SabPaisa Security

  1. Are the servers (PROD & DR) kept behind a firewall?
  2. Yes
  3. Is physical access to the servers restricted to a select group of authenticated users?
  4. Yes, through passwords. Only the people in the deployment role have the password.
  5. Is Disaster Recovery available for the application & database?
  6. Yes, we have DR. Apart from DR, we can also rebuild the set-up within an hour from the last deployed application versions and the database backup.
  7. If yes, what is the replication method & duration?
  8. The database is both replicated and backed up twice a day.
  9. Where are the Production & DR servers residing?
  10. Prod – Noida. DR – Faridabad
  1. Are the applications thoroughly tested?
  2. Yes. All tests are run in the QA and UAT environments before a release moves to Production.
  3. What types of tests are exercised?
  4. Several types of tests are exercised, including black-box testing, load testing, GUI testing, stress testing, regression testing, smoke testing, security testing, functional testing and ad-hoc testing.
  5. Are Vulnerability Assessment and Penetration Testing (VAPT) done at periodic intervals?
  6. Yes
  7. Which penetration tests are performed?
  8. External, internal and web application penetration tests are performed on all network components and on the servers exposed to the internet, and are repeated whenever there is a significant change to the application architecture or the network architecture.
  9. Is hardening of the various underlying technologies done?
  10. Yes. At the OS level (security patches, virus protection, etc.) and at the software level (strong passwords, data backups, encryption of sensitive data, etc.).
  1. Does the application have change process controls in place?
  2. Yes
  3. What are the change process controls?
  4. A change management process is used to track all changes to network components, servers and desktops. Every change is required to include the following:
    • All changes are approved by a team other than the requester.
    • All changes list the system components involved.
    • Each change request records the impact the change may have on those system components.
    • Any information security threat arising from the change is recorded as part of change management.
    • Roll-back procedures are included for every change.
  1. Are authentication pages SSL/TLS encrypted?
  2. Yes
  3. Is all critical data obtained over an HTTPS channel negotiated with TLS v1.2?
  4. Yes
  5. Where is the HTTPS channel from the customer's browser terminated?
  6. Only on the application server.
  7. Are all connections to the Payment Gateway made over an HTTPS channel using TLS v1.2?
  8. Yes
  9. From where is the Payment Gateway connection initiated?
  10. Directly from the client application server.
  1. What is the mechanism used to maintain state in a session?
  2. Objects are stored in the server-side session.
  3. Are cookies used for storing any sensitive information?
  4. No
  5. Is the algorithm used for session IDs randomised?
  6. Yes, session IDs are generated randomly by the servlet container (Tomcat).
  7. Is server-side input validation built in for type, length, format, range, etc.?
  8. Yes
  9. Is canonicalization used on the server side?
  10. Yes
  11. Are all headers, cookies, query strings, form fields and hidden fields that accept input validated against allow-lists of acceptable data?
  12. Yes
  13. Do free-form fields have a limit on the amount of text allowed?
  14. Yes
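The validation answers above (server-side canonicalization, allow-lists for headers, cookies, query strings and form fields, and a length cap on free-form text) as one worked routine. This is an added example written for this page, not SabPaisa's code; the field names, the accepted formats and the assumed 32-character Tomcat session id are illustrative assumptions, and the request in main() is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
	"unicode/utf8"
)

// FieldRule is the allow-list rule for one input: after canonicalization the
// value must be at most MaxLen characters and match Pattern in full.
type FieldRule struct {
	Pattern *regexp.Regexp
	MaxLen  int
}

// rules is keyed by "<source>:<name>" so that headers, cookies, query-string
// and form fields are all covered. Names and formats are assumptions made for
// this example, not SabPaisa's real parameters.
var rules = map[string]FieldRule{
	"header:X-Request-Id": {regexp.MustCompile(`^[a-f0-9]{32}$`), 32},
	"cookie:JSESSIONID":   {regexp.MustCompile(`^[A-F0-9]{32}$`), 32}, // assumed Tomcat id length
	"query:txn_id":        {regexp.MustCompile(`^[A-Z0-9]{8,20}$`), 20},
	"form:amount":         {regexp.MustCompile(`^[0-9]{1,7}(\.[0-9]{1,2})?$`), 10},
	"form:currency":       {regexp.MustCompile(`^(INR|USD)$`), 3},
	// Free-form text still gets a character allow-list and a hard length cap.
	"form:remarks": {regexp.MustCompile(`^[A-Za-z0-9 .,'-]*$`), 100},
}

var residualEncoding = regexp.MustCompile(`%[0-9A-Fa-f]{2}`)

// Canonicalize reduces raw input to the single form the allow-list is checked
// against: percent-decoded exactly once, valid UTF-8, no control characters
// and no encoded bytes left over. Input that is still encoded after one decode
// (e.g. %252e%252e, a double-encoded "..") is rejected rather than decoded
// again, so the validator and the application always see the same bytes.
func Canonicalize(raw string) (string, error) {
	decoded, err := url.QueryUnescape(raw)
	if err != nil {
		return "", fmt.Errorf("malformed percent-encoding: %w", err)
	}
	if residualEncoding.MatchString(decoded) {
		return "", errors.New("double-encoded input rejected")
	}
	if !utf8.ValidString(decoded) {
		return "", errors.New("invalid UTF-8")
	}
	for _, r := range decoded {
		if r < 0x20 || r == 0x7f {
			return "", errors.New("control character in input")
		}
	}
	return strings.TrimSpace(decoded), nil
}

// Validate returns the canonical value of one input, or an error if the field
// is not in the allow-list, cannot be canonicalized, is too long or does not
// match the field's pattern. Unknown fields are rejected, not ignored.
func Validate(field, raw string) (string, error) {
	rule, ok := rules[field]
	if !ok {
		return "", fmt.Errorf("%s: not an accepted input", field)
	}
	v, err := Canonicalize(raw)
	if err != nil {
		return "", fmt.Errorf("%s: %w", field, err)
	}
	if utf8.RuneCountInString(v) > rule.MaxLen {
		return "", fmt.Errorf("%s: longer than %d characters", field, rule.MaxLen)
	}
	if !rule.Pattern.MatchString(v) {
		return "", fmt.Errorf("%s: does not match the allowed format", field)
	}
	return v, nil
}

// ValidateAll checks every submitted input and returns the cleaned values plus
// one error per rejected input; a request with any error should be refused.
func ValidateAll(inputs map[string]string) (map[string]string, []error) {
	clean := make(map[string]string, len(inputs))
	var errs []error
	for field, raw := range inputs {
		v, err := Validate(field, raw)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		clean[field] = v
	}
	return clean, errs
}

func main() {
	// Constructed request: three acceptable inputs and three that must be refused.
	_, errs := ValidateAll(map[string]string{
		"query:txn_id":      "SP20240101AB",
		"form:amount":       "1250.50",
		"form:currency":     "INR",
		"form:remarks":      "%252e%252e/etc/passwd", // double-encoded path traversal
		"cookie:JSESSIONID": "abc",                   // wrong length and alphabet
		"form:debug":        "1",                     // not an accepted field at all
	})
	for _, e := range errs {
		fmt.Println("rejected:", e)
	}
}
```

The order is the point: canonicalize first, then check length and pattern on the canonical value, and refuse anything still percent-encoded after one decode instead of decoding again, so the validator and the application never disagree about what the input is.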
  1. Is encryption used to secure critical data?
  2. Yes
  3. Is critical data encrypted in all the locations where it is stored?
  4. Yes. The encryption algorithm is AES with 256-bit keys.
  5. What keys are used in encryption?
  6. The following keys are used:
    • A data encryption key (DEK) is used to encrypt the data.
    • A master encryption key (MEK) is used to encrypt the DEK.
  7. How is the DEK generated?
  8. It is randomly generated by the application, without any intervention by human users.
  9. Is the MEK split?
  10. Yes. The MEK is split into two key components, which are distributed to two key custodians. Neither custodian has full knowledge of the key on their own.
  11. How are the keys stored?
  12. The keys are stored as follows:
    • The DEK, encrypted under the MEK, is stored as a key file on the database server.
    • The MEK is stored as a key file on the application server.
  13. Is there a Key Management Policy?
  14. Yes. There is a thorough Key Management policy, with a specific module for changing the keys as and when required. Retired keys are deleted securely so that they cannot be reconstructed.
  15. Does the CDE have a separate firewall?
  16. Yes. It monitors traffic at the following boundaries:
    • Between the internet and the web server/merchant applications
    • Between the web server/merchant applications and the application server
    • Between the application server and the database server
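The DEK/MEK scheme described in answers 6 to 10 above, as an added example (not SabPaisa's implementation): a random DEK per record used with AES-256-GCM, the DEK wrapped under the MEK, and the MEK split by XOR into two components so that neither custodian's share reveals anything about the key. The record id and the sample data are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const keyLen = 32 // AES-256

// NewKey draws a fresh 256-bit key from the OS CSPRNG; no human chooses it.
func NewKey() ([]byte, error) {
	k := make([]byte, keyLen)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

// sealGCM encrypts with AES-256-GCM and returns nonce || ciphertext || tag.
// aad binds the result to a context (here the record id) so an encrypted
// value cannot be silently moved to another record.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; any change to nonce, ciphertext, tag or aad fails.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// SplitKey splits the MEK for two custodians: a random share and the XOR of
// the MEK with it. Each component alone is uniformly random and says nothing
// about the MEK; both are needed to rebuild it.
func SplitKey(mek []byte) (share1, share2 []byte, err error) {
	if len(mek) != keyLen {
		return nil, nil, errors.New("MEK has wrong length")
	}
	share1, err = NewKey()
	if err != nil {
		return nil, nil, err
	}
	share2 = make([]byte, keyLen)
	for i := range mek {
		share2[i] = mek[i] ^ share1[i]
	}
	return share1, share2, nil
}

// JoinKey reconstructs the MEK from the two custodians' components.
func JoinKey(share1, share2 []byte) ([]byte, error) {
	if len(share1) != keyLen || len(share2) != keyLen {
		return nil, errors.New("key component has wrong length")
	}
	mek := make([]byte, keyLen)
	for i := range mek {
		mek[i] = share1[i] ^ share2[i]
	}
	return mek, nil
}

// Envelope is what gets stored: the DEK wrapped under the MEK beside the data
// sealed under the DEK. The DEK never exists unencrypted at rest.
type Envelope struct {
	WrappedDEK []byte // DEK encrypted under the MEK
	Ciphertext []byte // record encrypted under the DEK
}

// EncryptRecord generates a random DEK for the record, seals the data under
// it and wraps the DEK under the MEK.
func EncryptRecord(mek, recordID, data []byte) (Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := sealGCM(dek, data, recordID)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := sealGCM(mek, dek, recordID)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// DecryptRecord unwraps the DEK with the MEK, then opens the record with it.
func DecryptRecord(mek, recordID []byte, env Envelope) ([]byte, error) {
	dek, err := openGCM(mek, env.WrappedDEK, recordID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openGCM(dek, env.Ciphertext, recordID)
}

func main() {
	mek, _ := NewKey()
	c1, c2, _ := SplitKey(mek) // hand c1 and c2 to the two custodians
	env, _ := EncryptRecord(mek, []byte("txn-0001"), []byte("constructed sample record"))
	recovered, _ := JoinKey(c1, c2)
	pt, err := DecryptRecord(recovered, []byte("txn-0001"), env)
	fmt.Printf("%s %v\n", pt, err)
}
```

The XOR split is what makes each custodian's share useless on its own; simply handing each custodian half of the key bytes would leave each of them with 128 bits of the key. The reconstructed MEK should exist only in the memory of the process that needs it, and the wrapped DEK is what sits in the key file on the database server.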
  1. How is an error that might cause the program, or part of the program, to fail treated?
  2. Through exception handling: the exception is caught, logged and transformed into a custom error report for the client.
  3. Is access to the logs restricted and logged?
  4. Yes
  5. For which events are logs collected from all the system components?
  6. Logs are collected for 7 types of event:
    • All individual access to systems containing cardholder data
    • All administrator access to the system components in PCI-DSS scope
    • All access to the logs and audit trails collected from the system components
    • All invalid logical access attempts to the system components
    • Use of any access control mechanism
    • Starting, stopping, modifying and/or capturing the logs
    • Creation and deletion of system-level objects such as firewall rules, new users, new file shares, new network connections, new application executables and new application installations
  7. If yes, are the logs for all of these events actually recorded?
  8. Yes. The logs for all 7 event types described above are recorded.
  9. Are critical application system logs/audit trails backed up, and is this incorporated in the application backup policy?
  10. Yes
  11. Is sensitive authentication data such as the CVV2 stored anywhere in the ecosystem?
  12. No. It is not stored anywhere in the ecosystem: not in the mobile/hand-held device application, the application server, the database, the application logs or trace files.
  13. Is a file integrity monitoring (FIM) tool used on the critical system files?
  14. Yes. MonitorPaisa (FIM) is used and generates alerts when any change is detected in these files. The critical system files include:
    • application executables
    • configuration files
    • password files (PAM and/or SAM files)
    • key files
    MonitorPaisa alerts the relevant stakeholders when anomalous behaviour is detected; the alert is sent by email or by text message to their phones.
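The baseline-and-compare loop that a file integrity monitor performs on files like the ones listed above, as an added example written for this page. It is not MonitorPaisa and does not describe how MonitorPaisa works; the paths, file contents and alert format in main() are constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"sort"
)

// Fingerprint is what the baseline records for one monitored file: a content
// hash and the permission bits. Content is hashed (rather than size or mtime)
// because mtime can be reset with touch and a same-length edit keeps the size;
// the mode is kept so a key file quietly made world-readable is also caught.
type Fingerprint struct {
	Sum  string
	Mode os.FileMode
}

// Baseline maps a monitored path to its trusted fingerprint.
type Baseline map[string]Fingerprint

func fingerprint(path string) (Fingerprint, error) {
	f, err := os.Open(path)
	if err != nil {
		return Fingerprint{}, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return Fingerprint{}, err
	}
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return Fingerprint{}, err
	}
	return Fingerprint{Sum: hex.EncodeToString(h.Sum(nil)), Mode: info.Mode().Perm()}, nil
}

// TakeBaseline fingerprints every monitored path. It has to be taken from a
// known-good state (e.g. straight after deployment) and stored where the
// monitored host cannot rewrite it, or an intruder simply re-baselines.
func TakeBaseline(paths []string) (Baseline, error) {
	b := make(Baseline, len(paths))
	for _, p := range paths {
		fp, err := fingerprint(p)
		if err != nil {
			return nil, fmt.Errorf("baseline %s: %w", p, err)
		}
		b[p] = fp
	}
	return b, nil
}

// Change is one detected deviation from the baseline.
type Change struct {
	Path string
	Kind string // "modified", "mode-changed", "deleted" or "unreadable"
}

// Check re-fingerprints every baselined path and reports deviations, sorted
// by path so repeated runs produce stable output.
func Check(b Baseline) []Change {
	var changes []Change
	for p, want := range b {
		got, err := fingerprint(p)
		switch {
		case os.IsNotExist(err):
			changes = append(changes, Change{Path: p, Kind: "deleted"})
		case err != nil:
			changes = append(changes, Change{Path: p, Kind: "unreadable"})
		case got.Sum != want.Sum:
			changes = append(changes, Change{Path: p, Kind: "modified"})
		case got.Mode != want.Mode:
			changes = append(changes, Change{Path: p, Kind: "mode-changed"})
		}
	}
	sort.Slice(changes, func(i, j int) bool { return changes[i].Path < changes[j].Path })
	return changes
}

// Alerts renders changes as the one-line messages that would go out by
// email or SMS to the stakeholders.
func Alerts(changes []Change) []string {
	var out []string
	for _, c := range changes {
		out = append(out, fmt.Sprintf("FIM ALERT: %s %s", c.Path, c.Kind))
	}
	return out
}

func main() {
	// Constructed demo in a temporary directory standing in for the
	// application's configuration and key files.
	dir, _ := os.MkdirTemp("", "fim")
	defer os.RemoveAll(dir)
	cfg, key := dir+"/app.conf", dir+"/master.key"
	os.WriteFile(cfg, []byte("db.host=10.0.0.5\n"), 0o640)
	os.WriteFile(key, []byte("constructed-key-material"), 0o600)
	base, _ := TakeBaseline([]string{cfg, key})
	os.WriteFile(cfg, []byte("db.host=203.0.113.9\n"), 0o640) // tampered
	os.Chmod(key, 0o644)                                        // now world-readable
	for _, a := range Alerts(Check(base)) {
		fmt.Println(a)
	}
}
```

What turns this loop into a useful control is the baseline's provenance: it must come from a known-good state and be kept somewhere the monitored host cannot write, and each run must compare against that copy. Otherwise an intruder who can change the files can also refresh the baseline, and no alert ever fires.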