PCI DSS COMPLIANCE AND WHY IT IS NECESSARY FOR CREDIT CARD INDUSTRY
Introduction
The whole world is shifting towards a cashless economy, with innovative payment transaction systems such as UPI payments, card payments, etc. These payment systems require processing, storage, and movement of millions of cardholders data which is crucial for any successful transaction.
And therefore to maintain the credibility of this payment ecosystem, security or secure movement and processing of cardholders data becomes paramount. Entities involved in a payment ecosystem are responsible for the security of cardholders data. Security is also important because if breaches happen in cardholders data it would amount to financial loss. Fraudsters are attempting smart ways to leverage any kind of security loopholes in the payment system.
So these entities which are involved in the payment ecosystem need to maintain some security standards set by one council of network providers in the payment industry popularly known as the Payment Card Industry Security Standard Council.
Overview of what is PCI and PCI DSS Compliance
Earlier every network providers in the payment industry have their own set of security standards but later they all together i.e., Visa, Mastercard, American Express, Discover, and JCB constituted an independent body to come up with comprehensive security standards like PCI DSS, PA DSS, PCI-PTS, etc. And these network providers ensure the enforcement of the security standards by putting conditions on services being provided to the merchant or acquirer bank.
In other words, PCI DSS particularly is the global standard that provides a baseline of technical and operational requirements designed to protect account data. PCI DSS is a security standard specially designed for merchants and service providers in the payment ecosystem to protect the cardholders data against any fraud or theft.
It applies to all the entities including third-party vendors which are involved in processing storing and transmitting cardholders data. In organization, even all CDE (Card Holder Data Environment) including system components or network component that stores and process cardholders data, has to comply with all the requirements of PCI compliance. Recently PCI has released a new version of PCI DSS v4.0 a few months ago with certain changes from the previous version after three years of the review cycle.
12 Requirements of PCI DSS
This is the most important part of PCI DSS as following these requirements can make any organization to some extent PCI compliant. So what are these requirements:
- Installing firewalls or maintaining security controls in the networks
- Use strong password in order to secure the CDE( Card holders data environment)
- Protection of cardholder data
- Encrypting the cardholder data during transmission over an open and public network.
- Timely detection and protection of the cardholders data environment from any malicious activity or software.
- Regular updating the software thereby maintaining a secure system.
- Rule of business need to know should apply to access the cardholders data
- Identification and authentication of the user are important to access the system components.
- Physical access to cardholders data should be restricted.
- Monitoring or screening of system components to know the malicious activity internally in real-time.
- Regular auditing of security control and finding any vulnerabilities available in the systems.
- Make policies and programs accordingly in order to support information security.
How organization can become PCI compliant
- Scope: First step is to determine all the system components or networks storing and processing cardholders data i.e., Cardholders Data Environment.
- Assess: Then test whether these systems or networks are complying with all the requirements of PCI DSS COMPLIANCE.
- Report: Documenting all the assessment through self assessment questionnaire by answering following questions like whether the requirements are met or not? Whether the requirements are met with customized approach.
- Attest: Then the next step is to complete the attestation process available on the website of PCI SSC.
- Submit: Then organization can submit all the documents including reports and other supporting documents if it is requested by other entities such as payment brands, merchant or acquirer.
- Remediate: Then the organisation should take remedial action for the requirements which are not in place on the system components or networks.
Conclusion
One of the most important issues facing those involved in the digital payment ecosystem is cybersecurity. The likelihood of being exposed to cybersecurity hazards including online fraud, information theft, and virus assaults is rising as more and more users prefer using digital payments.
And thus complying and adopting with these security standards is the need of the hour. And moreover RBI has also mandated all the regulated entities ( NBFCs Banks etc) under one recent notification to comply with these standards.
Related Blogs
Introduction
The Ministry of Electronics and Information Technology recently released the IT Intermediary Guidelines 2023 Amendment for social media and online gaming. The notification is crucial when the Digital India Bill’s drafting is underway. There is no denying that this bill, part of a series of bills focused on amendments and adding new provisions, will significantly improve the dynamics of Cyberspace in India in terms of reporting, grievance redressal, accountability and protection of digital rights and duties.
What is the Amendment?
The amendment comes as a key feature of cyberspace as the bill introduces fact-checking, a crucial aspect of relating information on various platforms prevailing in cyberspace. Misformation and disinformation were seen rising significantly during the Covid-19 pandemic, and fact-checking was more important than ever. This has been taken into consideration by the policymakers and hence has been incorporated as part of the Intermediary guidelines. The key features of the guidelines are as follows –
- The phrase “online game,” which is now defined as “a game that is offered on the Internet and is accessible by a user through a computer resource or an intermediary,” has been added.
- A clause has been added that emphasises that if an online game poses a risk of harm to the user, intermediaries and complaint-handling systems must advise the user not to host, display, upload, modify, publish, transmit, store, update, or share any data related to that risky online game.
- A proviso to Rule 3(1)(f) has been added, which states that if an online gaming intermediary has provided users access to any legal online real money game, it must promptly notify its users of the change, within 24 hours.
