Netcetera 3-D Secure Issuer Service – a secure SaaS solution

Software as a Service (SaaS) applications are currently witnessing high adoption rates among businesses. With the SaaS model, businesses can easily access a complex solution of software and infrastructure components at low operational costs. The SaaS solutions simplify the software and hardware lifecycle management, they reduce the time to market and offer on-demand scalability – making SaaS models highly beneficial.

The 3-D Secure Access Control Server is one of the software services that benefits from the SaaS deployment models. In addition to the complex assembly of infrastructure and software components, the 3-D Secure protocol requires sophisticated security and compliance tools and processes.

Netcetera is offering its 3-D Secure Issuer Service system in a SaaS model leveraging 25 years of experience in full lifecycle delivery of mission-critical, high-security software applications.

  Significant cost savings

When using the Netcetera 3-D Secure Issuer Service in a SaaS model, you benefit from the cost savings for the purchase, installation and maintenance of the hardware components that host the applications. Additionally, Netcetera continuously manages the compliance certifications with card networks[1], which means that you do not have to spend money and effort on this demanding task. Last, but not least, all system updates related to the protocol changes are managed by Netcetera on your behalf, while you reap the benefits of the service.

   Always up-to-date   

With the Netcetera 3-D Secure Issuer Service, you are always up-to-date with the latest regulatory and scheme network requirements. Netcetera is always one of the first providers to certify their ACS with the latest versions of the 3DS 2.0 protocol, as we did for the three major protocol updates in the last five years. In parallel with the compliancy updates, Netcetera’s continuous product development brings you the latest product features to stay ahead of industry trends, without requiring a new software license, software updates or maintenance efforts from your side.

   Fast time-to-market

Once you decide to use the Netcetera 3-D Secure Issuer Service system, it takes typically weeks to be up-and-running and compliant with the latest version of the 3-D Secure protocol. Netcetera has invested the time and effort to build, certify and operate the system, so that our customers just integrate in the SaaS service and start consuming it. This is only a fraction of the time it takes to be productive with an on-premises installation, because of the time it takes to acquire the scheme certifications for such a system.

   Multi-premises access  

The Netcetera 3-D Secure Issuer Service is hosted in Netcetera’s data center and can be accessed over any internet enabled site, giving you the possibility to access the service from different premises, without the need to install separate instance for each premises, and without the need to purchase new licenses. The service is charged based on consumption, regardless of how many instances are creating the requests. You don’t have to worry about additional costs for your Disaster Recovery (DR) site.

[1] Netcetera 3-D Secure Issuer Service is compliant and certified with all major schemes: Mastercard, Visa, American Express, Union Pay

As more and more services with a SaaS model become available, attention is being focused on the security and privacy of a company’s data, as well as the reliability of the service. These topics have been addressed by almost all our customers. More than 100 of them use our SaaS platform because they are convinced that their data and business is safe and secure with us.

Netcetera places the highest importance on these issues. We take technical and organizational measures for data protection, compliant with PCI-DSS, PCI-3DS, ISO 27001:2013, ISO 22301:2012 and with GDPR, so our customers can get all the benefits of the SaaS applications while guaranteeing that we operate the solution securely. The reliability of the service is above 99,5% and we continuously invest in improving this number even further.

Celebrating their 25 years anniversary in 2021, Netcetera was founded in Zurich, Switzerland, showing a steady growth even through the pandemic years and providing mission critical and highly secure solutions for major financial institutions. More than 2,000 banks and issuers, and 150,000 merchants rely on our digital payment solutions and globally certified 3-D Secure products. One of the largest banks in Switzerland has been our customer from the beginning and is still relying on our services and solutions today. We were trusted with the development of the backbone of the Swiss financial industry: the interbank payment system with over 700 million transactions annually.

For a sample of our successful customers see https://www.netcetera.com/home/company/track-record.html

We are processing our customers’ data daily to deliver our high-quality service. We understand that data is one of the most important assets for our customers, and therefore place the highest importance on data security. The data is processed in Netcetera’s data centers, with all the precautionary measures implemented to secure this asset.

Netcetera has built its own data centers from the ground up, in collocation services in Zurich, Switzerland. The data centers benefit from the exceptional connectivity, power, and physical security services, while being protected by the independence, neutrality, and the strong data privacy laws of Switzerland.

