INFO: My Mobile Tickets - Security Overview

posted 22 Jun 2018, 02:18 by Mobile Onboard System Admin   [ updated 22 Jun 2018, 02:56 ]
My Mobile Tickets - IT Security Overview

Platform Infrastructure
Mobile Onboard's My Mobile Tickets and mTicketr Cloud infrastructure has been built on the Amazon Web Services (AWS) cloud computing platform. This offers us high availability and scalability to meet the increasing demands on our system.

AWS has data centres at strategic locations across the world, which allows us to deploy instances of the platform in the regions that suit the legislative, data protection and performance needs of the application and the customer.

AWS is responsible for protecting the global infrastructure that runs all of the services offered in the AWS cloud. This infrastructure is comprised of the hardware, software, networking and facilities that run AWS services. AWS can provide several reports from third-party auditors who have verified its compliance with a variety of computer security standards and regulations (for more information, visit https://aws.amazon.com/compliance).

Full information regarding AWS security can be found at: https://aws.amazon.com/security/

The AWS Security Whitepaper, which gives full details, can be downloaded from https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf.

The core AWS services that the My Mobile Tickets infrastructure has been built on are:
-    EC2
-    Elastic Beanstalk
-    S3 Storage System
-    Relational Database Service
-    Simple Email Service
-    Simple Notification Service
-    Amazon API Gateway
-    Simple Queue Service
-    Identity and Access Management
-    Amazon Route 53

Internal Security
Access to the My Mobile Tickets platform is strictly controlled and limited to specific personnel within Mobile Onboard. No external personnel or contractors have access to the servers or platform. We maintain security with:
-    Strong passwords and keys
-    Firewall-controlled access
-    VPN access to services
-    Monitoring of systems and real-time alerts

Data Security
Access to our databases is strictly controlled and permitted only from specific IP addresses. Each server and application has its own credentials for the common databases, so that access from any one system can be revoked immediately without affecting the access of other systems.

Each database is fully backed up a minimum of once a day, and the backup data is shipped to a secure server outside of the AWS environment. Full server snapshots are taken at regular intervals to ensure quick business recovery in the event of a system issue.

Web App Electronic Payments
Where we provide the electronic (card) payments services through the My Mobile Tickets Web App, we confirm that we are PCI DSS compliant as certified by Elavon and Sysnet.

Where payments are made through an MMT account holder's own gateway, the account holder is responsible for any card scheme compliance.

All of our Web apps are secured with Extended Validation (EV) SSL certificates issued by a trusted Certificate Authority. We do not store card details on our own servers. Any stored card details are held by the Acquirer, and if the customer requests that the app "remembers" their details, we store only a token provided by the Acquirer.

On-Site Kiosk Payment Systems
On-site Kiosk payments are treated as "customer present, unattended", so there are certain Card Scheme (e.g. Visa, Mastercard) criteria that need to be met in terms of integration with the My Mobile Tickets platform and related security. If the MMT account holder is using their own merchant account (rather than our payment gateway), then they are responsible for any compliance required by their acquirer, as the payment transactions are made directly between the Customer, the Acquirer and the Merchant. Mobile Onboard only processes the "success/failure" responses at the time of purchase, via the approved software integration with the Kiosk infrastructure.

In general, unattended Kiosk payments and the PIN-entry device are monitored and processed by Creditcall, a Card Scheme approved gateway provider for chip-and-PIN / contactless payments. See https://www.creditcall.com for more information.

The Kiosk payment hardware, such as the PIN-entry device and card reader, is provided by Hemisphere West (http://www.hweurope.com). Hemisphere West partners with Creditcall to provide a fully compliant physical payment system from end to end.

Unattended devices are built to a different standard than indoor devices. They are designed to withstand moisture ingress, temperature extremes and impact attacks, and have built-in tamper switches that activate if an attempt to open the device is detected. Devices conform to PCI PTS 3.x or above, which is the security standard for payment hardware devices as defined by the Payment Card Industry (PCI).
