
TAG Systems: Penetration tests for the personalization of payment cards industry

Simulation of a hacker attack

In the payment card industry, the security of IT systems is crucial. Because these systems process sensitive data, they must meet the requirements of the standards written for them. Regular penetration tests, conducted to demonstrate compliance with the PCI Card Production standards, are the principal way of verifying that the required level of security is actually in place.

Offering comprehensive services in card production, delivery and personalization, TAG Systems handles particularly sensitive data: personal data, payment card numbers and authorization data in the form of PIN codes. This makes a high level of security necessary, and the primary method of verifying it is regular penetration testing. The requirement is defined in section 5.8 of the PCI Card Production standard, Logical Security Requirements, which calls for internal and external penetration tests at least once a year and after any significant change to the infrastructure.
The tests must cover all components of the personalization network, including the operating systems. In addition, the application layer must be checked for at least the following classes of vulnerability:

  • data injection (e.g. SQL injection),
  • buffer overflow,
  • inadequate cryptographic protection,
  • incorrect handling of errors.

PCI Card Production

All companies and systems involved in the production, personalization and distribution of payment cards, including the processing and sending of authentication data (e.g. PIN codes), must comply with the PCI Card Production standard. The standard is split into two documents, one covering security at the physical level (Physical Security Requirements) and one covering the logical level (Logical Security Requirements). Compliance with both is a prerequisite for PCI certification.

The role of BCC

The method chosen to verify system security was the ethical hacking service proposed by BCC: detailed, methodical testing of networks and systems for errors and vulnerabilities. In practice it is a simulation of a real attack on the infrastructure, carried out from the Internet or from the internal network in the role of a malicious insider. The competence of the BCC consultants and the use of specialist tools meant that this practical attempt to break the security allowed a comprehensive verification of the security level of the TAG Systems infrastructure.

Testing

The penetration tests were carried out according to the following methodologies:

  • NIST SP 800-115, Technical Guide to Information Security Testing and Assessment (National Institute of Standards and Technology)
  • Offensive Security
  • OWASP Top 10 (Open Web Application Security Project)

BCC consultants have built up their security knowledge over many years and hold certifications recognized in the IT industry. Combining that knowledge and experience with specialized software and internationally recognized penetration testing methodologies ensures that security is verified to a high standard.

Three stages of testing

In the first stage, a remote penetration test of the Internet-facing perimeter of the tested environment was carried out. The work followed a black-box scenario, with no prior knowledge of the systems.

The work began with identification and enumeration of the exposed hosts and services. The systems were then scanned with vulnerability scanners. Each reported vulnerability was verified individually in the next step in order to reject false positives. Where a working exploit was available for a confirmed vulnerability, an attempt was made to use it against the tested infrastructure.

In the second stage, the security of the HSA (High Security Area) internal network was verified on site. For this stage the consultant was given a network plan and information on the addresses and roles of the critical systems (a grey-box scenario). Separation between the individual VLANs of the internal network was also verified.
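The VLAN separation check in the second stage is easiest to do reproducibly with a small script that encodes the network plan's expectations and compares them with what a probe actually observes. The following is an added example and not BCC's or TAG Systems' code; the VLAN names, addresses and policy rules are constructed for the illustration. It uses a plain TCP connect probe and distinguishes "closed" (the target answered with a RST, so a layer-3 path into the segment exists) from "filtered" (no answer), because for a segment that should be isolated the first is already a finding even if the port is not open.

```python
"""Added example: verifying VLAN separation against a policy matrix.

All VLAN names, addresses and rules below are hypothetical and constructed
for this example. Run from a host inside the source VLAN being tested.
"""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One expectation taken from the network plan."""
    src_vlan: str
    dst_vlan: str
    dst_host: str
    dst_port: int
    expected: str  # "allow" if the plan permits this path, "deny" if not


# Hypothetical policy: the office VLAN must have no path into the HSA
# personalization VLAN; an admin jump host may reach it over SSH only.
POLICY = [
    Rule("office",   "hsa-perso", "10.20.1.10", 22,   "deny"),
    Rule("office",   "hsa-perso", "10.20.1.10", 445,  "deny"),
    Rule("jumphost", "hsa-perso", "10.20.1.10", 22,   "allow"),
    Rule("jumphost", "hsa-perso", "10.20.1.10", 3389, "deny"),
]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP connect attempt.

    The outcomes are not equivalent for a segmentation test: a RST ("closed")
    still proves that a host in the target VLAN is reachable at layer 3,
    which is a finding on its own when the plan says the segments are isolated.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"        # host answered with RST
    except socket.timeout:
        return "filtered"      # silently dropped by an ACL or firewall
    except OSError:
        return "unreachable"   # e.g. no route to host


def check_segmentation(rules, source_vlan, probe=tcp_probe):
    """Evaluate every rule that applies when testing from `source_vlan`.

    Returns a list of (rule, observed, verdict), where verdict is one of:
      "ok"         observed state matches the plan
      "violation"  a deny rule, but the target answered (open or closed)
      "unexpected" an allow rule, but the service is not reachable
    `probe` is injectable so the logic can be exercised without a network.
    """
    results = []
    for rule in rules:
        if rule.src_vlan != source_vlan:
            continue
        observed = probe(rule.dst_host, rule.dst_port)
        if rule.expected == "deny":
            verdict = "violation" if observed in ("open", "closed") else "ok"
        else:
            verdict = "ok" if observed == "open" else "unexpected"
        results.append((rule, observed, verdict))
    return results


def violations(results):
    """Only the findings that go into the report as segmentation failures."""
    return [(rule, obs) for rule, obs, verdict in results if verdict == "violation"]


def format_report(source_vlan, results):
    """Plain-text summary, one line per tested path."""
    lines = [f"segmentation check from VLAN {source_vlan}"]
    for rule, observed, verdict in results:
        lines.append(f"  {rule.dst_vlan} {rule.dst_host}:{rule.dst_port} "
                     f"plan={rule.expected} observed={observed} -> {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    # With the live probe, run this once from a host in each source VLAN.
    for vlan in ("office", "jumphost"):
        print(format_report(vlan, check_segmentation(POLICY, vlan)))
```

A real engagement extends the probe to UDP and ICMP and repeats the run from a host in every source VLAN named in the plan; the point of the policy table is that every expectation is written down before testing, so the "violation" list is a direct diff between the network plan and reality.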

In the third stage, the security of the applications and databases used in the payment card personalization process was tested. Applications with a user interface were additionally tested for the possibility of gaining direct access to the data they process, and the safeguards protecting that data were verified.
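The "data injection (e.g. SQL injection)" and "incorrect handling of errors" items from the application-layer checklist above are exactly what the third stage looks for in applications that give direct access to processed data. The following added example, written for this page and not taken from TAG Systems' or BCC's code, shows a vulnerable lookup beside its hardened form using Python's standard sqlite3 module; the schema and data are hypothetical, constructed to stand in for a personalization application's database.

```python
"""Added example: a SQL injection finding beside its fix.

Hypothetical schema and data, constructed for this example.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE operators (username TEXT, password_hash TEXT)")
    conn.execute("CREATE TABLE jobs (id INTEGER, operator TEXT, card_count INTEGER)")
    conn.executemany("INSERT INTO operators VALUES (?, ?)",
                     [("alice", "$2b$12$hash_a"), ("admin", "$2b$12$hash_admin")])
    conn.executemany("INSERT INTO jobs VALUES (?, ?, ?)",
                     [(1, "alice", 5000), (2, "admin", 120000)])
    return conn


def jobs_for_operator_vulnerable(conn, operator: str):
    """The finding: user input is concatenated into the statement, so it can
    change the query's structure. Driver errors also propagate raw to the
    caller, which leaks SQL text and table names to whoever sent the input."""
    sql = ("SELECT id, operator, card_count FROM jobs "
           "WHERE operator = '" + operator + "'")
    return conn.execute(sql).fetchall()


def jobs_for_operator_hardened(conn, operator: str):
    """The fix: a parameterised query. The value is passed to the driver
    separately from the SQL text, so quotes inside it are data, not syntax.
    Driver errors are caught and replaced by a generic error so that nothing
    about the query or schema reaches the client."""
    sql = "SELECT id, operator, card_count FROM jobs WHERE operator = ?"
    try:
        return conn.execute(sql, (operator,)).fetchall()
    except sqlite3.Error:
        # Real code logs the exception server-side under a correlation id.
        raise RuntimeError("lookup failed")


# Two classic payloads a tester would send in the 'operator' parameter.
PAYLOAD_TAUTOLOGY = "x' OR '1'='1"
PAYLOAD_UNION = "x' UNION SELECT 0, username, password_hash FROM operators --"


def demo():
    """Run both payloads against both implementations and return the rows."""
    conn = make_db()
    return {
        "vuln_tautology": jobs_for_operator_vulnerable(conn, PAYLOAD_TAUTOLOGY),
        "vuln_union": jobs_for_operator_vulnerable(conn, PAYLOAD_UNION),
        "safe_tautology": jobs_for_operator_hardened(conn, PAYLOAD_TAUTOLOGY),
        "safe_union": jobs_for_operator_hardened(conn, PAYLOAD_UNION),
        "safe_legit": jobs_for_operator_hardened(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The tautology payload makes the vulnerable query return every job, and the UNION payload pulls the operators' password hashes out through a column meant for a card count; the parameterised version returns nothing for either, and a lone quote that crashes the vulnerable query with a raw database error is just an unmatched operator name to the hardened one.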

During the tests the consultant stayed in constant contact with the administrators and reported critical vulnerabilities as soon as they were found, without waiting for the final report.

Summary

The tests were summarized in a comprehensive report documenting the course of the work and describing the vulnerabilities found, each with recommendations for remediation. It also contained hardening guidance for the configuration of the tested devices and systems. The appendices included the raw output of the specialized software, i.e. the vulnerability scanners.

Security of systems above all

In our industry, penetration testing is an indispensable practice. Our systems must be secure, which is why we regularly conduct security tests. By simulating a hacker attack, BCC comprehensively checked our company’s security and provided us with a final report that helped us better secure our systems.
Jacek Nowacki, Managing Director, Tag Systems

Pentests at BCC

BCC provides broadly understood IT security services, including penetration tests. Our team of certified security consultants can take the role of a group of attackers (pentesters) and check the security of a company by performing pentests according to a scope and scenario agreed with the customer. We also carry out configuration audits against security settings, hardening, good practices and other guidelines and methodologies.
We work according to our own methodology for penetration tests and security configuration audits, based on:

  • experience of BCC and several dozen projects in the field of IT security,
  • techniques prepared by reputable organizations dealing with the security of IT systems (including OSSTMM, EC-Council, OWASP, COBIT).

TAG Systems offers comprehensive services in card production and delivery, card personalization (including additional services) and the preparation of dedicated microprocessor-based applications (e.g. identification and loyalty applications, electronic tickets, and PKI). The company's production facility is equipped with the latest card production devices operating in a highly secure environment. Its annual production capacity exceeds 80 million cards. The cards are produced in Andorra and personalization offices are located in Spain, Colombia and Poland. TAG Systems also has offices in Russia and Norway.
