PCI DSS COMPLIANCE AND WHY IT IS NECESSARY FOR CREDIT CARD INDUSTRY
Introduction
The whole world is shifting towards a cashless economy, with innovative payment transaction systems such as UPI payments, card payments, etc. These payment systems require processing, storage, and movement of millions of cardholders data which is crucial for any successful transaction.
And therefore to maintain the credibility of this payment ecosystem, security or secure movement and processing of cardholders data becomes paramount. Entities involved in a payment ecosystem are responsible for the security of cardholders data. Security is also important because if breaches happen in cardholders data it would amount to financial loss. Fraudsters are attempting smart ways to leverage any kind of security loopholes in the payment system.
So these entities which are involved in the payment ecosystem need to maintain some security standards set by one council of network providers in the payment industry popularly known as the Payment Card Industry Security Standard Council.
Overview of what is PCI and PCI DSS Compliance
Earlier every network providers in the payment industry have their own set of security standards but later they all together i.e., Visa, Mastercard, American Express, Discover, and JCB constituted an independent body to come up with comprehensive security standards like PCI DSS, PA DSS, PCI-PTS, etc. And these network providers ensure the enforcement of the security standards by putting conditions on services being provided to the merchant or acquirer bank.
In other words, PCI DSS particularly is the global standard that provides a baseline of technical and operational requirements designed to protect account data. PCI DSS is a security standard specially designed for merchants and service providers in the payment ecosystem to protect the cardholders data against any fraud or theft.
It applies to all the entities including third-party vendors which are involved in processing storing and transmitting cardholders data. In organization, even all CDE (Card Holder Data Environment) including system components or network component that stores and process cardholders data, has to comply with all the requirements of PCI compliance. Recently PCI has released a new version of PCI DSS v4.0 a few months ago with certain changes from the previous version after three years of the review cycle.
12 Requirements of PCI DSS
This is the most important part of PCI DSS as following these requirements can make any organization to some extent PCI compliant. So what are these requirements:
- Installing firewalls or maintaining security controls in the networks
- Use strong password in order to secure the CDE( Card holders data environment)
- Protection of cardholder data
- Encrypting the cardholder data during transmission over an open and public network.
- Timely detection and protection of the cardholders data environment from any malicious activity or software.
- Regular updating the software thereby maintaining a secure system.
- Rule of business need to know should apply to access the cardholders data
- Identification and authentication of the user are important to access the system components.
- Physical access to cardholders data should be restricted.
- Monitoring or screening of system components to know the malicious activity internally in real-time.
- Regular auditing of security control and finding any vulnerabilities available in the systems.
- Make policies and programs accordingly in order to support information security.
How organization can become PCI compliant
- Scope: First step is to determine all the system components or networks storing and processing cardholders data i.e., Cardholders Data Environment.
- Assess: Then test whether these systems or networks are complying with all the requirements of PCI DSS COMPLIANCE.
- Report: Documenting all the assessment through self assessment questionnaire by answering following questions like whether the requirements are met or not? Whether the requirements are met with customized approach.
- Attest: Then the next step is to complete the attestation process available on the website of PCI SSC.
- Submit: Then organization can submit all the documents including reports and other supporting documents if it is requested by other entities such as payment brands, merchant or acquirer.
- Remediate: Then the organisation should take remedial action for the requirements which are not in place on the system components or networks.
Conclusion
One of the most important issues facing those involved in the digital payment ecosystem is cybersecurity. The likelihood of being exposed to cybersecurity hazards including online fraud, information theft, and virus assaults is rising as more and more users prefer using digital payments.
And thus complying and adopting with these security standards is the need of the hour. And moreover RBI has also mandated all the regulated entities ( NBFCs Banks etc) under one recent notification to comply with these standards.
Related Blogs
Introduction
In recent times the evolution of cyber laws has picked up momentum, primarily because of new and emerging technologies. However, just as with any other law, the same is also strengthened and substantiated by judicial precedents and judgements. Recently Delhi High Court has heard a matter between Tata Sky and Linkedin, where the court has asked them to present their Chief Grievance Officer details and SoP per the intermediary guidelines 2021.
