
PCI Security Standards Council

Payment Card Industry (PCI) Data Security Standard

Attestation of Compliance for Onsite Assessments - Service Providers

Version 3.2

April 2016

Section 1: Assessment Information

Instructions for Submission

This Attestation of Compliance must be completed as a declaration of the results of the service provider's assessment with the Payment Card Industry Data Security Standard Requirements and Security Assessment Procedures (PCI DSS). Complete all sections: The service provider is responsible for ensuring that each section is completed by the relevant parties, as applicable. Contact the requesting payment brand for reporting and submission procedures.

Part 1. Service Provider and Qualified Security Assessor Information

Part 1a. Service Provider Organization Information

Company Name: International Card Systems AD CaSys International

DBA (doing business as): (blank)

Contact Name: Lidija Vucidolova-Bogoevska

Title: Internal Auditor

Telephone: +389 2 3293 879    E-mail: [email protected]

Business Address: Kuzman Josifovski Pitu No. 1

City: Skopje

State/Province: Skopje    Country: Macedonia    Zip: 1000

URL: http://www.casys.com.mk

Part 1b. Qualified Security Assessor Company Information (if applicable)

Company Name: Compliance Control Ltd.

Lead QSA Contact Name: Evgeny Babitsky    Title: Deputy CEO

Telephone: +7 499 136-27-66    E-mail: [email protected]

Business Address: Revoluytcionnaya str., d. 3    City: Volokolamsk

State/Province: Moscow region    Country: Russia    Zip: 143600

URL: http://www.compliance-control.ru

PCI DSS v3.2 Attestation of Compliance for Onsite Assessments - Service Providers, Rev. 1.0    April 2016
© 2006-2016 PCI Security Standards Council, LLC. All Rights Reserved.    Page 1


Part 2. Executive Summary

Part 2a. Scope Verification

Services that were INCLUDED in the scope of the PCI DSS Assessment (check all that apply):

Name of service(s) assessed: Processing services for banks

Type of service(s) assessed:

Hosting Provider:
[ ] Applications / software
[ ] Hardware
[ ] Infrastructure / Network
[ ] Physical space (co-location)
[ ] Storage
[ ] Web
[ ] Security services
[ ] 3-D Secure Hosting Provider
[ ] Shared Hosting Provider
[ ] Other Hosting (specify):

Managed Services (specify):
[ ] Systems security services
[ ] IT support
[ ] Physical security
[ ] Terminal Management System
[ ] Other services (specify):

Payment Processing:
[x] POS / card present
[x] Internet / e-commerce
[x] MOTO / call center
[ ] ATM
[ ] Other processing (specify):

[ ] Account Management    [x] Fraud and Chargeback    [x] Payment Gateway/Switch
[ ] Back-Office Services    [?] Issuer Processing    [ ] Prepaid Services
[ ] Billing Management    [ ] Loyalty Programs    [ ] Records Management
[x] Clearing and Settlement    [ ] Merchant Services    [ ] Tax/Government Payments
[ ] Network Provider
[?] Others (specify):

(Checkboxes marked [?] are not legible in the scan.)

Note: These categories are provided for assistance only, and are not intended to limit or predetermine an entity's service description. If you feel these categories don't apply to your service, complete "Others." If you're unsure whether a category could apply to your service, consult with the applicable payment brand.


Part 2a. Scope Verification (continued)

Services that are provided by the service provider but were NOT INCLUDED in the scope of the PCI DSS Assessment (check all that apply):

Name of service(s) not assessed: (blank)

Type of service(s) not assessed:

Hosting Provider:
[ ] Applications / software
[ ] Hardware
[ ] Infrastructure / Network
[ ] Physical space (co-location)
[ ] Storage
[ ] Web
[ ] Security services
[ ] 3-D Secure Hosting Provider
[ ] Shared Hosting Provider
[ ] Other Hosting (specify):

Managed Services (specify):
[ ] Systems security services
[ ] IT support
[ ] Physical security
[ ] Terminal Management System
[ ] Other services (specify):

Payment Processing:
[ ] POS / card present
[ ] Internet / e-commerce
[ ] MOTO / call center
[ ] ATM
[ ] Other processing (specify):

[ ] Account Management
[ ] Back-Office Services
[ ] Billing Management
[ ] Clearing and Settlement
[ ] Network Provider
[ ] Fraud and Chargeback
[ ] Payment Gateway/Switch
[ ] Prepaid Services
[ ] Records Management
[ ] Tax/Government Payments
[ ] Others (specify):

Provide a brief explanation why any checked services were not included in the assessment: (blank)

Part 2b. Description of Payment Card Business

Describe how and in what capacity your business stores, processes, and/or transmits cardholder data:

CaSys provides different processing services for several banks within the country. While providing these services the entity deals with CHD storage, transmission and processing. The number of transactions for either VISA or Mastercard is much more than 300,000 each, which corresponds to a Level 1 service provider.

Describe how and in what capacity your business is otherwise involved in or has the ability to impact the security of cardholder data:

No other way of being involved in or having the ability to impact the security of CHD exists except the above.