We take the following measures to fulfill the highest standards of data privacy and security:

Storing data in encrypted form is a basic measure when it comes to data protection. It ensures that the data is in an unusable format in case someone gains access to the data storage. Therefore, all payment sensitive data is encrypted at rest. Additionally, personal data is pseudonymized where technically possible, to protect the PII when being accessed by the system users. 

Netcetera 3-D Secure Issuer Services is multi-tenant system and is being used by multiple customers. Therefore, the service is designed to provide isolated environment for each tenant, and no tenant can see the data of the other tenants. This isolation is achieved by encrypting the data for each tenant with their own unique cryptographic key. These keys are safeguarded using hardware security modules (HSMs) and are governed by strict key-management procedures.

Once our service receives and secures the customer data, we have processes and tools in place to protect access to the data. All entry and exit points of the data are identified and managed by us (Netcetera employees), guaranteeing to our customers the security of the data.

Three types: 

  Physical Access Control

The security standards of Netcetera’s data center are certified according to ISO27001 (international standard for Information Security) and ISO22301 (international standard for Business Continuity Management). The physical entry is controlled by a multi-layer security system: security fence around the data center, interlocked door with electronic access control (badge), video surveillance, and a gate with 24/7 security personnel. Access permission to the cage (Netcetera’s separated area) is managed through an electronic portal of the data center operator, with full traceability.

  Logical Access Control

The data is accessed via web-based administration application that implements role-based access control. This gives us the flexibility to grant different data access levels to different roles, like administrators, call center employees, etc. Users with access to sensitive data or performing sensitive operations, are always required to authenticate with two factor authentication (2FA). All actions taken via the web-based administration application are logged and can be traced back to the individual users. The assignment to or roles for the users is managed by the customers themselves. As an additional security layer, the web-based administration application is accessible only for whitelisted IP addresses.

   Network Security

Multi-layered defense measures ensure network security: dedicated, physical network firewalls at the transition to the Internet and between the various security zones separate network zones for sensitive backend systems (database, log server, HSM, etc.), Web Application Firewall (WAF), Host- and Network-based IDS (Intrusion Detection System), Security information and event management (SIEM) with Threat Intelligence (scanning for Indicators of Compromise), vulnerability scans and manual penetration tests by independent organization entities.

Netcetera enforces strong encryption using cryptographic protocols in all processes in which data is transmitted via electronic means. To guarantee the confidentiality and integrity of the data, each service exchange between Netcetera and the customers is protected by two layers of encryption and does not rely on transport encryption only. Web services are additionally authenticated and under no circumstances will sensitive data be transmitted without encryption and authentication.

Backup of the data and disaster recovery plans are in place. With this we minimize the impact of incidents and make sure that no data is lost under any circumstance. The data is backed up in multiple locations to ensure that no single-system failure will damage it.  

To ensure data recoverability, Netcetera is prepared for any scenario with the following measures:

In the data center:

• All hardware components are redundant and redundancy is regularly tested
• Spare parts and replacement devices are directly available ("cold standby")
• The application servers and databases have redundant design (hot standby with 24/7 failover)
• Backup data is available

In the event of a disaster:

• A disaster plan is in place with annual testing of the plan
• A second data center location is available
• Backup data is available

The reliability of the service might also be a concern for the companies that decide to use SaaS service, as it is outside the control of the company. Netcetera’s solution has availability of more than 99,5% and we are continuously investing in improving it. The reliability of the solution is achieved by these measures:

• Several application instances are operated in active-active mode in every data center. This ensures fault tolerance within a single data center.
• Additionally, the two data centers are handling traffic active-active ensuring fault tolerance on data center level. All data is synchronized between the data centers.
• Data center interconnection is based on several dedicated physical links and all links have geographically separated paths and are provided by different independent suppliers. Latency of all links is below 1ms.
• All components are continuously monitored. The monitoring solution operates and reports in real time to the operational team.
• The 24x7 application support team processes the alerts and messages from the continuous monitoring as well as the input from the customers and acts according to defined incident handling procedures.

As required by PCI-DSS and PCI-3DS, which ensure the effectiveness of technical and organizational measures, Netcetera’s solution is audited annually by an external qualified security assessor (QSA) for PCI compliance.