The whole world is shifting towards a cashless economy, with innovative payment transaction systems such as UPI payments, card payments, etc. These payment systems require processing, storage, and movement of millions of cardholders data which is crucial for any successful transaction.
And therefore to maintain the credibility of this payment ecosystem, security or secure movement and processing of cardholders data becomes paramount. Entities involved in a payment ecosystem are responsible for the security of cardholders data. Security is also important because if breaches happen in cardholders data it would amount to financial loss. Fraudsters are attempting smart ways to leverage any kind of security loopholes in the payment system.
So these entities which are involved in the payment ecosystem need to maintain some security standards set by one council of network providers in the payment industry popularly known as the Payment Card Industry Security Standard Council.
Overview of what is PCI and PCI DSS Compliance
Earlier every network providers in the payment industry have their own set of security standards but later they all together i.e., Visa, Mastercard, American Express, Discover, and JCB constituted an independent body to come up with comprehensive security standards like PCI DSS, PA DSS, PCI-PTS, etc. And these network providers ensure the enforcement of the security standards by putting conditions on services being provided to the merchant or acquirer bank.
In other words, PCI DSS particularly is the global standard that provides a baseline of technical and operational requirements designed to protect account data. PCI DSS is a security standard specially designed for merchants and service providers in the payment ecosystem to protect the cardholders data against any fraud or theft.
It applies to all the entities including third-party vendors which are involved in processing storing and transmitting cardholders data. In organization, even all CDE (Card Holder Data Environment) including system components or network component that stores and process cardholders data, has to comply with all the requirements of PCI compliance. Recently PCI has released a new version of PCI DSS v4.0 a few months ago with certain changes from the previous version after three years of the review cycle.
12 Requirements of PCI DSS
This is the most important part of PCI DSS as following these requirements can make any organization to some extent PCI compliant. So what are these requirements:
- Installing firewalls or maintaining security controls in the networks
- Use strong password in order to secure the CDE( Card holders data environment)
- Protection of cardholder data
- Encrypting the cardholder data during transmission over an open and public network.
- Timely detection and protection of the cardholders data environment from any malicious activity or software.
- Regular updating the software thereby maintaining a secure system.
- Rule of business need to know should apply to access the cardholders data
- Identification and authentication of the user are important to access the system components.
- Physical access to cardholders data should be restricted.
- Monitoring or screening of system components to know the malicious activity internally in real-time.
- Regular auditing of security control and finding any vulnerabilities available in the systems.
- Make policies and programs accordingly in order to support information security.
How organization can become PCI compliant
- Scope: First step is to determine all the system components or networks storing and processing cardholders data i.e., Cardholders Data Environment.
- Assess: Then test whether these systems or networks are complying with all the requirements of PCI DSS COMPLIANCE.
- Report: Documenting all the assessment through self assessment questionnaire by answering following questions like whether the requirements are met or not? Whether the requirements are met with customized approach.
- Attest: Then the next step is to complete the attestation process available on the website of PCI SSC.
- Submit: Then organization can submit all the documents including reports and other supporting documents if it is requested by other entities such as payment brands, merchant or acquirer.
- Remediate: Then the organisation should take remedial action for the requirements which are not in place on the system components or networks.
One of the most important issues facing those involved in the digital payment ecosystem is cybersecurity. The likelihood of being exposed to cybersecurity hazards including online fraud, information theft, and virus assaults is rising as more and more users prefer using digital payments.
And thus complying and adopting with these security standards is the need of the hour. And moreover RBI has also mandated all the regulated entities ( NBFCs Banks etc) under one recent notification to comply with these standards.
Author: Mr. Ishan Kumar Rai, Intern, CyberPeace Foundation