Part 2c. Locations

List types of facilities (for example, retail outlets, corporate offices, data centers, call centers, etc.) and a summary of locations included in the PCI DSS review.

Type of facility | Number of facilities of this type | Location(s) of facility (city, country)
Example: Retail outlets | (not captured in scan) | Boston, MA, USA
Head office and primary DC | (not captured in scan) | Skopje, Macedonia

Part 2d. Payment Applications

Does the organization use one or more Payment Applications? [?] Yes [?] No (mark not legible in the scan)

Provide the following information regarding the Payment Applications your organization uses:

Payment Application Name | Version Number | Application Vendor | Is application PA-DSS Listed? | PA-DSS Listing Expiry date (if applicable)
cPay | (not captured in scan) | Dais Software | [ ] Yes [x] No | (blank)
CMS | (not captured in scan) | Comsoft | [ ] Yes [x] No | (blank)
Base24 | (not captured in scan) | ACI | [x] Yes [ ] No | (blank)
(remaining rows blank)

Part 2e. Description of Environment

Provide a high-level description of the environment covered by this assessment. For example:
- Connections into and out of the cardholder data environment (CDE).
- Critical system components within the CDE such as POS devices, databases, web servers, etc., and any other necessary payment components, as applicable.

The internal network is properly segmented and the CDE consists of:
- Shared segment for users-to-CDE access
- Perso segment
- Several server segments based on the service provided
- DMZ for external-facing services
- Connections to external parties

Does your business use network segmentation to affect the scope of your PCI DSS environment? (Refer to "Network Segmentation" section of PCI DSS for guidance on network segmentation) [x] Yes [ ] No


Part 2f. Third-Party Service Providers

Does your company have a relationship with a Qualified Integrator & Reseller (QIR) for the purpose of the services being validated? [ ] Yes [?] No (mark not legible in the scan)

If Yes:
Name of QIR Company: (blank)
QIR Individual Name: (blank)
Description of services provided by QIR: (blank)

Does your company have a relationship with one or more third-party service providers (for example, Qualified Integrator Resellers (QIR), gateways, payment processors, payment service providers (PSP), web-hosting companies, airline booking agents, loyalty program agents, etc.) for the purpose of the services being validated? [x] Yes [ ] No

If Yes:
Name of service provider | Description of services provided
DAIS Software | Software development

Note: Requirement 12.8 applies to all entities in this list.


Part 2g. Summary of Requirements Tested

For each PCI DSS Requirement, select one of the following:
- Full - The requirement and all sub-requirements of that requirement were assessed, and no sub-requirements were marked as "Not Tested" or "Not Applicable" in the ROC.
- Partial - One or more sub-requirements of that requirement were marked as "Not Tested" or "Not Applicable" in the ROC.
- None - All sub-requirements of that requirement were marked as "Not Tested" and/or "Not Applicable" in the ROC.

For all requirements identified as either "Partial" or "None," provide details in the "Justification for Approach" column, including:
- Details of specific sub-requirements that were marked as either "Not Tested" and/or "Not Applicable" in the ROC
- Reason why sub-requirement(s) were not tested or not applicable

Note: One table to be completed for each service covered by this AOC. Additional copies of this section are available on the PCI SSC website.

Name of Service Assessed: Processing services for banks

Details of Requirements Assessed

PCI DSS Requirement | Full / Partial / None | Justification for Approach (Required for all "Partial" and "None" responses. Identify which sub-requirements were not tested and the reason.)
Requirement 1 | Partial | 1.2.3 - No wireless networks are used. 1.4 - No employee-owned PCs are in use.
Requirement 2 | Partial | 2.1.1 - No wireless networks are used. 2.2.3 - No insecure protocols are in use. 2.6 - Bank is not a shared hosting provider.
Requirement 3 | Partial | 3.4.1 - No full-disk encryption is used.
Requirement 4 | Partial | 4.1.1 - No wireless networks are used. 4.2 - PANs are not sent via end-user messaging services.
Requirement 5 | Full |
Requirement 6 | Full |
Requirement 7 | Full |
Requirement 8 | Partial | 8.5.1 - No remote access to customers is used.
Requirement 9 | Partial | 9.6.2 and 9.6.3 - No media with CHD are sent outside the facility. 9.9 - No POS terminal management services are provided to clients.
Requirement 10 | Full |
Requirement 11 | Full |
Requirement 12 | Full |
Appendix A1 | None | The entity is not a shared hosting provider.
Appendix A2 | None | No insecure protocols are in use.

Section 2: Report on Compliance

This Attestation of Compliance reflects the results of an onsite assessment, which is documented in an accompanying Report on Compliance (ROC).

The assessment documented in this attestation and in the ROC was completed on: 27 June 2018

Have compensating controls been used to meet any requirement in the ROC? [?] Yes [ ] No (mark not legible in the scan)

Were any requirements in the ROC identified as being not applicable (N/A)? [?] Yes [?] No (mark not legible in the scan)

Were any requirements not tested? [ ] Yes [x] No

Were any requirements in the ROC unable to be met due to a legal constraint? [ ] Yes [x] No


Section 3: Validation and Attestation Details

Part 3. PCI DSS Validation

This AOC is based on results noted in the ROC dated 27 June 2018.

