Interswitch becomes first non-banking institution in Kenya to be PCI-certified

No photo availableCIO Africa authorByBaraka Jefwa
3 min read

Interswitch has received the highest level of re-certification for the Payment Cards Industry Data Security Standards (PCI-DSS),making it the first…

untitled_article_full

Interswitch has received the highest level of re-certification for the Payment Cards Industry Data Security Standards (PCI-DSS),making it the first non-banking institution in Kenya to receive the high level PCI PIN Security Certification. It was also the first non-banking institution to receive the certification in East Africa.

A PCI Report on Compliance is required by any organisationthat handles large volumes of branded card transactions for credit, debit and prepaid that includesMasterCard, American Express, VISA, JCB and Discover. Companies handling smaller volumes are required to complete a Self Assessment Questionnaire.

Following the annual audit by the PCI-certified assessor,a Report on Compliance was issued to Interswitch in April 2016. No other East African bank or institution has yet completed this level of assessment.

Bernard Matthewman CEO, Interswitch East Africa says, “PCI DSS provides a comprehensive framework for securing cardholder and transaction data. Interswitch has the only data centre in Kenya to have passed this level of PCI-DSS assessment on two occasions now. As a specialised payments and commerce company, the industry rightly looks to us to lead ondata security.”

The PCI Standards help protect the safety of card data at multiple locations – from the point of sale (POS) to the processing centre.They mandate measures to protect data from both internal and external threats.

Victor Ndlovu, Kenya Country Manager at VISAsays, “Unfortunately, the majority of data fraud still originates from internal staff at a merchant, issuer or payment processor. PCI-DSS requires compliant institutions to implement sophisticated encryption, software and physical security to mitigate against this.”

PCI-DSS mandates that unmasked card data is only handled inside a Card Data Area, which has additional technological and physical security measures. Otherwise card data should always be partially masked in any communications or databases.

Matthewman says, “We use physical security and software to monitor if complete credit card details can be detected outside our Card Data Area. And we hire ethical hackers to regularly stimulate attacks on ourcard centre.

“It is a constant battle to stay ahead of fraudsters. Interswitch initiated the Great Migration to EMV in 2013 to help push Kenya to EMV, we were clear at the time that securing the card was the first step but the channels and data centre would become the new focus. PCI-DSS has been part of our program to ensure that these are secured to the highest global standards.”

Kenya was the third country in Africa to undertake a migration to chip and pin cards. This has seen skimming fraud reduce substantially, although new fraud patterns are emerging.

Stephen Mwaura Head, National Payments says, “As a regulator we will continue to work with key stakeholders to support cutting edge approaches in enhancing safety and efficiency in payments. I commend the Interswitch team for leading the way in adopting fraud management tools that are of the highest standards for the payment cards industry.”

Interswitch is a certified member of the PCI Security Standards Council,which prepares the standards. The five major card companies MasterCard, American Express, VISA, JCB and Discover, formed the Council in 2006.

Leave a Reply

Your email address will not be published.

Do you have a story that you think would interest our readers? Write to us editorial@cioafrica.co