Case study: XLink achieves milestone five years of PCI compliance, peace of mind with Galix
XLink provides reliable and secure connectivity for payment processing and facilitates in excess of one billion connections a year, offering managed services around payment connectivity and other digital services.
As such, Payment Card Industry Data Security Standard (PCI DSS) compliance is crucial for XLink in order to comply with the Payments Association of South Africa (PASA) regulations. When XLink required certification for its milestone fifth year in a row, it turned to Galix to conduct the assessment and perform the audit process.
“PASA regulates our industry, so all parties that are engaged in the payment ecosystem need to be PCI DSS compliant. Thus, it has become a prerequisite in doing business. In addition, PCI DSS sets the standard for best practice regarding security and process. Compliance has certainly made a huge difference in the way we conduct our day-to-day operations, giving the technical department the confidence that we are doing things right,” explains Craig Lefkowitz, Head of Information Technology at XLink.
Setting the bar for high standards
While PCI DSS compliance may not be a legal requirement, it is a necessity for doing business if any payments are processed. In turn, this is important for compliance with regulations such as the Protection of Personal Information (PoPI) Act. As part of its commitment to delivering services of the highest standard, XLink’s technical team is constantly striving to provide enhanced security technologies in managing and supporting its network services.
“Our strength lies in our ability to provide a world-class service in deployment and providing 365/24/7 support to all our customers. We are always looking for ways to innovate and provide enhanced secure connectivity solutions and stay focused on delivering exceptional solutions in both EFT and IoT markets. By adhering to these standards, we provide assurance that gives our customers confidence that we are doing everything possible to prevent cardholder data misuse, which can lead to fraud,” says Lefkowitz.
Success is all in the preparation
In line with best practice, XLink changes Qualified Security Assessors (QSAs) from time to time and Galix was selected based on a matrix of criteria including experience, availability, BBBEE status, local presence, flexibility of the assessor and more.
XLink engaged with Galix in mid-2018 to ensure that plenty of time was given to prepare for and conduct the audit, which began in April 2019. The audit process consists of five phases: a pre-assessment, gap analysis and remediation, vulnerability scans and penetration testing, validation assessment and compliance, and then ensuring compliance is maintained.
Simeon Tassev, Managing Director and Qualified Security Assessor at Galix, says: “XLink’s environment is large and complex, so preparation is key to a smooth and successful audit process. As this is the fifth year in a row that XLink has completed the process, they are well versed in its requirements and their environment is fully compliant. The audit and subsequent re-certification therefore ran smoothly and were completed on schedule.”
Compliance is a benefit, not just ticking a box
Compliance with regulations is often seen as a grudge exercise, and many organisations perform audits simply to tick a box without deriving any real value from them. PCI DSS compliance, however, has significant benefits beyond the certification itself and the enhanced security it brings.
“Our introduction to PCI DSS and the audit process was at first a large mountain we had to climb as a business, but we understood this is an opportunity to better the service and assurance we could provide to our customers. Over the years, the benefits have become clear and we can see how important and valuable attaining this certification has been,” Lefkowitz further explains. PCI DSS has transformed its operations for the better from both a management and support perspective.
“Although PCI DSS does not guarantee that one’s system is immune from penetration, it goes a long way toward providing a level of confidence that, as a technical team, XLink is not sitting by taking the threats that are out there for granted. Being compliant provides XLink’s customers with confidence and ensures they have a competitive edge in their market,” Tassev concludes.