As digitalization opens up ever more possibilities, the requirements and customer expectations regarding information security, data protection and compliance rise with them. More than ever, companies are obliged to prove their diligence and trustworthiness. We asked René Beiler, Chief Information Security Officer at *um, how certificates can help.
René, what is the purpose of certificates in IT?
With certificates, companies can demonstrate that they meet certain requirements, such as the quality or safety of their products, services and processes. The verification of compliance with these requirements - which is called an audit - is carried out by independent third parties. This creates trust and transparency.
The more sensitive the field in which the products or services are used, the more trust potential customers need. Certification makes transparent what their trust is based on, namely the evaluation by a third, independent authority.
It is self-evident that a provider must be certified in order to, for example, offer financial transactions that are trustworthy in every respect. In addition, certificates are an efficient way to manage relationships with suppliers or subcontractors. Companies are to a certain extent responsible for their suppliers and must ensure that their own standards are being maintained in the supply chain. Such requirements can be met with certifications. This saves time and money.
What is important about an IT service provider being certified?
Nowadays, many companies outsource departments that are not part of their core area of business. This applies above all to IT. Certificates serve as proof of performance and process quality, as well as evidence of a constantly increasing level of quality, data protection and security. Last but not least, with the help of certificates, IT service providers position themselves on the market as secure and trustworthy companies.
Which certificates does *um have?
Naturally, *um is certified in every conceivable context. In the context of security, the most important certificates are ISO/IEC 27001, PCI DSS certification and TISAX from the German Association of the Automotive Industry.
ISO/IEC 27001:2013 – the international standard for information security
PCI DSS (Payment Card Industry Data Security Standard) – the information security standard for the security of cardholder data
TISAX (Trusted Information Security Assessment Exchange) / VDA-ISA (German Association of the Automotive Industry – Information Security Assessment) – as proof of compliance with the information security requirements of the German automotive industry
Specifically, PCI DSS: It is said that the standard was developed to reduce credit card fraud on the Internet, and all companies that process cardholder data must comply with PCI DSS. Does *um comply as well?
Yes, indirectly. We are PCI DSS compliant because we develop, implement and operate IT architectures and solutions for companies that process cardholder data.
This means that a company can only be considered PCI DSS-compliant if its participating service provider is also certified accordingly?
Not necessarily, but it facilitates the verification for the company in question. Compliance is verified for the vendor by checking the relevant setting against the standard. This includes the service provider. If the service provider is itself PCI DSS-certified, it can already prove compliance and no longer has to be checked down to the last detail when the company is audited. We ourselves are certified accordingly and fulfill all criteria of the PCI DSS. This saves our customers a lot of time, effort and money.
The Payment Card Industry Data Security Standard (PCI DSS) demands...
What do *um customers get out of the certifications?
Our customers can rest assured that we guarantee the highest level of data protection and security. This is particularly essential in the highly sensitive financial sector. At *um, we document our own quality and diligence towards customers and partners. We make sure to meet all the required standards and have the necessary expertise to implement customer-specific, complex projects according to the highest standards.
René Beiler is Chief Information Security Officer at The unbelievable Machine Company and responsible for information and data security throughout the company.