Furthermore, in another news, officials from RBI and Meity have been summoned by the Parliamentary Standing Committee in order to address the rising issues of cyber securities and cybercrimes in India. This comes on the very first day of the monsoon session of the parliament this year. As we move towards the aspects of digital India, addressing these concerns are of utmost importance to safeguard the Indian Netizen.
The Issue
Tata Sky changed its name to Tata Play last year and has since then made its advent in the OTT sector as well. As the rebranding took place, the company was very cautious of anyone using the name Tata Sky in a bad light. Tata Play found that a lot of people on Linkedin had posted their work experience in Tata Sky for multiple years, as any new recruiter cannot verify the same. This poses a misappropriation of the brand’s name. This issue was reported to Linkedin multiple times by officials of Tata Play, but no significant action was seen. This led to an issue between the two brands; hence, a matter has been filed in front of the Hon’ble Delhi High Court to address the issue. The court has taken due cognisance of the issue, and hence in accordance with the Intermediary Guidelines 2021, the court has directed Linkedlin to provide the details of their Cheif Grievance Officer in the public domain and also to share the SoP for the redressal of issues and grievances. The guidelines made it mandatory for all intermediaries to set up a dedicated office in India and appoint a Chief Grievance Officer responsible for effective and efficient redressal of the platform-related offences and grievances within the stipulated period.
The job platform has also been ordered to share the SoPs and the various requirements and safety checks for users to create profiles over Linkedin. The policy of Linkedin is focused towards the users as well as the companies existing on the platform in order to create a synergy between the two.
RBI and Meity Official at Praliament
As we go deeper into cyberspace, especially after the pandemic, we have seen an exponential rise in cybercrimes. Based on statistics, 4 out of 10 people have been victims of cybercrimes in 2022-23, and it is estimated that 70% of the population has been subjected to direct or indirect cybercrime. As per the latest statistics, 85% of Indian children have been subjected to cyberbullying in some form or the other.
The government has taken note of the rising numbers of such crimes and threats, and hence the Parliamentary Committee has summoned the officials from RBI and the Ministery of Electronics and Information Technology to the parliament on July 20, 2023, i.e. the first day of monsoon session at the parliament. This comes at a very crucial time as the Digital Personal Data Protection Bill is to be tabled in the parliament this session and this marks the revamping of the legislation and regulations in the Indian cyberspace. As emerging technologies have started to surround us it is pertinent to create legal safeguards and practices to protect the Indian Netizen at large.
Conclusion
The legal crossroads between Tata Sky and Linkedin will go a long way in establishing the mandates under the Intermediary guidelines in the form of legal precedents. The compliance with the rule of law is the most crucial aspect of any democracy. Hence the separation of power between the Legislature, Judiciary and Execution has been fundamental in safeguarding basic and fundamental rights. Similarly, the RBI and Meity officials being summoned to the parliament shows the transparency in the system and defines the true spirit of democracy., which will contribute towards creating a safe and secured Indian Cyberspace.
Introduction
DDoS – Distributed Denial of Service Attack is one of the cyber-attacks which has been evolving at the fastest pace, the new technologies have created a blanket of vulnerability for the victim which allows the cyber criminals to stay under the radar and keep launching small scale high intensity cyber attacks. A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing multiple compromised computer systems as sources of attack traffic. Exploited machines can include computers and other networked resources such as IoT devices. From a high level, a DDoS attack is like an unexpected traffic jam clogging up the highway, preventing regular traffic from arriving at its destination.
Op Power Off
In a recent Operation by Law enforcement agencies known as Op Power Off, LEAs from United Kingdom, United States of America, Netherlands, Poland, and Germany joined hands to target the cybergroups committing such large-scale attacks which can paralyse the Internet become inaccessible for a large faction of netizens. The services collectively seized were by far the most popular DDoS booter services on the market, receiving top billing on search engines. One such service taken down had been used to carry out over 30 million attacks. As part of this action, seven administrators have been arrested so far in the United States and the United Kingdom, with further actions planned against the users of these illegal services. International police cooperation was central to the success of this operation as the administrators, users, critical infrastructure, and victims were scattered across the world. Europol’s European Cybercrime Centre coordinated the activities in Europe through its Joint Cybercrime Action Taskforce (J-CAT).
