Security Policy


  1. The security, integrity, and availability of your data are our top priorities. MobisCard Limited uses a multi-layered approach to protect and monitor all customer information. Our solution leverages multiple layers of defence to protect key information and handle all critical facets of network and application security, including authentication, authorization and assurance.

  2. Key Security Attributes

    1. All data in transit is encrypted using AES encryption

    2. All data at rest is encrypted using AES encryption

    3. All administration access to servers requires Multi-factor Authentication

    4. Multi-tier security topology

    5. Extensive auditing and logging

    6. Separation of control

    7. WAF

    MobisCard delivers high levels of security that are compliant with current security standards, regulations (GDPR, PCI-DSS, ISO-27001), and practices applicable to the medical and financial sectors in Europe and elsewhere. This level of security is achieved by data/metadata separation (anonymization), encryption, distributed key management, and by enforcing strict access control on data and user privacy settings. These mechanisms enable secure information storage, exchange, and processing. Secure data management in the MobisCard platform, with an optional end-to-end security approach, guarantees data confidentiality and consistency during the entire data transfer and storage process.

  3. Information and Cyber Security

    Communication between MobisCard entities and employees is encrypted in transit, and data in storage and databases is encrypted at rest. All personal electronic devices participating in business communications are registered, authorized and monitored. Additionally, the system periodically undergoes extensive internal and external penetration tests, and any discovered vulnerabilities are classified and prioritized for resolution.

  4. Third-Party Oversight

    Third-party oversight is the process whereby MobisCard monitors and manages interactions with all external parties with which it has a relationship. This includes both contractual and non-contractual parties (e.g., online services).

    Third-party management is conducted primarily for the purpose of assessing the ongoing behaviour, performance and risk that each third-party relationship represents to the company, as well as:

    1. identification of all relevant data processors

    2. understanding what data is stored and processed

    3. assessing how well each processor protects EUPI data

    4. tracking each processor's progress toward GDPR compliance

  5. MobisCard key security controls

    1. Protecting authentication credentials in storage and in transit

    2. Not disclosing causes of failed login attempts

    3. Preventing users from logging into functional accounts

    4. Maintaining vendor software and hardware on supported versions

    5. Controlling caching of sensitive data on client-side devices

    6. Masking confidential data attributes in non-production environments

    7. Employing backup procedures

    8. Reporting and tracking operational incidents

    9. Performing high availability, sustained resiliency and disaster recovery tests

    10. Having a current technology recovery action plan

    11. Performing penetration tests and remediating discovered issues prior to production

    12. Not relying exclusively on client-side security controls

    13. Employing automatic authenticated session time-out after a specified period of inactivity

    14. Protecting against concurrent logins, cloning or reuse of the session

    15. Employing strong session controls and MFA