Security as a Priority 

The widespread use of modern payment methods and banking technologies stipulates the need for reliable instruments to protect banks and their customers from fraud. Banking services inevitably involve access to personal data and sensitive financial information and we have the additional responsibility of protecting such data and ensuring its confidentiality. We pay significant attention to preventing and counteracting any attempts to cause damage to the Bank or our clients both externally and internally by insiders abusing their access rights.

The reliability and security of all Sberbank’s information systems is carefully monitored on a regular basis. The Bank has in place access control policies and systems, as well as anti-virus, intrusion detection and perimeter security systems. Cryptographic technologies (digital signatures and data encryption) are widely used in our corporate electronic document flow systems and for data exchange between different divisions. Sberbank has been certified as conforming to the ISO/IEC 20000 (Information Technology — Service Management) international standard, which demonstrates the reliability of its information systems. In 2010, Sberbank ensured that corporate information systems used for personal data processing were compliant with the requirements of Russian Federal Law No. 152-FZ On Personal Data.

Employees are granted access rights on the basis of justified requests, which helps to rule out unauthorised access to information. Employees work with banking information systems on computers that require user authentication and with no Internet access. We also have mechanisms in place to ensure protection from user errors as critical operations require confirmation by another authorised person. The Bank limits the use of flash drives and other removable data storage devices on its premises. No incidents of personal data leakage from Sberbank’s information systems or customer complaints about inappropriate disclosure of their personal data were reported in 2010.

In order to ensure the security of online card transactions, the Bank uses a technology based on 3D Secure protocol (MasterCard SecureCode and Verified By Visa), adding another authentication step for online payment. In the near future, the Bank will start to use the same technology for acquiring operations.

The Bank regularly undergoes information security audits in accordance with the requirements of the Visa and MasterCard international payment systems. In 2010, the Bank also began the implementation of a system of measures necessary to obtain PCI DSS (Payment Card Industry Data Security Standard) certification. Sberbank has in place an effective card transaction monitoring system, which can identify a large number of suspicious transactions in real time. Up-to-date information on card fraud and safety for cardholders is published on the Bank’s website.

One of the most serious threats to cardholders is skimming — the reading of information recorded on the card’s magnetic strip with a special device. In 2010, 140 cases of the installation of equipment for card fraud and data theft on Sberbank ATMs were reported. In order to counteract this type of fraud, special Rapid Response Groups were created in our security divisions. In 2010, these groups removed and handed over 18 skimming units to the law enforcement agencies. The most effective way to identify skimming attacks in good time is SMS notifications of card transactions. Currently this service is used by more than 20 million Sberbank cardholders on some 40% of the cards issued by the Bank.


My Annual Report