Participating Authorities
- United States: US Department of Justice (US DOJ), Federal Bureau of Investigation (FBI)
- United Kingdom: National Crime Agency (NCA)
- The Netherlands: National High Tech Crime Unit Landelijke Eenheid, Cybercrime team Midden-Nederland, Cybercrime team Noord-Holland and Cybercrime team Den Haag
- Germany: Federal Criminal Police Office (Bundeskriminalamt), Hanover Police Department (Polizeidirektion Hannover), Public Prosecutor’s Office Verden (Staatsanwaltschaft Verden)
- Poland: National Police Cybercrime Bureau (Biuro do Walki z Cyber-przestępczością)
Issue related to DDoS Attacks
DDoS booter services have effectively lowered the entry barrier into cybercrime: for a fee as low as EUR 10, any low-skilled individual can launch DDoS attacks with the click of a button, knocking offline whole websites and networks by barraging them with traffic. The damage they can do to victims can be considerable, crippling businesses financially and depriving people of essential services offered by banks, government institutions, and police forces. Emboldened by perceived anonymity, many young IT enthusiasts get involved in this seemingly low-level crime, unaware of the consequences that such online activities can carry. The influence of toolkits available on the dark net has made it easier for criminals to commit such crimes and at times even get away with it as well.
Recent examples of DDoS Attacks
- In February 2020, Amazon Web Services (AWS) suffered a DDoS attack sophisticated enough to keep its incident response teams occupied for several days also affecting customers worldwide.
- In February 2021, the EXMO Cryptocurrency exchange fell victim to a DDoS attack that rendered the organization inoperable for almost five hours.
- Recently, Australia experienced a significant, sustained, state-sponsored DDoS attack.
- Belgium also became a victim of a DDoS attack that targeted the country’s parliament, police services, and universities.
DDoS vs. DoS Attacks: What’s the Difference?
It’s important to avoid confusing a DDoS (distributed denial of service) attack with a DoS (denial of service) attack. Although only one word separates the two, these attacks vary significantly in nature.
- Strictly defined, a typical DDoS attack manipulates many distributed network devices between the attacker and the victim into waging an unwitting attack, exploiting legitimate behavior.
- A traditional DoS attack doesn’t use multiple, distributed devices, nor does it focus on devices between the attacker and the organization. These attacks also tend not to use multiple internet devices.
Conclusion
In this era of cyberspace, it is of paramount importance to maintain digital safety and security equivalent to physical safety, the cybercriminals will not stop at anything and can stoop to any level to target netizens and critical infrastructures in order to commit ransomware and malware attacks. As we can see DDoS-ing is taken seriously by law enforcement, at all levels of users, and are on the radar of law enforcement, be it a gamer booting out the competition out of a video game, or a high-level hacker carrying out DDoS attacks against commercial targets for financial gain.
Introduction
Emerging technologies in the digital era have made their inroads in manifold domains and locations, including the “Aviation industry”. A 2022 Cranfield University and Inmarsat report has made the point for digitalization powering a reviving age for the aviation industry. Several airport authorities are presently mobilizing power of emerging technologies such as Artificial Intelligence (AI) across the airport bedrock to provide travelers with a plain sailing and expeditious air travel experience.
The Perils of Juice-Jacking
Today, Universal Serial Bus (USB) charging ports are ubiquitous and a convenient way for travelers to keep their devices powered up. In their busy, mundane lives, people use the public charging facility while travelling. However, cybersecurity experts have warned that charging in public areas could wipe off data from an electronic device or install malware, and they have urged people to stay away from USB charging ports at airports and other public areas. This leads to the possibility that fraudsters may manipulate susceptible users via juice jacking.
