referred to as “OS”) and database software
- Pagotec Consultancy Ltd IS programs
- utilities, diagnostic tools and communication programs, monitoring tools
(iii) Data, including but not limited to:
- the data to be processed
- archived data
- back-up data
- logs (log files)
- trials and tests results
- data transmitted through communication channels
- paper-based data
- program documentation
- computer hardware (hardware) documentation
- Pagotec Consultancy Ltd IS (as a separate system) documentation
- Pagotec Consultancy Ltd regulatory documents and Business Continuity Plan in particular
4.2. Pagotec Consultancy Ltd has categorized the information resources and data according to the following criteria – information confidentiality and information value:
(i) Information confidentiality depends only on its content, irrespective of the media in which it is located.
(ii) Information value is determined by its level of risk regarding unauthorized access to data (both inside and outside of Pagotec Consultancy Ltd) or the loss of data due to software or hardware damage, theft, etc.
Information, depending on the criteria of information confidentiality, is categorized as follows:
(i) H – restricted access information, unauthorized disclosure whereof could result in significant loss for Pagotec Consultancy Ltd:
a. Banking passwords and security keys
b. passwords to IS which are related to storing or processing confidential (restricted access) information
c. system administrator’s passwords
d. encryption passwords and keys
e. gateway access keys and passwords
f. payment services users’ data and documentation
g. sensitive payment data
h. agreements between Pagotec Consultancy Ltd and any third parties
i. Pagotec Consultancy Ltd financial indicators prior to their official disclosure
j. IS log files
k. information on Pagotec Consultancy Ltd employees’ remuneration
l. program codes developed by the Pagotec Consultancy Ltd
m. strategic decisions of Pagotec Consultancy Ltd’s CEO
n. personal data of Pagotec Consultancy Ltd employees
provided that the company CEO may at any time decide to categorize other information as H information.
(ii) M – limited access Information, unauthorized disclosure whereof cannot cause significant damage for Pagotec Consultancy Ltd:
a. Pagotec Consultancy Ltd organizational structure
b. descriptions of ISs and user manuals
provided that the CEO may at any time decide to categorize other information as M information.
(iii) L – general information – publicly accessible information. H and M level information is confidential information.
Information depending on the level of Information Value is categorized as follows:
(iv) H – High-risk information resources:
b. IS log files access records
c. original agreements between Pagotec Consultancy Ltd and any third party
d. payment service users’ data and documentation
e. sensitive payment data
f. gateway access keys and passwords
provided that the CEO may at any time decide to categorize other information resources as H information resources.
(v) M – Medium-risk information resources:
a. Pagotec Consultancy Ltd normative documentation
provided that the CEO may at any time decide to categorize other information resources as M information resources.
(vi) L – Low risk information resources – all other resources which are not H or M categorized. H and M level information and resources are confidential information.
In addition, Pagotec Consultancy Ltd applies the following classification of information resources according to their degree of availability, which means users can use IS data and functions at a specific place and time:
(i) H – information must be mandatory available 24 hours a day.
(ii) M – the information must be available from 08:00 to 21:00.
(iii) L – information which, where possible, should be available at least from 08:00 to 21:00.
By default, all information containing or related to payment services users’ data and sensitive payment data shall be treated as “HHH level information”, i.e. H on each of the confidentiality, value and availability scales above.
Data and data storage devices or envelopes containing confidential information can be transferred to an eligible recipient only in person and should be marked as “STRICTLY CONFIDENTIAL”.
It is prohibited to send confidential information outside the Pagotec Consultancy Ltd local network in clear text (open) form, even in cases where the confidential information is necessary for the due provision of payment services, is requested by the FCA or other authorities or external audit companies, or the transmission of the information is approved by the IT Security specialist.
Pagotec Consultancy Ltd securely stores all necessary classified information related to payment services users and employees, even after the end of the relationship, for a period determined by applicable laws and regulations (5 years or more). When that retention period has ended, Pagotec Consultancy Ltd performs information destruction according to the procedure below:
(i) information resources holder must confirm that information can be destructed.
(ii) for data written or printed on paper, Pagotec Consultancy Ltd uses a shredding machine. The remains are then properly mixed with other paper waste and passed to public recycling services.
(iii) for digital data, Pagotec Consultancy Ltd uses a specially designed algorithm of triple random bit overwriting of the data sectors (sanitization), after which the data cannot be reconstructed.
(iv) all other types of media (hard drives, flash cards, etc.) are digitally wiped first (where possible), then physically destroyed, ensuring that the media cannot be reconstructed.
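The triple random overwrite of step (iii), shown as an added example in Python; this is not Pagotec's own sanitization tooling. It assumes a file system where an in-place write lands on the same on-disk blocks (no copy-on-write snapshots, journaled data or flash wear levelling), which is exactly why step (iv) still requires physical destruction for media where that assumption fails. The sample file content is constructed.

```python
"""Triple random-overwrite sanitization of a file's data (added example)."""
import os
import tempfile

CHUNK = 1024 * 1024  # write random data 1 MiB at a time to bound memory use

# Constructed sample content standing in for a classified file.
SAMPLE = b"ACCOUNT 12345678 PIN 0000\n" * 200


def overwrite_file(path: str, passes: int = 3) -> int:
    """Overwrite every byte of `path` with fresh random data `passes` times.

    Returns the number of bytes written (file size * passes). The file is left
    in place so a caller can inspect it; sanitize_file() finishes the job.
    """
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(os.urandom(n))  # new random bits for every pass
                written += n
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # push this pass to the device, not just the page cache
    return written


def sanitize_file(path: str, passes: int = 3) -> int:
    """Overwrite, then truncate and unlink, so neither content nor size survives."""
    written = overwrite_file(path, passes)
    with open(path, "r+b") as fh:
        fh.truncate(0)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)
    return written


def run_demo(content: bytes) -> dict:
    """Write `content` to a temp file, overwrite it, check the change, then sanitize it."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    written = overwrite_file(path)
    with open(path, "rb") as fh:
        after = fh.read()
    changed = len(after) == len(content) and after != content
    written += sanitize_file(path)  # second triple pass, then truncate and unlink
    return {"written": written, "changed": changed, "exists": os.path.exists(path)}


if __name__ == "__main__":
    print(run_demo(SAMPLE))
```

Each pass is fsync'd separately so that a crash between passes cannot leave the original data with only a cached overwrite; the final truncate removes the size leak that an overwritten-but-present file would still expose.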
4.3 In designing, developing (including testing) and providing payment services, Pagotec Consultancy Ltd shall ensure that segregation of duties and ‘least privilege’ principles are applied. This shall especially apply to IS.
4.4 Pagotec Consultancy Ltd has appointed the CEO as the person responsible for the functioning and safety of the relevant resource.
Mr. Olugbenga is responsible for:
(i) classification of the information on the Information resource and ensuring the integrity, availability and confidentiality of the data to be processed.
(ii) the granting of rights to access information.
(iii) risk analysis.
(iv) development of rules for the use of the Information resource.
(v) cooperation on IS safety and functioning issues.
(vi) determining the procedure for the creation and storage of audit trails.
(vii) performing a semi-annual audit of the assigned permissions of Pagotec Consultancy Ltd IS users.
(viii) ensuring the physical and logical protection of technological resources.
(ix) cooperation on the protection of information security and on access issues.
(x) participation in risk analysis.
(xi) cooperation regarding Pagotec Consultancy Ltd IS safety and functioning issues.
Pagotec Consultancy Ltd has identified the following requirements for risk assessment and risk management:
(i) risk assessment is mandatory for each new project, as well as in the case of any significant changes to the existing Pagotec Consultancy Ltd IS.
(ii) risk management methods are selected by assessing the relationship between the costs of the measures to be taken and the potential losses in the event of a risk.
(iii) special attention shall be paid to operational and security risks.
4.5 Pagotec Consultancy Ltd has defined the following methods of IS protection:
(i) drafting, updating Pagotec Consultancy Ltd normative documents and introducing those to Pagotec Consultancy Ltd employees.
(ii) IS and hardware operational software periodical vulnerability checks and patching.
(iii) Pagotec Consultancy Ltd employee training and security awareness program.
(iv) continuous IS monitoring.
(v) Pagotec Consultancy Ltd implements IS defense-in-depth (layered protection) by using separate security appliances, giving high redundancy of IS security.
(vi) cryptographic algorithms are continuously monitored and updated, so that the strongest available cipher is used in IS.
(vii) upon hiring new personnel Pagotec Consultancy Ltd obtains an extract from the criminal offences database confirming the absence of a criminal record.
4.6. Pagotec Consultancy Ltd has identified potential loss criteria:
(i) direct losses – relate to the loss of Data resulting from operational or security system errors that result in the theft of certain amounts or losses for Payment services users.
(ii) indirect losses – relate to a decrease in Pagotec Consultancy Ltd reputation level and are not related to the loss of certain amounts.
4.7. Pagotec Consultancy Ltd has made the following classification of Pagotec Consultancy Ltd employees’ rights to access information levels and data, observing that such access rights are based on the principles of “least privilege” and “need to know”, whereby authorized users will only be granted access to the information systems and networks that are necessary for them to carry out their responsibilities and functions:
- IS users who have the right to access read-only information.
- employees who, in accordance with their duties, have the right to read/write/modify and delete information, but always provided that need to know principle is being observed.
- IS administrators who have unrestricted access rights to a specific IS.
- common IS administrators who have unrestricted access rights to all network resources.
- IS developers who have the right to modify the software on the development server.
- IT Security specialist to whom the right to access any Pagotec Consultancy Ltd IS for audit purposes is temporarily granted.
4.8 List of Information resource holders and list with access rights shall be approved by the CEO in accordance with the principle that access to systems containing H-level information should be allowed to employees only on the “need to know” basis and when strong authentication solutions are used in accordance with relevant IS.
4.9 Upon entering into legal employment with an employee, Pagotec Consultancy Ltd ensures that:
(i) he/she is being introduced to this Security Policy summary and the other Pagotec Consultancy Ltd documents constituting the Pagotec Consultancy Ltd general operational and security risk management framework.
(ii) the clause on the non-disclosure of confidential information is included in the employment contract.
(iii) the new Pagotec Consultancy Ltd employee shall obtain access to the information resources and network only after the relevant application is signed and the training course has been completed to the satisfaction of Pagotec Consultancy Ltd.
(iv) he/she is aware of his/her personal responsibility to comply with this Security policy as part of the induction process.
4.9.1. In cases where an employee moves to another department of Pagotec Consultancy Ltd, all of his/her previously allocated IS access rights shall be reviewed. Renewal of access rights shall be made on the basis of a new application and depending on the employee’s functions.
4.9.2. In the case of changes in the duties of a staff member within a department, the MLRO shall assess the right of access to the functions performed by the employee.
4.9.3. Upon termination of the employment relationship with Pagotec Consultancy Ltd, all the privileges and access rights assigned to the given user shall be deleted.
4.10. Appointed person shall be responsible for regular intelligence submission to the CEO on who may be targeting Pagotec Consultancy Ltd, their methods and their motivations.
4.11. In the design, development, and provision of the payment services and design, development, and maintenance of relevant associated ISs, the responsible staff should ensure that collection, routing, processing, storage, and/or archiving and visualization of sensitive payment data and payment services user’s data is adequate, relevant and limited to what is necessary for the provision of its payment services.
4.12. IT Security specialist shall be responsible for regular intelligence submission to the CEO on who maybe targeting Pagotec Consultancy Ltd, their methods and their motivations.
5. Pagotec’ physical and logical protection
5.1. Physical protection
a. Storage and use of personal media.
(i) Employees are prohibited from installing and using the flash memory, USB memory key, CD-RW, etc. on their own.
(ii) Employees who are authorized to use personal data carriers (flash memory, USB memory key,CD-RW) are approved by the CEO.
b. Computer network line cabling system.
(i) Computer network cabling is routed in closed trunking or in the free space between partitions and ceilings, thus protecting it from external physical exposure.
(ii) The computer network is built as a structured cabling network.
(iii) To increase security, all connecting cables are duplicated.
(iv) To limit access to data, sensitive payment data and critical data, the segments of the computer network carrying these data are isolated from the main computer network.
(v) Expansion and upgrading of the computer network should not impair the key performance of the computer network.
c. Deployment of Information Resources:
(i) All Pagotec Consultancy Ltd payment services are deployed on separate servers and cluster solutions are used; disturbances in one service cannot affect the work of other services.
(ii) All electronic documents, including confidential information, are stored securely on the file server.
(iii) Local discs are only allowed to store unclassified information.
d. Destruction of information.
When selling or transferring computers to third parties, or removing IS, all classified information on those devices must be destroyed (sanitized).
e. Destruction of Physical Information, Media Containing Confidential Information:
(i) It is at Pagotec Consultancy Ltd prohibited to discard physical media (paper, discs etc.) without previously destroying them.
(ii) The way of destruction is to ensure that any known reasonable possibility of restoring information is excluded.
5.2. IS logical protection
(i) All servers are implemented with high redundancy principles, including RAID.
(ii) IT department System administrator is responsible for server maintenance, to ensure its stable operation.
(iii) IT department System administrator manages the passwords for accessing the servers. The passwords must comply with the parameters specified in this Policy.
(iv) IT department System administrator is responsible for IS monitoring.
b. Work with a personal and a portable computer:
(i) Each personal computer (hereinafter referred to as PC) is affiliated with a particular employee.
(ii) The employee is responsible for the security of the information at his/her disposal.
(iii) The employee should immediately inform the IT department about the disturbances of normal functioning of the PC.
(iv) Employees are prohibited from obtaining and installing any kind of program updates on their own – this should be performed only by IT department employees.
(v) IT department develops and maintains the PC list with a description of their configurations.
(vi) For all types of computers, Pagotec Consultancy Ltd uses the same protection methods with the following additional condition: compulsory encryption of confidential documents by means of whole-disk encryption with the AES cipher, with access protected by password.
(vii) It is prohibited to leave computers in public places; when using in public places it has to be ensured that no classified data (including sensitive payment data) is accessible to the unauthorized person at any time.
c. Control of the right of access to Data (including Sensitive Payment data) and ISs:
(i) Access to information resources and ISs for employees is provided only after the submission of a special application. This submission must be approved by the CEO.
(ii) IT department ensures protection against unauthorized configuration changes (BIOS set-up password) according to the password generation requirements of this Policy.
(iii) When using computer network domain resources, access to an inactive computer is automatically blocked after a certain time (auto-logout).
(iv) The employee himself cannot assign a password to access certain documents.
(v) Before leaving working place staff must ensure the computer lock (logging off) or shut down.
(vi) IT Security specialist shall be responsible for access control to ISs, including but not limited to logging and reviewing the systems’ activities and monitoring for anomalies. Access logs shall be retained for a period of 5 years. The information mentioned above shall be used by Pagotec Consultancy Ltd for, including but not limited to, facilitating the identification and investigation of anomalous activities detected in the provision of Payment Services.
(vii) IT Security specialist shall be responsible for the creation and storage of audit trails for Pagotec Consultancy Ltd IS containing classified Information resources and activities on a computer network that has access to Pagotec Consultancy Ltd IS containing classified Information resources.
(viii) When processing Data, including Sensitive payment data, Pagotec Consultancy Ltd ensures the creation of audit records for certain events in Pagotec Consultancy Ltd IS (access, data entry, modification, deletion, output, etc.); IT Security specialist shall be responsible for ensuring that electronic access by applications to data and IS is implemented in accordance with the “least privilege” principle.
(ix) When dealing with sensitive payment data, Pagotec Consultancy Ltd shall follow PCI DSS standard compliance at all times.
(x) Activity logs from IS are sent to a dedicated accounting system – “Log server” – that is separated from the core network. Access to the logs is supervised by the IT Security specialist to preserve the integrity of the content.
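The audit records of (viii) and the integrity goal of (x), as an added example in Python that is not Pagotec's own log server: each record commits to the hash of the record before it, so any edit or deletion inside the retained trail is found by verify(). The event types are those listed in (viii); the time stamps, actors and object names are constructed sample data, and the "anchor" stored off-host is an assumption about how the separate Log server would hold the newest hash.

```python
"""Hash-chained audit trail for IS events (added example)."""
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # previous-hash value for the first record
EVENT_TYPES = {"access", "entry", "modification", "deletion", "output"}  # from (viii)


def record_hash(rec: dict) -> str:
    """SHA-256 over every field except the hash itself, in canonical JSON form."""
    body = {k: v for k, v in rec.items() if k != "hash"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.records: list[dict] = []

    def append(self, ts: str, actor: str, action: str, obj: str, detail: str = "") -> dict:
        if action not in EVENT_TYPES:
            raise ValueError(f"unknown audit event type: {action}")
        rec = {
            "seq": len(self.records),
            "ts": ts,
            "actor": actor,
            "action": action,
            "object": obj,
            "detail": detail,
            "prev": self.records[-1]["hash"] if self.records else GENESIS,
        }
        rec["hash"] = record_hash(rec)
        self.records.append(rec)
        return rec

    def anchor(self) -> str:
        """Hash of the newest record; keep it off-host (assumed: on the Log server)
        so that truncation of the tail is detectable as well."""
        return self.records[-1]["hash"] if self.records else GENESIS

    def verify(self, expected_anchor: Optional[str] = None) -> Optional[int]:
        """Return None if the chain is intact, else the seq of the first bad record.

        Truncation at the end is invisible to the chain alone; pass the anchor
        recorded earlier to catch it (reported as len(records)).
        """
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.get("seq") != i or rec.get("prev") != prev or record_hash(rec) != rec.get("hash"):
                return i
            prev = rec["hash"]
        if expected_anchor is not None and prev != expected_anchor:
            return len(self.records)
        return None


def sample_trail() -> AuditTrail:
    """Constructed events of the kinds listed in (viii)."""
    t = AuditTrail()
    t.append("2024-05-01T09:00:00Z", "jdoe", "access", "payments_db", "login from workstation WS-07")
    t.append("2024-05-01T09:03:12Z", "jdoe", "entry", "payment/000123", "new credit transfer")
    t.append("2024-05-01T09:10:45Z", "jdoe", "modification", "payment/000123", "beneficiary IBAN corrected")
    t.append("2024-05-01T09:15:02Z", "asmith", "output", "payment/000123", "exported to settlement file")
    t.append("2024-05-01T17:30:00Z", "jdoe", "deletion", "draft/000124", "draft discarded")
    return t


if __name__ == "__main__":
    trail = sample_trail()
    print("intact:", trail.verify() is None)
    trail.records[2]["detail"] = "beneficiary IBAN replaced"  # simulate an after-the-fact edit
    print("first bad record:", trail.verify())
```

The chain only proves that nothing inside the retained window was altered; the separately held anchor is what turns "someone deleted the newest records" into a detectable event, which is why the page puts log retention on a Log server outside the core network rather than on the producing host.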
d. Local area networks:
(i) The local area network equipment is concentrated in the server room.
(ii) The cabling system is structured and constructed in accordance with this Policy.
(iii) It is necessary to ensure the fulfilment of the conditions specified in this Policy on the network of connected PCs (network workstations).
(iv) Each employee has a separate account to connect to the local network resources.
(v) IT department organizes and performs continuous monitoring of the local network state.
(vi) The IT department maintains the following documents in an appropriate manner: the layout of the local area network cabling system, and the local area network plan.
e. Passwords and login names:
(i) All IS users will be required to have a unique Login name and password for access to systems. The user’s password should be kept confidential and MUST NOT be shared with management & supervisory personnel and/or any other employee whatsoever and any other person. All users must comply with the following rules regarding the creation and maintenance of passwords:
- Password must not be found in any English or foreign dictionary. That is, do not use any common name, noun, verb, adverb, or adjective. These can be easily cracked using a standard dictionary attack.
- Passwords should not be posted on or near computer terminals or otherwise be readily accessible in the area of the terminal.
- Password must be changed every 90 days.
(ii) User accounts will be frozen after 5 failed login attempts.
(iii) Employees are not allowed to access password files on any network infrastructure component. IT specialist is responsible for arranging continuous monitoring and alert system to protect password files against unauthorized access. Copying, reading, deleting or modifying a password file on any computer system is prohibited. No passwords are stored in clear (open) text, salted hashes are used instead.
(iv) Employees will not be allowed to log in with administrator rights.
(v) Employees who forget their password must call the IT department to get a new password assigned to their login name. The employee must identify himself/herself to the IT department.
(vi) Employees will be responsible for all operations occurring during login sessions initiated by the useof the employee’s password and login name. Employees shall not log in to a computer and then allow another individual to use the computer or otherwise share access to the computer systems.
(vii) Login names shall be generated by IT department by the following principle: 1 first letter of name + surname, or using another principle with prior permission from the CEO.
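The following is an added worked example (not Pagotec Consultancy Ltd's code) showing how rules e.(i), (ii), (iii) and (vii) above fit together in software: a dictionary-based password check that also catches simple digit and symbol substitutions, salted slow hashing so that no clear-text password is ever stored, constant-time verification, a lockout after 5 failed attempts, a 90-day expiry and the login-name rule. The minimum length of 12 characters, the PBKDF2 work factor, the small sample dictionary and the `Account` class are assumptions made for the example; the policy specifies none of them.

```python
"""Password policy, salted hashing and lockout (added example, not Pagotec's code)."""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta
from typing import List, Optional

MAX_FAILED_ATTEMPTS = 5                 # policy e.(ii): lock after 5 failed logins
PASSWORD_MAX_AGE = timedelta(days=90)   # policy e.(i): change every 90 days
MIN_LENGTH = 12                         # assumption: the policy sets no minimum length
PBKDF2_ITERATIONS = 600_000             # assumption: work factor chosen for this example

# Constructed stand-in for the English/foreign dictionary the policy refers to.
SAMPLE_DICTIONARY = {"password", "london", "summer", "welcome", "dragon", "pagotec"}

_LEET = str.maketrans("@$0134", "asoiea")


def _normalise(candidate: str) -> str:
    """Lower-case, strip leading/trailing digits and symbols and undo common
    letter-for-symbol substitutions, so 'Summer2024!' and 'P@ssw0rd-2024' are
    compared to the dictionary as 'summer' and 'password'."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", candidate.lower())
    return core.translate(_LEET)


def check_policy(candidate: str, dictionary=SAMPLE_DICTIONARY) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _normalise(candidate) in dictionary:
        problems.append("based on a dictionary word")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash; the stored string carries scheme, work factor and salt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, password: str) -> bool:
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant-time compare


def login_name(first_name: str, surname: str) -> str:
    """Policy e.(vii): first letter of the first name followed by the surname."""
    return (first_name[0] + surname).lower()


class Account:
    def __init__(self, login: str, password: str, now: datetime):
        self.login = login
        self.failed_attempts = 0
        self.locked = False
        self.set_password(password, now)

    def set_password(self, password: str, now: datetime) -> None:
        problems = check_policy(password)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        self.password_hash = hash_password(password)
        self.password_set_at = now

    def authenticate(self, password: str, now: datetime) -> str:
        """Return 'ok', 'expired', 'bad_password' or 'locked'."""
        if self.locked:
            return "locked"  # no hint whether the password was right
        if not verify_password(self.password_hash, password):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
                return "locked"
            return "bad_password"
        self.failed_attempts = 0
        if now - self.password_set_at > PASSWORD_MAX_AGE:
            return "expired"  # correct password, but it must be changed before use
        return "ok"
```

Note that `expired` is only reported after the password has been verified, so an attacker probing a locked or expired account learns nothing about the password, and failed attempts keep counting towards the lockout regardless of the password's age.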
f. Corporate Network Security:
(i) Dedicated lines, private networks or public networks (DSL, ISDN, GSM, etc.) may be used as communication lines.
(ii) The IT Security specialist is responsible for the security of the corporate network.
(iii) The IT Security specialist is responsible for the continuous protection of the corporate network.
g. External network security:
An external network may be a public or a private network.
(i) Requirements for public and private networks:
a. a separate risk assessment and analysis is performed for each gateway.
b. the technical, logical and administrative security of private networks is governed by contracts and SLAs with the service provider.
c. additional security measures should be considered by the IT Security specialist before any connection is established, i.e. at the planning stage; the «defense in depth» principle should be taken into account.
d. any use of a public network is considered untrusted. Security measures must be taken to ensure IS safety and information security: approval/authorization from the IT Security specialist is required, and information carried over such a network must be transmitted securely, i.e. encrypted or tunnelled over a secure VPN protocol.
(ii) Cross-network access control is implemented at the Firewall:
a. anti-malware protection;
b. authentication and authorization of the user establishing the connection;
c. for maintenance connections to the IS (administrators only), VPN and two-factor authentication are used;
d. an IDS (Intrusion Detection System) is implemented.
h. Use of the web at workplaces.
Internet use brings together various services and protocols, such as the WWW (World Wide Web), e-mail, FTP (file transfer) and ancillary protocols (DNS, ICMP, etc.).
A proxy server is installed so that use of the web can be controlled.
(i) By default, users of corporate network workstations are allowed access only to the necessary web services (corporate e-mail and the web only).
(ii) A firewall is used.
(iii) The IT Security specialist arranges control over the use of web services (creation and storage of log files).
(iv) All e-mails shall be checked for malware on the e-mail server.
(v) Employees are prohibited from visiting links to illegal or inappropriate content.
(vi) Employees are prohibited from installing any programs on their own.
(vii) The use of any free (public) e-mail service is prohibited without the written permission of the IT Security specialist; such permissions shall be reviewed by the IT Security specialist every 6 months to evaluate whether they are still necessary.
(viii) The IT Security specialist arranges daily monitoring of incoming and outgoing web traffic.
i. Telephone network:
(i) All telephone network hardware and communications are protected against unauthorized physical interference.
(ii) Only the CEO may access the communications equipment.
(iii) The employees of Pagotec Consultancy Ltd are responsible for the telephone lines and telephone sets assigned to them. This applies to both fixed and mobile phones.
j. Firewall and other security protection
Any Firewall configuration must be approved by the CEO in advance.
(i) The Perimeter Firewall is one of the components of the "defence in depth" security strategy.
(ii) The Perimeter Firewall must be a device that is a firewall by design, i.e. according to its operating principles. Software provided solely for the firewall function, together with the software required to operate the Firewall (anti-malware, web filters, etc.), is also considered part of the Firewall. Other devices, such as routers or switches that perform some firewall functions, cannot be used in place of the Perimeter Firewall.
(iii) The Perimeter Firewall monitors the flow of incoming and outgoing data (traffic).
(iv) The Perimeter Firewall has physical protection (limited physical access).
(v) The configuration of the Firewall must be documented. The IT Security specialist is responsible for arranging proper documentation of the Firewall configuration as required by the PCI DSS standard.
(vi) Maintenance of the Firewall should be carried out at the highest SLA level, at least quarterly.
(vii) The Firewall should be connected in such a way that the agreed SLA level is met.
Principles of safe Firewall operation:
(i) Any necessary change to the Firewall configuration must be approved in advance by the IT Security specialist, and qualified IT department staff must be delegated by the CEO to make such changes. A backup of the current configuration must be stored securely before the change is made.
(ii) All Firewall log files should be stored in a safe place outside the Firewall device (e.g. on the Log Server).
(iii) The availability and integrity of the Firewall log files must be guaranteed.
(iv) The Firewall should be constantly monitored by IT department staff.
(v) By default, the Firewall must block all traffic that is not explicitly permitted in the ACL (allow list), i.e. the default rule is deny.
(vi) Before any change is made to the Firewall, a risk assessment must be performed.
(vii) The configuration of the Firewall must be documented by the delegated IT administrator. Backups of Firewall log files must be made at least daily.
(viii) The Firewall must be configured so that it generates events in real time for the monitoring system.
(ix) All verification records must be logged and signed off by the IT Security specialist.
(x) A penetration test plan shall be developed by the IT Security specialist and approved by the CEO. "External" and "internal" penetration tests of the IS, including the Firewall, shall be conducted at least annually, based on the requirements of this Policy and the PCI DSS standard, to ensure that the Firewall functions in accordance with the principles of this Policy.
(xi) The IT Security specialist shall be responsible for continuous malware protection: establishing and maintaining malware defences to detect and respond to known attack code.
(xii) The IT Security specialist shall be responsible for continuous patch management: patching known vulnerabilities with the latest version of the software, to prevent attacks that exploit software bugs. Security patches shall be applied within an appropriate time frame: 1 day for critical patches. Where a vulnerability cannot be patched, compensating measures shall be taken to make it very difficult to exploit.
The CEO shall be responsible for an inventory of all authorized hardware and software used across Pagotec Consultancy Ltd, taken at least every 6 months. The inventory should capture the physical location, business owner and purpose of each item of hardware, together with the version and patch status of all software.
k. Encryption and key management:
(i) The encryption strength and the specific algorithms for each service are determined separately, based on the relevant need, best practice and regulatory requirements, and taking the level of risk into account. For information protection, Pagotec Consultancy Ltd uses cryptographic software that meets the PCI DSS requirements for strong cryptography.
(ii) Data sent over corporate network channels and the Internet must be encrypted in transit.
(iii) All confidential information stored electronically must be encrypted at rest.
(iv) When confidential data is transferred outside the corporate network to financial networks, cryptography is applied in accordance with the rules adopted by the owners of those networks.
(v) The validity period of encryption keys for each service is determined separately, based on the relevant needs and taking the level of risk into account. Recommended key expiration: 3 months.
(vi) The owner of an encryption key is responsible for its use and security. The key owner must obtain a new key if the key has expired or has become known to anyone other than the owner.
(vii) The handling of public encryption keys is determined for each particular service separately, subject to the following conditions:
- the key attributes are checked: type, strength, creation date, serial number, validity period and digital signature.
- a key exchange record (protocol) signed by the key owners is drawn up.
- copies of critical (Master) cipher keys are stored securely with the MLRO.
- a backup copy is made whenever a key is created (where the service requires it), so that the key can be replaced using the Master key in case of loss.
- the IT Security specialist periodically organizes monitoring of the use of employees' encryption tools.
Rules for the use of encryption tools by employees:
(i) Employees may use encryption/decryption tools to ensure the security of data stored or transmitted. To do so, they must obtain approval from the IT Security specialist.
(ii) Installation and testing of encryption/decryption tools is approved by the IT Security specialist and delegated to the IT department.
(iii) Pagotec Consultancy Ltd employees are prohibited from installing or using any encryption/decryption software themselves, other than tools approved and installed under (i) and (ii).
(iv) All secret/private keys for the encryption/decryption of Pagotec Consultancy Ltd employees' e-mails are generated by delegated IT department specialists.
7. Remote Access
(i) Only authorized persons may remotely access the Pagotec Consultancy Ltd network. Remote access shall be provided to those Pagotec Consultancy Ltd employees, contractors and business partners who have a legitimate business need to exchange information, copy files or programs, or access computer applications. Such access rights shall be reviewed every 6 months. Additionally, the IT Security specialist shall review each requested connection, analyse the security requirements and, depending on the results, may prescribe a different secure connection method.
(ii) Remote administrative access to critical IS shall be granted only on a need-to-know basis and only where strong authentication and strong connection security solutions are used.
8. The Security of Assets, Payment and Transaction Processes in Respect of Payment Services:
(i) Pagotec Consultancy Ltd provides payment services via a PCI DSS-compliant system provider and has set the following general terms to ensure the security of assets, payment and transaction processes in respect of payment services:
a. The IT Security specialist shall be responsible for supporting the following security measures to prevent incomplete or fraudulent transmission, misrouting, repudiation of transactions, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication and replay:
1. validating and verifying user credentials;
2. strong authentication of payment services users for internet bank access, using the two-factor principle (DigPass token: something you have; PIN: something you know);
3. using cryptography to protect data and information at rest and in transit;
4. detailed logging of transaction data, including the sequential number of the action/operation, timestamps, parameterization changes and all access to transaction data; the log files must also make it possible to trace any addition, change or deletion of transaction data in the event of unauthorized access;
5. establishing secure communication protocols;
6. storing online transaction details on servers within the appropriate network security zone.
A more detailed description of the payment transaction security process, as well as a description of sensitive payment data flows, is given in the relevant annex to the Pagotec Consultancy Ltd Policy on filing, monitoring, tracking and restricting access to sensitive payment data.
b. Pagotec Consultancy Ltd limits the number of log-in or authentication attempts to an IS, after which access to the relevant IS is temporarily or permanently blocked. The IS also has defined rules for session time-out and time limits on the validity of authentication. The CEO reviews the above rules annually, or more frequently on the recommendation of the MLRO.
c. All transaction information passed between the payment services user interface and Pagotec Consultancy Ltd systems, and between bank/payment card systems and Pagotec Consultancy Ltd, is encrypted using TLS with certificates backed by 2048- or 4096-bit RSA keys.
d. The IS used by Pagotec Consultancy Ltd allows transactions to be traced in an appropriate manner.
e. Pagotec Consultancy Ltd has multiple private links into the banking network that are securely separated from the Internet and any publicly accessible networks. Any payment services users' information sent to the banks, and any authorization message coming back, is protected by TLS certificates/encryption so that it cannot be tampered with undetected.
f. A description of the systems and procedures that Pagotec Consultancy Ltd has in place for transaction analysis and the identification of suspicious or unusual transactions is given in the Pagotec Consultancy Ltd fraud detection and transaction monitoring principles.
g. Any Pagotec Consultancy Ltd employee who becomes aware of an operational or security incident, or who receives a security-related complaint from a payment services user, shall immediately report it to the CEO.
h. Employees of the IT department are responsible for regular checks that the software used for the provision of payment services, including any payment-related software of the payment services users, is up to date and that critical security patches are deployed.
i. Employees of the IT department are responsible for ensuring that integrity-checking mechanisms are in place to verify the integrity of software, firmware and information on the Pagotec Consultancy Ltd payment service.
j. Pagotec Consultancy Ltd ensures that payment services users are able to notify it of the loss or compromise of personalized credentials on a 24/7 basis; upon receipt of such a notification, and after identifying the payment services user according to the relevant Pagotec Consultancy Ltd procedures, the relevant personalized credentials are blocked/suspended.
k. Pagotec Consultancy Ltd segregates payment services users' funds from its own funds in its books and holds payment services users' funds on a separate bank account, notifying the relevant bank that these funds are payment services users' funds. The MLRO performs an ongoing review of such banks and follows the available information about them.
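Item a.4 above requires transaction logs in which any addition, change or deletion of a record can be traced, and the Firewall principles in section j require the integrity of log files to be guaranteed. The added example below (not Pagotec Consultancy Ltd's code) shows one way to make such a log tamper-evident: each entry carries its sequential number, timestamp, actor, action and data plus the MAC of the previous entry, and a keyed HMAC over all of that; a verifier walking the chain reports the first entry that was altered, removed or reordered, and a separately stored head MAC also exposes truncation of the tail, which a bare hash chain cannot see. The entry format, the HMAC key and the sample transactions are constructed for the example; the key is assumed to be held on the log server, not on the system writing entries.

```python
"""Tamper-evident transaction log: keyed hash chain (added example, not Pagotec's code)."""
import copy
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional, Tuple

GENESIS = bytes(32)  # chain anchor for the first entry


def _canonical(body: dict) -> bytes:
    # Fixed key order and no whitespace, so the same record always gives the same bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _mac(key: bytes, body: dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()


class TransactionLog:
    """Append-only log. Each entry's MAC covers its own fields and the MAC of the
    entry before it, so editing, deleting or reordering any entry breaks the chain."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[dict] = []
        self.head: str = GENESIS.hex()  # MAC of the latest entry; keep a copy off-box

    def append(self, actor: str, action: str, data: dict,
               ts: Optional[datetime] = None) -> dict:
        body = {
            "seq": len(self.entries) + 1,
            "ts": (ts or datetime.now(timezone.utc)).isoformat(),
            "actor": actor,
            "action": action,
            "data": data,
            "prev": self.head,
        }
        entry = dict(body, mac=_mac(self._key, body))
        self.entries.append(entry)
        self.head = entry["mac"]
        return entry


def verify_chain(entries: List[dict], key: bytes,
                 expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Return (True, None) if the chain is intact, otherwise (False, seq) where seq
    is the first entry at which modification, deletion or reordering was detected.
    Passing the separately stored expected_head also detects a truncated tail."""
    prev = GENESIS.hex()
    for expected_seq, entry in enumerate(entries, 1):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != expected_seq or body.get("prev") != prev:
            return False, body.get("seq")          # gap, reorder or re-linked entry
        if not hmac.compare_digest(_mac(key, body), entry.get("mac", "")):
            return False, expected_seq             # contents or MAC altered
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return False, entries[-1]["seq"] if entries else 0  # entries removed from the end
    return True, None


if __name__ == "__main__":
    key = b"constructed-demo-key-kept-on-log-server"   # assumption: not the real key
    log = TransactionLog(key)
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    log.append("jsmith", "payment.create", {"id": "TX-1", "amount": "100.00", "ccy": "GBP"}, t0)
    log.append("jsmith", "payment.approve", {"id": "TX-1"}, t0)
    log.append("ops", "limit.change", {"daily_limit": "50000"}, t0)
    print("intact:", verify_chain(log.entries, key, log.head))
    tampered = copy.deepcopy(log.entries)
    tampered[1]["data"]["id"] = "TX-9"
    print("edited entry 2:", verify_chain(tampered, key))
    print("entry 2 deleted:", verify_chain(log.entries[:1] + log.entries[2:], key))
    print("tail cut, head known:", verify_chain(log.entries[:2], key, log.head))
```

Because the MAC is keyed, an attacker who can rewrite the log file but does not hold the key cannot recompute a consistent chain; this is why the policy's requirement to store logs off the device that produced them matters, and why the head value should be recorded somewhere the log writer cannot reach.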
(ii) Tools deployed/used for the prevention of fraud at Pagotec Consultancy Ltd:
a. Address verification service (AVS). AVS is a security check designed to combat one of the most common forms of online credit card fraud. It compares the billing address provided by the customer with the billing address on file at the customer's card issuer. The payment gateway receives a response code and then either accepts or declines the transaction according to the configured settings.
b. Card verification value (CVV). A customer's card code is a three- or four-digit security code printed on the card's signature panel (in reverse italics) or following the full number on the front of the card. Similarly to AVS, the CVV check compares the card code supplied by the customer with the card code on file at the card issuer. The payment gateway receives the CVV response code from the issuer and either accepts or declines the transaction according to the configured settings. Since the card code should be known only to the person in possession of the physical card, and must never be stored after authorization, it provides an extra measure of security against unauthorised card transactions.
c. The multiple user accounts feature, which strengthens account security and streamlines transaction management by creating a unique user account with a distinct login ID and password for each employee who accesses the Merchant Interface. Each user account is assigned a specific set of permissions, i.e. the actions the user is permitted to perform within the Merchant Interface. These permissions restrict access to Merchant Interface features on a need-to-use basis, making business operations more secure and efficient.
d. Password-required mode. When placed in password-required mode, the payment gateway requires an authentication value for each transaction submitted for the payment gateway account. Any transaction submitted without proper authentication is rejected by the payment gateway.
e. If integration with the payment gateway is via a shopping cart or third-party solution, the payment services user should be instructed to contact their solution provider to confirm that the payment gateway transaction key or fingerprint is passed with every transaction.
f. 3-D Secure is an issuer-side cardholder authentication and fraud control feature that is integrated with the Pagotec Consultancy Ltd payment gateway and is invoked at the request of the card issuer. Pagotec Consultancy Ltd may also make the 3-D Secure check a mandatory attribute requested from the issuer for predefined merchants, countries, amounts, etc. for additional security; if that attribute is not available, does not meet the requirements or fails the check, the transaction is rejected or not initiated at all.
g. Certain Pagotec Consultancy Ltd IS functionality contains fraud detection (anti-fraud) solutions/modules.
Fraud and security incidents shall be followed up in accordance with the Pagotec Consultancy Ltd Cyber Incident Response Policy.
9. Monitoring, detection and testing of technological security measures and technical equipment
(i) Pagotec Consultancy Ltd performs continuous IS monitoring of defined parameters in order to ensure the uninterrupted operation and availability of the Pagotec Consultancy Ltd IS, and to detect physical or logical intrusion and breaches of the confidentiality, integrity and availability of the information assets used in the provision of payment services, in accordance with the requirements of this Policy.
(ii) During monitoring, increased attention is paid to IS users' activity, particularly access to sensitive payment data and confidential information, the use of privileged accounts, and all remote connections and the systems they access. The IT Security specialist shall immediately inform the MLRO of activity outside normal, expected bounds (such as access to large amounts of sensitive information outside standard working hours).
(iii) All servers and services shall be under continuous monitoring, with an immediate alerting system able to warn the IT department on a 24/7 basis.
(iv) The parameters in the monitoring system may be changed as necessary in the following cases:
- if the responsible person concludes that a parameter must be added to or removed from the parameter list, he/she agrees the change and arranges for it to be made.
- if additional parameters must be added, or existing default parameters removed, in order to perform monitoring in line with the functional characteristics of the IS/service: upon the decision of the MLRO.
(v) For IS with a high criticality level, additional monitoring parameters are defined by the MLRO.
(vi) ISs that require mandatory additional monitoring parameters must be identified by the responsible person before the IS is put into service or after significant changes. The responsible person shall notify the specified additional monitoring parameters electronically to the IT department staff, who make the necessary changes to the monitoring system.
(vii) The need to monitor applications, automated processes and other components of the information systems used by Pagotec Consultancy Ltd is determined by the responsible person, who notifies the IT department.
(viii) The MLRO shall be responsible for an IS testing framework that is adapted to take account of new threats and vulnerabilities identified through risk monitoring, and that ensures tests are conducted to assess the robustness and effectiveness of the security measures following changes to the infrastructure and procedures and changes resulting from major incidents. Testing shall include vulnerability scans and penetration tests, as well as simulated cyber-attacks commensurate with the level of risk identified for the payment services.
(ix) The MLRO shall monitor and evaluate the results of the tests conducted and shall, without undue delay, prepare an action plan for updating the security measures.
(x) The IT department shall be responsible for ongoing monitoring of technological developments to ensure that Pagotec Consultancy Ltd is aware of security risks.
(xi) While performing monitoring, the IT security department shall be responsible for identifying possible information leakages, malicious code and other security threats, and publicly known software and hardware vulnerabilities, and for checking for the corresponding security updates.
(xii) Testing shall also be conducted in the event of changes to infrastructure, processes or procedures, and where changes are made as a consequence of major operational or security incidents.
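As an added example of the monitoring rule in (ii) above (not Pagotec Consultancy Ltd's code or monitoring system): a small detector run over constructed access-log lines that flags privileged actions and remote connections for review, and raises a high-severity finding when a user reads a large amount of sensitive data outside working hours. Reads are aggregated per user and calendar day so that splitting a bulk export into many small reads does not evade the threshold, and lines that do not parse are reported rather than silently skipped, since a gap in the log is itself something the policy wants noticed. The log line format, the 08:00-18:00 Monday-to-Friday working hours, the 500-record threshold and the resource and action names are assumptions made for the example.

```python
"""Off-hours sensitive-data access detection (added example, not Pagotec's code)."""
import re
from collections import defaultdict
from datetime import datetime, time, timezone
from typing import Dict, List, Optional

# Assumed log line format, constructed for this example.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) records=(?P<records>\d+) src=(?P<src>\S+)$"
)

WORK_START, WORK_END = time(8, 0), time(18, 0)  # assumption: Mon-Fri 08:00-18:00 UTC
BULK_THRESHOLD = 500                             # assumption: the policy only says "large amounts"
SENSITIVE_RESOURCES = {"sensitive_payment_data", "customer_pii"}
PRIVILEGED_ACTIONS = {"sudo", "config_change", "grant_role"}
REMOTE_ACTIONS = {"vpn_login"}

# Constructed sample log. 2024-03-04 is a Monday, 2024-03-09 a Saturday.
SAMPLE_LOG = [
    "2024-03-04T10:15:00Z user=asmith action=read resource=sensitive_payment_data records=20 src=10.0.1.12",
    "2024-03-04T02:40:00Z user=bjones action=read resource=sensitive_payment_data records=1800 src=10.0.1.20",
    "2024-03-04T12:00:00Z user=cadmin action=sudo resource=fw-01 records=0 src=10.0.1.5",
    "2024-03-04T14:00:00Z user=asmith action=read resource=marketing_reports records=5000 src=10.0.1.12",
    "2024-03-05T09:00:00Z user=dlee action=vpn_login resource=vpn-gw records=0 src=198.51.100.4",
    "2024-03-09T11:00:00Z user=dlee action=read resource=customer_pii records=300 src=10.0.1.30",
    "2024-03-09T11:20:00Z user=dlee action=read resource=customer_pii records=300 src=10.0.1.30",
    "this line is not in the expected format",
]


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line; return None if it does not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["records"] = int(ev["records"])
    return ev


def outside_working_hours(ts: datetime) -> bool:
    return ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END)


def scan(lines: List[str]) -> List[Dict]:
    """Return findings, each with the log line numbers, user, severity and reason."""
    findings = []
    offhours = defaultdict(lambda: {"records": 0, "lines": []})
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        if ev is None:
            findings.append({"lines": [n], "user": None, "severity": "medium",
                             "reason": "unparseable log line"})
            continue
        if ev["action"] in PRIVILEGED_ACTIONS:
            findings.append({"lines": [n], "user": ev["user"], "severity": "medium",
                             "reason": f"privileged action {ev['action']} on {ev['resource']}"})
        if ev["action"] in REMOTE_ACTIONS:
            findings.append({"lines": [n], "user": ev["user"], "severity": "low",
                             "reason": f"remote connection from {ev['src']}"})
        if ev["resource"] in SENSITIVE_RESOURCES and outside_working_hours(ev["ts"]):
            agg = offhours[(ev["user"], ev["ts"].date())]   # aggregate per user and day
            agg["records"] += ev["records"]
            agg["lines"].append(n)
    for (user, day), agg in offhours.items():
        if agg["records"] >= BULK_THRESHOLD:
            findings.append({"lines": agg["lines"], "user": user, "severity": "high",
                             "reason": f"{agg['records']} sensitive records read outside "
                                       f"working hours on {day}"})
    return sorted(findings, key=lambda f: f["lines"][0])


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"].upper(), f["user"], f["reason"], "lines", f["lines"])
```

On the sample log this yields five findings: the 1800-record read at 02:40, the sudo on the firewall, the VPN login, the two Saturday reads by the same user that only cross the threshold when summed, and the malformed line. Severity labels here only rank what the IT Security specialist should look at first; the policy's escalation to the MLRO still applies to every high finding.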
10. Communication with Payment services users
(i) The CEO shall be responsible for informing payment services users at the first opportunity about possible security risks linked to the payment services, and shall provide payment services users with the necessary assistance and guidance.
(ii) The Compliance Officer and the IT Security specialist shall inform the MLRO/CEO and the Account manager in a timely manner about any changes in currently identified security risks.
(iii) The IT department shall be responsible for updating the relevant information on the Pagotec Consultancy Ltd website in a timely manner in the light of new threats and vulnerabilities and changes in security risks.
(iv) The Account manager shall be responsible for continuously maintaining and updating framework agreements so that they contain: the procedure by which payment services users report suspected security breaches, suspicious incidents or anomalies during a payment services session to Pagotec Consultancy Ltd; how Pagotec Consultancy Ltd will respond to such notifications; and the procedures by which Pagotec Consultancy Ltd will notify payment services users of (potential) security breaches or the non-initiation of payment transactions, or warn them of attacks.
(v) Pagotec Consultancy Ltd shall ensure that payment services users are provided, on an ongoing basis and by appropriate means, with clear and straightforward instructions explaining their responsibilities for the secure use of the relevant payment service.
(vi) Where Pagotec Consultancy Ltd has blocked a specific transaction or payment instrument, it shall notify the payment services user via any of the user's available contact details (unless such notification is prohibited). Pagotec Consultancy Ltd shall also inform the payment services user of the procedure for unblocking the payment transaction or payment instrument, unless this is prohibited by applicable statutory regulation.
(vii) Pagotec Consultancy Ltd shall provide payment services users with assistance on all questions, complaints, requests for support and notifications of anomalies or incidents regarding internet payments and related services. The Account manager shall be responsible for informing payment services users appropriately about how to obtain this assistance.
(viii) Pagotec Consultancy Ltd shall keep payment services users informed about updates to security procedures regarding the payment services.
(ix) Where product functionality permits, Pagotec Consultancy Ltd shall allow payment services users to disable specific payment functionalities related to the payment services.
(x) The Pagotec Consultancy Ltd IS also provides payment services users with the option to receive alerts on initiated and/or failed attempts to initiate payment transactions.
11. Employees Education and Awareness on Security risks
It is important to Pagotec Consultancy Ltd that its employees are aware of and understand security risks; this also helps to prevent the spread of malware. For this purpose, Pagotec Consultancy Ltd shall, on an ongoing basis but not less than once a year, carry out employee awareness activities and training, or test employees' knowledge of this Security Policy, including but not limited to employees' actions in the event of unusual activity and incidents, and security risks (including cyber security risks). This allows further improvement of the training and the opportunity to clarify any possible misunderstandings.
The IT Security department shall be responsible for immediately informing employees about any new cyber threats and about the actions employees should take in response.
The IT Security specialist shall every month send all Pagotec Consultancy Ltd employees a short instruction which, among other things, shall contain the following:
- stop and think before clicking on links; if you think you have clicked on something harmful, do not panic, but inform the IT security department as soon as possible.
- do not connect any unapproved removable media or personally owned device to network devices or to corporate PCs, laptops, servers, workstations, printers, etc., and report any suspicious or unexpected behaviour of the IS to the IT security department.
- maintain your awareness of security incident reporting. The reporting process is set out in the Pagotec Consultancy Ltd Cybercrime Incidents and Reporting Policy. Bear in mind that you can always voice any concerns about Pagotec Consultancy Ltd security practices and security incidents to the MLRO.
12. Security Risks Management Evaluation
(i) The CEO shall, on an ongoing basis and not less than every 3 months, prepare a report on the fulfilment of the terms of this Policy. The reports shall contain the following information:
a. information on potential and existing deviations from the Pagotec Consultancy Ltd documents defining operational and security risk management;
b. information on the quantitative and qualitative indicators of operational and security risk exposure;
c. a report on the adequacy of resources for the personnel performing operational and security risk management functions;
d. information on other relevant facts and events that affect or may affect the efficient management of operational and security risk.
(ii) Pagotec Consultancy Ltd uses software and technology tools that record user activity on the IS and equipment.
13. Responsibility and Competence
Risk management is the responsibility of all Pagotec Consultancy Ltd employees, who work towards the common goal of ensuring that all objectives are achieved. This Policy is embedded within the current structure and follows existing communication channels.