Of the many industries that suffered during 2020, online shopping hasn’t been one of them. According to Australia Post, Latest figures show eCommerce grew more than 73% YOY since the start of the pandemic. Unsurprisingly, a third of all Australian online shopping purchases during July were made in Victoria. This means more payment card details are flying across the world than ever before. This is how Xinja makes sure yours stay safe.
A friendly word of warning – this will get a little geeky.
The PCI Council
To help ensure the security of credit card transactions, the payments cards industry (PCI), created the Data Security Standard (DSS). The PCI DSS compliance refers to the technical and operational standards that businesses must follow to secure and protect your credit card data. These standards for compliance are developed and managed by the PCI Security Standards Council.
Greg Steel, our Chief Information Officer admits: “Xinja never wanted to have to be PCI-compliant; like most organisations we used to go through great lengths to avoid ever seeing a Card Primary Account number (PAN). However, when we first introduced Apple Pay we realised that we would need to be exposed to the PAN and become PCI compliant, which made us a little nauseous.”
“We realised that we would need to be exposed to the PAN and become PCI compliant, which made us a little nauseous.”
-Greg Steel, Xinja CIO
Lock them up
Steel continues: “We knew making the entire Xinja Platform and App PCI-compliant was going to be ridiculously hard, so we locked our product lead and architect in a room until they came out with an approach that confined the PAN to a separate environment. And so the concept of the Card Data Environment (CDE) was born.” The image below explains the structure they came up with to confine the PAN and make the PCI DSS compliance a little easier (and more cost effective) to achieve.
Xinja worked with partners Itoc, UL and AWS to build the Card Data Environment and the introduction of AWS ‘Hyperplane ENI’ (cool, huh?!) dramatically reduced costs. Steel adds that the method was unconventional: “The technical term for this approach was: close your eyes, cross your fingers and jump; totally Xinja!” The CDE was born and AWS has since used it as a case study across the world during their AWS Global Summit.
“The technical term for this approach was: close your eyes, cross your fingers and jump; totally Xinja!”
-Greg Steel, Xinja CIO
High, higher, highest
Once the CDE was a fact, it was the job of Chief Information Security Officer, Jean-Baptiste Bres and his team to get the PCI compliance. He explains the challenges: “not only did we start this process one month before COVID hit, it was also one of the hardest things we ever did, with limited resources and a lot of challenges. The level of detail involved with getting the highest level of PCI DSS compliance is extraordinary.” Despite not being in the office together, we pulled it off, and Steel thinks this is a cause for celebration: “This is a fantastic achievement and is something we did through smart thinking and by leveraging the expertise of our excellent partners. Congratulations to everyone involved.”
Be compliant. Stay compliant.
Although Xinja Bank is now PCI compliant and the CDE has full PCI DSS compliance, both Steel and Bres know it’s a work in progress: “PCI-compliance is something everybody at Xinja thinks about and we will do the right thing to keep us compliant and card details safe. We’ll be running ongoing security training to make sure everybody understands their responsibilities.”