Purpose

This document is provided for reference only, and as an example of how DerbySoft is aware of and keeps up with such developments in the industry.


Introduction

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from major card schemes.


The PCI Standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council. The standard was created to increase controls around cardholder data to reduce credit card fraud.


Validation of compliance is performed annually (with quarterly external vulnerability scans by an Approved Scanning Vendor), by a method suited to the volume of transactions handled:

  • Self-Assessment Questionnaire (SAQ) — lower transaction volumes; accompanied by an Attestation of Compliance (AOC).

  • on-site assessment by an external Qualified Security Assessor (QSA) — higher volumes; produces a Report on Compliance (ROC) together with an AOC.

  • assessment by a firm-specific Internal Security Assessor (ISA), trained and certified by the Council — large organizations permitted to assess themselves; also produces a ROC.

GO Distributor-PCI DSS

PCI DSS provides a set of requirements designed to protect cardholder data, covering the security of stored cardholder data, of data in transit, and of access to that data. The standard helps reduce risks such as data theft, identity fraud, and unauthorized transactions.


DerbySoft uses a range of technologies and processes to protect the information stored on DerbySoft servers, encrypt data sent by customers, restrict access to system components and customer card data, and track and monitor all access to card data. On AWS services, a data environment that fully meets the PCI DSS requirements has been built. To restrict access to system components and customer card data, the company uses firewall rules that allow connections only from each customer's approved source IP addresses, so that card data can be reached only from known locations.


As the product's functions have matured, the number of customers using it has grown, and with it the demand for customer self-service. To keep customer card data secure while improving service efficiency and reducing manual intervention, DerbySoft proposes to build a new PCI environment that meets the PCI DSS requirements as well as the needs of product development.



Security Measures


Data storage security

Data storage security in the new PCI environment continues to be provided by the SDC service operated by the systems department.


Data transmission security

All requests that traverse open or public networks use HTTPS, so that data between the client and the server is encrypted in transit and cannot be read or intercepted on the network. HTTPS only delivers this protection when the server certificate is validated and when SSL and early TLS (1.0 and 1.1), which PCI DSS does not accept for protecting cardholder data, are disabled in favour of TLS 1.2 or later.


Data access security

Data access security is divided into data entrance security and data exit security. For the entrance, the new PCI environment authenticates the data sender (the Distributor) with an API Key issued with a fixed validity period, so that the sender's identity is verified before any data is accepted. For the exit, security relies on the correct and safe configuration of the data receiver's (the Supplier's) Endpoint, so that customer data is delivered only to the designated receiver. Both sides therefore depend on the operational security of the API Key and the Endpoint: only when every operation involving them is reliable and verifiable can data access security be guaranteed.
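The exit-side checks described above, as an added example that is not DerbySoft's code: validating a Supplier Endpoint before it is accepted, and the TLS client settings used when delivering to it (which also illustrates the HTTPS point from the data transmission section). The validation rules, the function names and the sample URLs are assumptions; the page does not say which checks the Security Gateway actually performs.

```python
import ipaddress
import json
import ssl
import urllib.request
from urllib.parse import urlsplit

# Added example (not DerbySoft code). Rules assumed for a Supplier Endpoint:
# https only, a host must be present, no credentials embedded in the URL, and a
# literal IP address must be publicly routable (no loopback, RFC 1918, link-local
# or other reserved ranges that would turn the gateway into an SSRF relay).


def validate_endpoint(url: str) -> str:
    """Return the endpoint URL if it passes the checks, otherwise raise ValueError."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        raise ValueError("endpoint must use https")
    if not parts.hostname:
        raise ValueError("endpoint has no host")
    if parts.username or parts.password:
        raise ValueError("credentials embedded in the endpoint URL are not allowed")
    try:
        literal = ipaddress.ip_address(parts.hostname)
    except ValueError:
        literal = None  # a DNS name, not an IP literal
    if literal is not None and not literal.is_global:
        raise ValueError("endpoint must not point at a loopback, private or reserved address")
    return parts.geturl()


def is_valid_endpoint(url: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_endpoint(url)
        return True
    except ValueError:
        return False


def make_client_context() -> ssl.SSLContext:
    """TLS settings for outbound delivery: server certificate verified against the
    system trust store, hostname checked, SSL and TLS 1.0/1.1 refused."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_settings(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings an auditor would want to see for the context."""
    return {
        "verify_cert": ctx.verify_mode == ssl.CERT_REQUIRED,
        "check_hostname": ctx.check_hostname,
        "min_version": ctx.minimum_version.name,
    }


def deliver(endpoint: str, payload: dict, timeout: float = 10.0) -> int:
    """POST a JSON payload to a validated endpoint over hardened TLS; return the HTTP status."""
    url = validate_endpoint(endpoint)
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout, context=make_client_context()) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample endpoints; none of them is contacted here.
    for candidate in (
        "https://supplier.example.com/pci/receive",
        "http://supplier.example.com/pci/receive",
        "https://user:secret@supplier.example.com/",
        "https://127.0.0.1:8443/receive",
        "https://10.20.30.40/receive",
    ):
        verdict = "accepted" if is_valid_endpoint(candidate) else "rejected"
        print(f"{candidate!r:48} -> {verdict}")
    print(tls_settings(make_client_context()))
```

The address check only covers IP literals: a DNS name that resolves to a private address, or that is rebound after the check, is not caught. A production gateway should resolve and re-check at connection time, or restrict egress at the network layer, in addition to this validation.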


Compliance Statement

All customer operations in the GO Console are recorded by the log system, so that the operation history can be queried, traced, and verified for PCI compliance audits.


Credit card information security process

API Key and Endpoint security process

All security-relevant operations on API Keys and Endpoints (creation, modification, and so on) are initiated by the customer in the GO Console, which sits outside the POA environment. After verification, they are processed by the Security Gateway inside the POA environment.


Valid period

Every customer's API Key is generated by the designated hash algorithm and is valid for six months, after which it must be reissued.
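The entrance-side lifecycle described in the data access security section and the validity period above, as an added example that is not DerbySoft's code: issuing a Distributor API Key with a six-month expiry, verifying it at the gateway, revoking and rotating it, and writing an audit record for each operation as the compliance statement requires. Assumptions, since the page does not specify them: the key is a random secret, the "designated hash algorithm" is SHA-256 and is used so that only a digest is stored, and six months is taken as 182 days.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Added example (not DerbySoft code). Assumed: random secret, SHA-256 digest stored,
# six months read as 182 days.
VALIDITY = timedelta(days=182)


class FixedClock:
    """Injectable clock so expiry can be exercised deterministically."""

    def __init__(self, year: int, month: int, day: int):
        self.now = datetime(year, month, day, tzinfo=timezone.utc)

    def advance(self, days: int) -> None:
        self.now += timedelta(days=days)

    def __call__(self) -> datetime:
        return self.now


@dataclass
class KeyRecord:
    key_id: str
    digest: str  # SHA-256 of the secret; the secret itself is never stored
    distributor: str
    issued_at: datetime
    expires_at: datetime
    revoked: bool = False


class ApiKeyStore:
    """Issues, verifies, revokes and rotates Distributor API Keys, and records
    every operation in an audit list so the history can be queried and traced."""

    def __init__(self, now=None):
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._records: Dict[str, KeyRecord] = {}
        self.audit: List[dict] = []

    def _log(self, actor: str, action: str, key_id: str, outcome: str) -> None:
        self.audit.append({"time": self._now().isoformat(), "actor": actor,
                           "action": action, "key_id": key_id, "outcome": outcome})

    @staticmethod
    def _digest(secret: str) -> str:
        return hashlib.sha256(secret.encode("utf-8")).hexdigest()

    def issue(self, distributor: str, actor: str) -> str:
        """Create a key valid for VALIDITY; the full key is returned once and never kept."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        now = self._now()
        self._records[key_id] = KeyRecord(key_id, self._digest(secret), distributor, now, now + VALIDITY)
        self._log(actor, "issue_api_key", key_id, "ok")
        return f"{key_id}.{secret}"

    def verify(self, presented: str) -> Optional[str]:
        """Return the Distributor name if the key is genuine, unrevoked and unexpired, else None."""
        key_id, _, secret = presented.partition(".")
        rec = self._records.get(key_id)
        if rec is None or not hmac.compare_digest(self._digest(secret), rec.digest):
            self._log("gateway", "verify_api_key", key_id, "rejected: unknown or wrong key")
            return None
        if rec.revoked:
            self._log("gateway", "verify_api_key", key_id, "rejected: revoked")
            return None
        if self._now() >= rec.expires_at:
            self._log("gateway", "verify_api_key", key_id, "rejected: expired")
            return None
        self._log("gateway", "verify_api_key", key_id, "ok")
        return rec.distributor

    def revoke(self, key_id: str, actor: str) -> bool:
        rec = self._records.get(key_id)
        if rec is None:
            self._log(actor, "revoke_api_key", key_id, "rejected: unknown key")
            return False
        rec.revoked = True
        self._log(actor, "revoke_api_key", key_id, "ok")
        return True

    def rotate(self, key_id: str, actor: str) -> Optional[str]:
        """Issue a replacement for the same Distributor and revoke the old key."""
        rec = self._records.get(key_id)
        if rec is None:
            return None
        new_key = self.issue(rec.distributor, actor)
        self.revoke(key_id, actor)
        return new_key


if __name__ == "__main__":
    clock = FixedClock(2024, 1, 1)
    store = ApiKeyStore(now=clock)
    key = store.issue("distributor-a", actor="ops@derbysoft.example")  # constructed actor
    print("fresh key  ->", store.verify(key))
    clock.advance(182)
    print("after 182d ->", store.verify(key))
    for entry in store.audit:
        print(entry)
```

Only the digest is stored, so a leaked key table does not yield usable keys, and the comparison is constant-time to avoid leaking digest prefixes; every issue, verify, revoke and rotate call leaves an audit record with a timestamp, actor, action, key id and outcome.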