Payten Türkiye and its payment facilitation company Paratika have successfully completed their annual compliance audits, reaffirming their commitment to operational resilience and data protection by achieving updated certifications for: PCI DSS Level 1 – the highest level of compliance in payment card security, ISO/IEC 27001:2022 – Information Security Management System, and ISO 22301:2019 – Business Continuity Management System.
PCI DSS (Payment Card Industry Data Security Standard) certification demonstrates that all systems that process and store payment card information fully comply with the security requirements defined by PCI DSS. The measures taken to protect customer data not only ensure compliance with legal regulations but also help strengthen customer trust.
The updates made to align with PCI DSS version 4.0.1 particularly address modern technology requirements such as security policies, HTTP headers, Content Security Policy (CSP), and third-party dependencies.
These measures represent significant steps toward ensuring the security of both payment card data and payment pages, as well as providing our customers with uninterrupted and secure service.
In this context, particular attention has been given to the following technical requirements within the cardholder data environment, encompassing all applications and systems:
· Content Security Policy (CSP): The implementation of content security policies has become mandatory to protect payment pages from malicious content, especially against XSS (Cross-Site Scripting) attacks, adding an extra layer of security.
· HTTP Security Headers: The use of HTTP security headers has been mandated on payment pages. These headers are a critical measure to enhance the security of web applications and help prevent malicious attacks. They ensure that data is transmitted only over encrypted (HTTPS) connections, block malicious content, and protect against iframe-based attacks.
· Vulnerability Management: Regular vulnerability scans of all software and hardware components, along with the prompt closure of identified security gaps, are now mandatory. Tools compliant with OWASP standards are being used to continuously scan the systems.
· Encryption Updates: Encryption methods must be updated, and all sensitive data must be securely stored using strong encryption, ensuring that data cannot be accessed by unauthorized parties.
· Password Policies: Passwords must be strong, regularly changed, and unique for each system and application user. Additionally, passwords must comply with complexity rules and meet the minimum length requirement (12 characters). Furthermore, secure password reset and password recovery procedures must be implemented.
· Privileged Access Management (PAM): Stricter control and monitoring over privileged user access have been required. PAM has been implemented to prevent unauthorized access to critical systems and data.
· Authentication and Access Control: This requirement enforces stricter authentication processes and access controls. The new version expands the use of multi-factor authentication (MFA), making it mandatory to implement additional security measures—such as physical tokens—instead of relying solely on passwords for user access.
· Third-Party Dependency Management: Regular checks of software dependencies and minimizing security risks in third-party components are required. The security of open-source software has also been further emphasized.
· Security Awareness Training: Regular security awareness training for employees is essential to prevent human-related security breaches. Card data security content has been added to the current training program to increase awareness of social engineering attacks.
· Security Monitoring and Logging: Continuous monitoring and logging of security events across all payment pages (CSP and HTTP Header Integrity Check) and systems were implemented for early detection of threats and quick intervention.
· Targeted Risk Management: Targeted risk analysis is designed to help organizations identify and evaluate potential risks to their PCI Environment. The purpose of this assessment is to provide a systematic approach to risk management that enables organizations to make informed decisions about the measures they need to take to safeguard against risks and reduce the likelihood and impact of adverse events. Payten Türkiye has conducted this analysis to ensure that all potential threats are minimized with effective solutions.
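The CSP, HTTP security header and header-integrity monitoring items above describe controls on the payment page itself. The following Python script is an added illustration of how such a page can be checked and monitored for drift; it is not Payten's or Paratika's code, and the two HTTP responses, the required-header set and the hostname `js.example-psp.test` are constructed for the example.

```python
"""Security-header baseline check for a payment page (added example).

Parses an HTTP response header block, verifies the security headers a
payment page is expected to carry, inspects the Content-Security-Policy
for weak script-source choices, and computes a fingerprint of the
security headers so a later scan can detect unauthorized changes
(the header integrity check mentioned in the monitoring requirement).
"""
import hashlib
from typing import Dict, List, Tuple

# Headers expected on a payment page (names lowercased). Constructed set.
REQUIRED_HEADERS = {
    "strict-transport-security",   # data only over encrypted (HTTPS) transport
    "content-security-policy",     # restrict script and frame sources (anti-XSS)
    "x-frame-options",             # no framing of the page by third parties
    "x-content-type-options",      # no MIME sniffing of served content
}


def parse_headers(raw: str) -> Dict[str, str]:
    """Turn a raw response header block into a {lowercase name: value} dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue                      # status line or blank line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_csp(policy: str) -> List[str]:
    """Return findings for CSP settings that weaken XSS/framing protection."""
    d = parse_csp(policy)
    findings: List[str] = []
    script = d.get("script-src", d.get("default-src"))
    if script is None:
        findings.append("CSP: neither script-src nor default-src is set")
    else:
        if "'unsafe-inline'" in script or "'unsafe-eval'" in script:
            findings.append("CSP: script-src permits unsafe-inline/unsafe-eval")
        if "*" in script or "https:" in script:
            findings.append("CSP: script-src is an open allowlist")
    if "frame-ancestors" not in d:
        findings.append("CSP: frame-ancestors missing")
    return findings


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Check presence and basic sanity of the required security headers."""
    findings = [f"missing header: {n}" for n in sorted(REQUIRED_HEADERS - headers.keys())]
    hsts = headers.get("strict-transport-security", "")
    if hsts and "max-age=" not in hsts:
        findings.append("HSTS: no max-age directive")
    if "content-security-policy" in headers:
        findings.extend(check_csp(headers["content-security-policy"]))
    return findings


def header_fingerprint(headers: Dict[str, str]) -> str:
    """SHA-256 over the security headers, stored as a baseline and compared on each scan."""
    canon = "\n".join(f"{n}: {headers[n]}" for n in sorted(REQUIRED_HEADERS) if n in headers)
    return hashlib.sha256(canon.encode()).hexdigest()


def audit(raw_response: str, baseline_fingerprint: str) -> Tuple[List[str], bool]:
    """Return (findings, unchanged_since_baseline) for one captured response."""
    headers = parse_headers(raw_response)
    return check_headers(headers), header_fingerprint(headers) == baseline_fingerprint


# Constructed sample responses: a hardened payment page and a weakened one.
GOOD_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' https://js.example-psp.test; frame-ancestors 'none'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
"""

WEAK_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https:
X-Content-Type-Options: nosniff
"""

# Baseline recorded from the approved configuration.
BASELINE = header_fingerprint(parse_headers(GOOD_RESPONSE))

if __name__ == "__main__":
    for label, resp in (("hardened", GOOD_RESPONSE), ("weakened", WEAK_RESPONSE)):
        findings, unchanged = audit(resp, BASELINE)
        print(f"{label}: unchanged={unchanged}, findings={findings}")
```

The fingerprint comparison is what turns a one-off scan into the continuous integrity check the monitoring requirement describes: the baseline is taken from the reviewed configuration, and any later response whose security headers hash differently is flagged for investigation even when the individual checks still pass.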
All these updates have been implemented successfully with best-in-class SDLC (Software Development Life Cycle) practices to further enhance the security of the systems, protect customer card data, and ensure preparedness for potential threats. Additionally, the security culture within the organization has been strengthened by providing regular security awareness training to employees.
Furthermore, Payten Türkiye and Paratika have successfully completed the ISO/IEC 27001 and ISO 22301 audits, reaffirming the certifications by taking all necessary measures to ensure the information security and business continuity of all business processes related to the Payten and Paratika services offered to customers and stakeholders.
These internationally recognized standards demonstrate their dedication to information security and business continuity. All necessary measures and controls have been implemented to ensure the protection of sensitive information and the seamless operation of business processes. These measures encompass the entire spectrum of Payten Türkiye and Paratika's services, safeguarding the interests of their customers and stakeholders.
This accomplishment underscores their dedication to providing secure, reliable, and uninterrupted services, while continuously enhancing their risk management strategies to mitigate any potential disruptions.