- Sub-rules have been added to Rule 4 that focus on any legal online real money game and require large social media intermediaries to exercise further due diligence. In certain situations, online gaming intermediaries:
- Are required to display a demonstrable and obvious mark of verification of such online game by an online gaming self-regulatory organisation on such permitted online real money game
- Will not offer to finance themselves or allow financing to be provided by a third party.
- Verification of real money online gaming has been added to Rule 4-A.
- The Ministry may name as many self-regulatory organisations for online gaming as it deems necessary for confirming an online real-money game.
- Each online gaming self-regulatory body will prominently publish on its website/mobile application the procedure for filing complaints and the appropriate contact information.
- After reviewing an application, the self-regulatory authority may declare a real money online game to be a legal game if it is satisfied that:
- There is no wagering on the outcome of the game.
- Complies with the regulations governing the legal age at which a person can engage into a contract.
- The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 have a new rule 4-B (Applicability of certain obligations after an initial period) that states that the obligations of the rule under rules 3 and 4 will only apply to online games after a three-month period has passed.
- According to Rule 4-C (Obligations in Relation to Online Games Other Than Online Real Money Games), the Central Government may direct the intermediary to make necessary modifications without affecting the main idea if it deems it necessary in the interest of India’s sovereignty and integrity, the security of the State, or friendship with foreign States.
- Intermediaries, such as social media companies or internet service providers, will have to take action against such content identified by this unit or risk losing their “safe harbour” protections under Section 79 of the IT Act, which let intermediaries escape liability for what third parties post on their websites. This is problematic and unacceptable. Additionally, these notified revisions can circumvent the takedown order process described in Section 69A of the IT Act, 2000. They also violated the ruling in Shreya Singhal v. Union of India (2015), which established precise rules for content banning.
- The government cannot decide if any material is “fake” or “false” without a right of appeal or the ability for judicial monitoring since the power to do so could be abused to thwart examination or investigation by media groups. Government takedown orders have been issued for critical remarks or opinions posted on social media sites; most of the platforms have to abide by them, and just a few, like Twitter, have challenged them in court.
Conclusion
The new rules briefly cover the aspects of fact-checking, content takedown by Govt, and the relevance and scope of sections 69A and 79 of the Information Technology Act, 2000. Hence, it is pertinent that the intermediaries maintain compliance with rules to ensure that the regulations are sustainable and efficient for the future. Despite these rules, the responsibility of the netizens cannot be neglected, and hence active civic participation coupled with such efficient regulations will go a long way in safeguarding the Indian cyber ecosystem.
Introduction
In the digital landscape, there is a rapid advancement of technologies such as generative AI(Artificial Intelligence), deepfake, machine learning, etc. Such technologies offer convenience to users in performing several tasks and are capable of assisting individuals and business entities. Certain regulatory mechanisms are also established for the ethical and reasonable use of such advanced technologies. However, these technologies are easily accessible; hence, cyber-criminals leverage AI tools and technologies for malicious activities or for committing various cyber frauds. By such misuse of advanced technologies, new cyber threats have emerged.
Deepfake Scams
Deepfake is an AI-based technology. Deepfake is capable of creating realistic images or videos which in actuality are created by machine algorithms. Deepfake technology, since easily accessible, is misused by fraudsters to commit various cyber crimes or deceive and scam people through fake images or videos that look realistic. By using the Deepfake technology, cybercriminals manipulate audio and video content, which looks very realistic but, in actuality, is fake.
Voice cloning
To create a voice clone of anyone's, audio can be deepfaked too, which closely resembles a real one but, in actuality, is a fake voice created through deepfake technology. Recently, in Kerala, a man fell victim to an AI-based video call on WhatsApp. He received a video call from a person claiming to be his former colleague. The scammer, using AI deepfake technology, impersonated the face of his former colleague and asked for financial help of 40,000.
Uttarakhand Police issues warning admitting the rising trend of AI-based scams
Recently, Uttarakhand police’s Special Task Force (STF) has issued a warning admitting the widespread of AI technology-based scams such as deepfake or voice cloning scams targeting innocent people. Police expressed concern that several incidents have been reported where innocent people are lured by cybercriminals. Cybercriminals exploit advanced technologies and manipulate innocent people to believe that they are talking to their close ones or friends, but in actuality, they are fake voice clones or deepfake video calls. In this way, cybercriminals ask for immediate financial help, which ultimately leads to financial losses for victims of such scams.
Tamil Nadu Police Issues advisory on deepfake scams
To deceive people, cyber criminals misuse deepfake technologies and target them for financial gain. Recently, Tamilnadu Police Cyberwing have issued an advisory on rising deepfake scams. Fraudsters are creating highly convincing images, videos or voice clones to defraud innocent people and make them victims of financial fraud. The advisory states that you limit the personal data you share you share online and adjust privacy settings. Advisory says to promptly report any suspicious activity or cyber crimes to 1930 or the National Cyber Crime Reporting portal.
Best practices
- Pay attention if you notice compromised video quality because deepfake videos often have compromised or poor video quality and unusual blur resolution, which poses a question to its genuineness. Deepfake videos often loop or unusually freeze, which indicates that the video content might be fabricated.