Investigative journalist Brian Krebs in 2011 coined the term "Juice Jacking". It isa form of cyber attack where a public USB charging port is fiddled with and infected using hardware and software changes to pocket data or install malware on devices connected to it. The term “juice jacking” is a slang representation for electric power or energy, and “hijacking” indicates an unauthorized key toa device.
While the preliminary purpose of juice jacking is usually to pilfer sensitive information from corresponding devices, such as passwords and payment card details, attackers can exploit this stolen information to attain unauthorized to your financial accounts. If the adversary attacker installs malware in the electronic device during the juice jacking strategy, the attacker may further observe the individual's movements even after one has disconnected the device from the USB port. However, the hazards of Juice Jacking include malware infection, data heist, economic loss and damage to the reputation of an individual.
RedFlags from Agencies
In2023, the Federal Bureau of Investigation (FBI) forewarned travelers against using charging stations in public zones such as hotels, airports, and shopping malls due to malicious actors attempting to use the public USB to introduce monitoring software and malware into devices. The U.S. Federal Communications Commission (FCC) has also administered a new advisory regarding “juice jacking "and its possibility of launching a hushed cyber attack against a mobile gadget while one is charging the phone with a USB cord. Similarly, according to new research from International Business Machines (IBM) Security, many nation-state hackers are currently training their eyes on travelers.
RBI Advisory
Recently in 2024, The Reserve Bank of India (RBI) has likewise administered a warning statement to mobile phone users urging them against charging their devices using public ports. RBI has additionally accentuated the importance of safeguarding private and financial data while using mobile devices. Juice jacking is further cited as one of the scams in the RBI booklet on the modus operandi of financial fraudsters in the financial space.
Preventing juice jacking attacks
The routes to avoid Juice Jacking are to keep a tab on the USB devices, not use the public charging ports, update the phone software regularly, enable and utilize the software security measures of the device, use a USB pass-through device, a wall outlet, or a backup battery; never use unknown charging cables and use only the trusted security apps. It is further important to avoid using cables that are left behind by other travelers in any public space. Users can correspondingly turn off their devices before connecting to a wary charging port. Nevertheless, the absence of documented cases does not necessarily imply that users cannot be a target of such an attack and a warning is still recommended when securing personal gadgets with susceptible user data while using standard cables. Also, using a virtual private network (VPN) and assuring that devices have the updated security updates established can aid in mitigating the danger of cyber attacks. It is equally important to utilize the security features of your device, such as passcodes, fingerprints, or facial recognition, enabled to count as a supplementary layer of safeguard.
Conclusion
In the contemporary digital age, individuals, on the whole, need to be vigilant about “Cybersecurity hygiene” and avoid accessing susceptible data or conducting financial transactions on unsecured networks. Mobile phones or devices should run on the latest operating system, and antivirus software should be revamped to mitigate conceivable security susceptibilities.
References
- https://www.forbes.com/sites/suzannerowankelleher/2023/04/20/juice-jacking-malware-phone-airports-hotels/?sh=47adab7e82ed
- https://www.businessairportinternational.com/features/how-ai-is-improving-business-aviation-operations.html
- https://www.news18.com/business/juice-jacking-attack-scam-bank-frauds-india-8412037.html
- https://www.comparitech.com/blog/information-security/juice-jacking/
- https://blogs.blackberry.com/en/2023/04/juice-jacking-advisory
- https://www.thehindubusinessline.com/info-tech/juice-jacking-rbi-issues-warning-against-charging-mobile-phones-using-public-ports/article67895091.ece
- https://www.thehindu.com/sci-tech/technology/juice-jacking-how-hackers-target-smartphones-tethered-to-public-charging-points/article67026433.ece
- https://www.forbes.com/sites/suzannerowankelleher/2019/05/21/why-you-should-never-use-airport-usb-charging-stations/?sh=630f026a5955
- https://edition.cnn.com/2023/04/12/tech/fbi-public-charging-port-warning/index.html
- https://social-innovation.hitachi/en-in/knowledge-hub/hitachi-voice/digital-transformation/
- https://www.inmarsat.com/en/insights/aviation/2022/future-aviation-connectivity.html