Based on the results documented in the ROC noted above, the signatories identified in Parts 3b-3d, as applicable, assert(s) the following compliance status for the entity identified in Part 2 of this document (check one):

[x] Compliant: All sections of the PCI DSS ROC are complete, all questions answered affirmatively, resulting in an overall COMPLIANT rating, thereby International Card Systems AD CaSys International has demonstrated full compliance with the PCI DSS.

[ ] Non-Compliant: Not all sections of the PCI DSS ROC are complete, or not all questions are answered affirmatively, resulting in an overall NON-COMPLIANT rating, thereby (blank) has not demonstrated full compliance with the PCI DSS.

Target Date for Compliance: (blank)

An entity submitting this form with a status of Non-Compliant may be required to complete the Action Plan in Part 4 of this document. Check with the payment brand(s) before completing Part 4.

[ ] Compliant but with Legal exception: One or more requirements are marked "Not in Place" due to a legal restriction that prevents the requirement from being met. This option requires additional review from acquirer or payment brand.

If checked, complete the following:

Details of how legal constraint prevents requirement being met: (blank)

Part 3a. Acknowledgement of Status

Signatory(s) confirms (check all that apply):

[x] The ROC was completed according to the PCI DSS Requirements and Security Assessment Procedures, Version 3.2, and was completed according to the instructions therein.

[?] All information within the above-referenced ROC and in this attestation fairly represents the results of my assessment in all material respects.

[x] I have confirmed with my payment application vendor that my payment system does not store sensitive authentication data after authorization.

[x] I have read the PCI DSS and I recognize that I must maintain PCI DSS compliance, as applicable to my environment, at all times.

[?] If my environment changes, I recognize I must reassess my environment and implement any additional PCI DSS requirements that apply.

(Checkboxes marked [?] are not legible in the scan.)


Part 3a. Acknowledgement of Status (continued)

[x] No evidence of full track data(1), CAV2, CVC2, CID, or CVV2 data(2), or PIN data(3) storage after transaction authorization was found on ANY system reviewed during this assessment.

[ ] ASV scans are being completed by Approved Scanning Vendor Qualys.

Part 3b. Service Provider Attestation

Signature of Service Provider Executive Officer    Date: 27 June 2018

Service Provider Executive Officer Name: Biljana Donovska Gecheva

Title: Board of Directors President and Executive Director

Part 3c. Qualified Security Assessor (QSA) Acknowledgement (if applicable)

If a QSA was involved or assisted with this assessment, describe the role performed: The QSA was performing the assessment.

Signature of Duly Authorized Officer of QSA Company    Date: 27 June 2018

Duly Authorized Officer Name: Evgeny Babitsky    QSA Company: Compliance Control Ltd.

Part 3d. Internal Security Assessor (ISA) Involvement (if applicable)

If an ISA(s) was involved or assisted with this assessment, identify the ISA personnel and describe the role performed: (blank)

(1) Data encoded in the magnetic stripe or equivalent data on a chip used for authorization during a card-present transaction. Entities may not retain full track data after transaction authorization. The only elements of track data that may be retained are primary account number (PAN), expiration date, and cardholder name.
(2) The three- or four-digit value printed by the signature panel or on the face of a payment card used to verify card-not-present transactions.
(3) Personal identification number entered by cardholder during a card-present transaction, and/or encrypted PIN block present within the transaction message.


Part 4. Action Plan for Non-Compliant Requirements

Select the appropriate response for "Compliant to PCI DSS Requirements" for each requirement. If you answer "No" to any of the requirements, you may be required to provide the date your Company expects to be compliant with the requirement and a brief description of the actions being taken to meet the requirement.

Check with the applicable payment brand(s) before completing Part 4.

PCI DSS Requirement | Description of Requirement | Compliant to PCI DSS Requirements (Select One): Yes / No | Remediation Date and Actions (if "NO" selected for any Requirement)
1 | Install and maintain a firewall configuration to protect cardholder data | [?] |
2 | Do not use vendor-supplied defaults for system passwords and other security parameters | [?] |
3 | Protect stored cardholder data | [?] |
4 | Encrypt transmission of cardholder data across open, public networks | [?] |
5 | Protect all systems against malware and regularly update anti-virus software or programs | [?] |
6 | Develop and maintain secure systems and applications | [?] |
7 | Restrict access to cardholder data by | [?] |
9 | Restrict physical access to cardholder data | [?] |
10 | Track and monitor all access to network resources and cardholder data | [?] |
11 | Regularly test security systems and processes | [?] |
12 | Maintain a policy that addresses information security for all personnel | [?] |
Appendix A1 | Additional PCI DSS Requirements for Shared Hosting Providers | [?] |
Appendix A2 | Additional PCI DSS Requirements for Entities using SSL/early TLS | [?] |

(The Yes/No marks in the "Compliant to PCI DSS Requirements" column and the row for Requirement 8 were not legible in the scan; the Remediation column is blank.)