- Whenever you receive requests for any immediate financial help, act responsively and verify the situation by directly contacting the person on his primary contact number.
- You need to be vigilant and cautious, since scammers often possess a sense of urgency, leading to giving no time for the victim to think about it and deceiving them by making a quick decision. Scammers pose sudden emergencies and demand financial support on an urgent basis.
- Be aware of the recent scams and follow the best practices to stay protected from rising cyber frauds.
- Verify the identity of unknown callers.
- Utilise privacy settings on your social media.
- Pay attention if you notice any suspicious nature, and avoid sharing voice notes with unknown users because scammers might use them as voice samples and create your voice clone.
- If you fall victim to such frauds, one powerful resource available is the National Cyber Crime Reporting Portal (www.cybercrime.gov.in) and the 1930 toll-free helpline number where you can report cyber fraud, including any financial crimes.
Conclusion
AI-powered technologies are leveraged by cybercriminals to commit cyber crimes such as deepfake scams, voice clone scams, etc. Where innocent people are lured by scammers. Hence there is a need for awareness and caution among the people. We should be vigilant and aware of the growing incidents of AI-based cyber scams. Must follow the best practices to stay protected.
References:
- https://www.the420.in/ai-voice-cloning-cyber-crime-alert-uttarakhand-police/
- https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/exploiting-ai-how-cybercriminals-misuse-abuse-ai-and-ml#:~:text=AI%20and%20ML%20Misuses%20and%20Abuses%20in%20the%20Future&text=Through%20the%20use%20of%20AI,and%20business%20processes%20are%20compromised.
- https://www.ndtv.com/india-news/kerala-man-loses-rs-40-000-to-ai-based-deepfake-scam-heres-what-it-is-4217841
- https://news.bharattimes.co.in/t-n-cybercrime-police-issue-advisory-on-deepfake-scams/
Introduction
Cyberspace is the new and the fifth dimension of warfare as recognised by the UN. In recent times we have seen a significant rise in cyber attacks on nations’ strategic interests and critical infrastructure. The scope of cyberwarfare is increasing rapidly in contemporary times. Nations across the globe are struggling with this issue. The Ministry of Defence of the Government of India has been fundamental to take preventive measures towards all attacks on the Republic of India. The ministry is the junction for all three forces: Airforce, Navy and Army and creates coordination between the forces and deploys the force at strategic locations in terms of enemy threats.
The new OS
Governments across the world have developed various cyber security measures and mechanisms to keep data and information safe and secure. Similarly, the Indian Government has been very critical in deploying cybersecurity strategies, policies, measures, and bills to safeguard the Indian cyber-ecosystem. The Ministry of Defence has recently made a transition in terms of the Operating System used in the daily functions of the ministry. Earlier, the ministry was using an OS from Microsoft, which has now been replaced with the indigenous OS named “Maya” based on open-source Ubuntu. This is the first time the ministry will be deploying indigenous operating software. This step comes at a time of global rise in cyber attacks, and the aspect of indigenous OS will prevent malware and spyware attacks.
What is Maya?
Users will not notice many differences while switching to Maya because it has a similar interface and functionality to Windows. The first instruction is to install Maya on all South Block PCs with Internet access before August 15. In these systems, a Chakravyuh “endpoint detection and protection system” is also being installed. Maya isn’t yet installed on any computers connected to the networks of the three Services; instead, it is solely used in Defence Ministry systems. It had also been reviewed by the three Services and would shortly be adopted on service networks. The Army and Air Force were currently reviewing it after the Navy had already given its approval.
OS Maya was created by government development organisations in less than six months. An official from the ministry has informed that Maya would stop malware attacks and other cyberattacks, which have sharply increased. The nation has recently experienced a number of malware and extortion attacks, some of which targeted vital infrastructure. The Defence Ministry has made repeated attempts in the past to switch from Windows to an Indian operating system.
How will the new OS help?
The OS Maya is a critically developed OS and is expected to cater to the needs of all cybersecurity and safety issues of contemporary threats and vulnerabilities.
The following aspects need to be kept in mind in regard to safety and security issues:
- Better and improved security and safety
- Reduced chances of cyberattacks
- Promotion of Inidegenous talent and innovation
- Global standard OS
- Preventing and precautionary measures
- Safety by Design for overall resilience
- Improved Inter forces coordination
- Upskilling and capacity building for Serving personnel
Conclusion
Finally, the emergence of cyberspace as the fifth dimension of warfare has compelled countries all over the world to adopt a proactive stance, and India’s Ministry of Defence has made a significant move in this area. The significance of strengthened cybersecurity measures has been highlighted by the rising frequency and level of complexity of cyberattacks against key assets and vital infrastructure. The Ministry’s choice to use the local Maya operating system is a key step in protecting the country’s cyber-ecosystem. Maya’s debut represents a fundamental shift in the cybersecurity approach as well as a technology transition. This change not only improves the security and protection of confidential data but also demonstrates India’s dedication to supporting innovation and developing homegrown talent. Government development organisations have shown their commitment to solving the changing difficulties of the digital age by producing cutting-edge operating systems like Maya in a relatively short amount of time.
