Security is at the core of everything we do. As a PCI SSC Participating Organization and an EMVCo Business and Technical Associate we have the inside track on emerging threats and advanced knowledge of changes in security regulation. Our systems are constantly updated and maintained to exceed industry standards, so you can rest assured your business is in safe hands.
PCI DSS Level 1 Compliance
NMI is a validated PCI DSS Level 1 Service Provider. This is the industry’s highest level of certification. Reviewed annually, an intensive onsite audit ensures the highest compliance levels are maintained and adhered to. As such, we are on Visa’s Global Registry of Service Providers and Mastercard’s Compliant Service Provider List
NMI recently acquired Creditcall, during the initial transition both NMI & Creditcall’s AoC certifications may be applicable to your solution, please contact us for more information.
- Download Our Attestation Of Compliance (PDF – Omni) (Last updated: March 27th 2021)
- Download Our Attestation Of Compliance (PDF – Cardease/ChipDNA) (Last updated: April 14th 2021)
It is widely acknowledged that encrypting cardholder data at the earliest possible point in the transaction chain is the best way of ensuring its security. As such, our PCI P2PE (Point-to-Point Encryption) solutions secure cardholder data in transit and offer the benefits of simplified PCI DSS compliance to merchants that properly implement our PCI P2PE certified solution.
The essence of P2PE is that secure card readers and PIN pads are securely injected with cryptographic keys that the Merchant has no knowledge of. Cardholder data is securely encrypted by the card reader or PIN pad. This data can then only be decrypted by a HSM (Hardware Security Module) at NMI.
NMI is audited and assessed to comply with the Payment Card Industry PCI PIN Security Requirements version 2.0. The PCI PIN standard is a set of requirements for the secure management, processing, and transmission of personal identification numbers (PINs) during online and offline payment card transaction processing at attended and unattended devices, such as ATMs, kiosks and point of sale (POS) terminals.
NMI is audited and assessed to comply with the American National Standards Institute (ANSI) TR-39 (TG-3) standard to validate proper PIN security and key management practices. Organizations dealing with PIN debit transactions within automated teller machine (ATM) or point of sale (POS) environments or maintaining a processing network that connects directly to an online debit network for transaction processing need to comply with the ANSI-based TR-39 standard.
Security and reliability
Prohibited data storage
To comply with the strictest security standards, NMI does not store raw magnetic-stripe (Track 2), card validation codes or PIN block data. Storage of this data is strictly prohibited by PCI DSS.
Data At Rest Encryption
Cardholder data is secured by using a combination of symmetric and asymmetric cryptographic algorithms that utilise larger than required key lengths in a scheme that has been assessed by our QSA.
Our data centres are strategically located to serve our core geographic regions to ensure the minimum amount of latency is experienced by our customers and their merchants. Wherever we can, we peer as close as possible to strategic Internet Exchanges such as LINX, NYIIX and AMS-IX to further reduce latency and the number of hops to our processing network.
Our core infrastructure has been engineered with high levels of redundancy and resilience built in. NMI’s critical infrastructure has dual PSUs fed from two diverse UPS platforms. All data is stored on RAID based SAN systems. This data is in turn is replicated to our nearest geographical datacenter for further resilience. All servers are connected to our internal networks via at least two network interfaces and our internal networking is provided by dual independent network switches.
We have six geographically diverse data centres, four in North America and another two in Europe. This allows continuous service and unrivalled survivability in the event of a localized or international event. Our infrastructure is carefully designed to avoid single points of failure. All of our service providers are also diverse both in location, networking paths and core routing equipment. We only use service providers that maintain at least two physical fiber entry points into our data centres, and equally, diverse and multiple paths into their own core networks.
Our internet facing systems are probed from points all over the world at least every five minutes to assess availability. NMI’s entire infrastructure is monitored by a series of internal monitoring platforms that alert our engineers around the clock, 365 days a year, of predictive failures, warnings and hard errors. Our overall aim is to detect and resolve issues before they can impact our transaction processing ability.
We perform rigorous automated vulnerability scans several times a week on both our internet facing and internal infrastructure to assess our attack surface area. A team of on staff experts and independent third parties are also commissioned by NMI every six months, to perform intensive manual and automated penetration testing.
The NMI network has been built to observe the most stringent standards of security and best practices, with minimal access to outside networks and the Internet. Internally we use a series of highly segmented networks so only specific servers can communicate with each other. Access between network segments is highly restricted by robust firewall rules which define legitimate business need. To further enhance security all inbound and outbound traffic from our platforms is monitored by an active Intrusion Prevention System (IPS) which blocks the threat of common exploits and zero day attacks.
All internet facing and internal infrastructure is aggressively patched in a tight time scale after patches for security vulnerabilities are made available by vendors.
Distributed Denial of Service (DDoS) mitigation
We employ the services of a third party DDoS mitigator which is able to scrub malicious Internet traffic when needed.
The European General Data Protection Regulations came into force in May 2018. NMI’s existing set of controls for keeping cardholder data secure has been extended to maintaining the integrity and confidentiality of all personally identifiable data held by the organization. In line with industry best practice we regularly check that in-scope data is current, and that the controls to protect it are working effectively.