The goal of information security is to ensure the confidentiality, availability and integrity of information.
Direct Fidoo Payments s.r.o. is a payment institution authorised to provide payment services within the scope of the licence granted under the regulatory supervision of the Czech National Bank. The company is registered in the Lists of regulated and registered financial market entities – Direct search of financial market entities (cnb.cz).
Direct Fidoo Payments considers information security not only an integral part of protecting our values, but also as part of our clients’ trust.
That’s why Direct Fidoo Payments has established an IT security team led by a manager with experience in the financial sector and certifications as a PCI DSS Assessor and ISO/IEC 27001 Lead Implementer. This security team has implemented and maintains security based on the PCDA method. Individual measures and objectives are implemented in accordance with the international standard for information security ISO/IEC 27001. For each area, an internal regulation defining the binding processes, duties and responsibilities is approved by the Board of Directors.
Measures by area
(according to the international standard ISO/IEC 27001)
The Czech Republic has committed to the CRS and has implemented the CRS in Czech legislation. Czech financial institutions (i.e. banks, insurance companies, payment institutions, etc.) must check the tax status of their clients and report relevant clients to the tax authority.
To ensure this, the company has:
- Defined roles and responsibilities in IB.
- The principle of separation of duties is established.
- Relationships with relevant authorities and bodies are maintained, as well as with interest groups and professional associations through the internal security team.
- Information security in project management.
- A policy on the use of mobile devices is in place.
- Telework policy developed and implemented.
The security of human resources is ensured both before, during and, of course, after the employment relationship is established. We are achieving individual targets in this area:
- Screening of candidates (internal and external employees, third parties) in accordance with applicable legislation and with regard to the nature of the assets they will come into contact with in the course of their work.
- Contractual arrangements that include responsibility for information security, including post-contractual obligations.
- Regular and exceptional IB training.
- Disciplinary process in place.
The Company has identified assets that are related to information and information processing and has defined owners of those assets. It has defined rules for the permissible use of these assets, including mandatory repayment in the event of termination of the contractual relationship.
The company has a DLP system in place to track sensitive and personal information. The evaluation of events is performed in the central management of the running tool.
The goal in access control is to ensure that every user has the necessary permissions to do their job, prevent unauthorized access to systems and applications, and hold users accountable for protecting their authentication information.
Access control is based on the principle of least privilege. Role management is implemented in such a way that the principle of separation of powers is respected. In order to ensure the above requirements, an IDM (Identity Management) system and processes have been put in place to ensure duties and responsibilities in all phases of the User Management and Access Management cycle (user creation/cancellation, request, approval, assignment, editing, revocation of permissions).
Special attention is paid to the transmission and use of secret authentication information and the management of privileged accounts. Their number is limited to the minimum necessary, they may only be used for defined purposes and their use is monitored.
A policy for the use of cryptographic measures and key management is developed and in place.
The company operates its production, development and testing environment in the cloud environment of the O2 data centre, which provides physical security against unauthorised access, natural disasters, deliberate attacks, accidents and network outages. All environments are logically separated from each other. The O2 Hosting Centre is certified to TIER3+ level.
O2 Cloud resources are protected according to ISO 27017 and 27018 security standards. All data traffic, web consoles and remote consoles of virtual servers are secured using the hosting center’s security resources. Data flowing over the Internet is protected by SSL Certificates, which provide even better protection than the ISO 27001:2005 standard.
Offices and server rooms for back-office systems are protected by access control and CCTV. The company has a clean desk policy for documents and removable storage media and a blank monitor screen policy for Information Processing equipment.
Documented operating procedures are available to ensure safe operation. The production environment is strictly separated from the development and testing environment. The company has change management and monitoring of available capacity in place.
Malware prevention and detection systems are implemented to protect against malware.
All production data as well as other data whose nature requires high availability are regularly backed up.
Logs from all systems must meet internal requirements for their content and format and are linked to a central SIEM (Security Information and Event Management). It provides collection, correlation, automated analysis (e.g. UBA) and archiving of logs for the purpose of detecting security risks and providing evidence. Access to logs stored in the SIEM is controlled by an internal policy to ensure their protection against tampering or destruction. One of the factors to ensure the reliability of logs as well as information from all systems is the implementation of time synchronization against a single source. Logs do not contain sensitive data such as passwords, PINs, etc.
The selection, acquisition and installation of software is subject to internal regulations.
VM (Vulnerability management) is implemented and operated to protect against technical vulnerabilities of the information systems used. The tool performs automated scans of all endpoint devices several times a week, and new vulnerabilities identified are addressed according to best practices. Regular updating and patching of all operating information systems is a matter of course.
Network segmentation, FW (Identity-Based Firewall Policy) terminal services, webfiltering, DDoS protection, redundancy measures and other technical and procedural measures are a matter of course to ensure the necessary communication security. All electronic communication with Direct Fidoo is secured using TLS 1.2 or higher.
When purchasing new information systems or extending existing ones, security requirements are defined. Transmitted information and transaction data shall be protected to prevent incomplete transmission of information, misrouting, unauthorized modification, disclosure, duplication or repetition.
Anonymised data is used for testing, and where this is not possible, the same level of security is applied to it as to production data.
The company has included security requirements in its policies for developing and managing changes to systems throughout the lifecycle, including. Part of the application development safety is the training of the internal development department. The development environment is protected, and the development includes penetration tests by an ethical hacker (EC-council certified security specialist). Possible vulnerabilities are removed before the release depending on the type of criticality.
In the case of the purchase of new information systems, installation of updates and new versions of IS, these are tested before the actual deployment.
Security measures and guarantees are also required by the company in the case of supplier relationships. Where relevant to the nature of the data and systems transferred/accessed, requirements are contractually embedded. The contractual documentation also includes requirements for ensuring the required level of service, and these are regularly evaluated and reviewed.
For the purposes of incident management, the company has developed a binding internal regulation with responsibilities and binding procedures, and an application for recording and overview of individual incidents, their status, form of resolution, responsible persons and proposed preventive measures. These requirements are also contractually enshrined with third parties.
To ensure business continuity, the company has developed a crisis management plan, which includes requirements for information security. The continuity of the production environment is ensured contractually by the O2 data centre operator.
The company strictly adheres to all legal, regulatory and contractual requirements.
In addition to the operational and technical measures described above, the following measures are implemented in the business application itself:
- Passwords protected by the Bcrypt hashing function
- Password complexity
- Penetration tests
- Automatic logout after a certain period of inactivity
- Granular roll setup
- 2FA authentication
- Biometrics option in the mobile app
- Secure O2 data centre environment
- Login block: Login is blocked if the user has more than 5 bad login attempts in 10 minutes
- Certificate pinning