Requirement of PCI-DSS in India.


Published on

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Requirement of PCI-DSS in India.

  1. 1. Requirement of PCI-DSS in India. CA. PriyadarshanBehera
  2. 2. 1. Background In today’s competitive business environment, E-markets are increasing day by day for effecting multiple business transactions of goods &services. During this process the users mostly rely on payment gateways to complete the financial transactions by using various types of debit/credit cards. Consequently the extensive use of these cards forced to follow certain procedures in order to prevent the vulnerabilities towards the security of the customer’sdata. The Payment Card Industry Data Security Standards (PCIDSS) is a widely accepted policies & procedures which are used to protect the debit, credit & cash card transactions. These principles & procedures are mainly used to protect the card holder’s (persons who authorized to use their Credit/Debit cards for making payments towards goods & services) personal data against misuse. The Payment Card Industry Security Standard Council (PCISSC) was launched on September 7, 2006, which is called as “Council”, to focus primarily on the PCI security standards. Enterprises which are handling card data have to comply with the requirements as issued by “council”.In the current business environment it becomes imperative to follow these standards because of the extensive use of E-transactions not only in the form of amount but also by volume too. The fivepayment Card brands i.e. - American Express, Discover Financial Services, JCB International, MasterCard, and Visa have agreed to adopt the standards as issued by PCI-DSS for the purpose of data security compliance program. 2. Intended Audience This standard is meant for those people who stores, processes or transmits card holder data. In addition to this the payment industry stake holders like payment processors, acquiring bank (which connects to a card brand network for payment processing), service providers (who provide all or some of the payment services for the merchant), assessors &the information security professionals who want to understand PCI are the target audience of the PCI DSS. This is meant for all sorts of organization whether it is large, medium or small. 3. 3.1 About PCI DSS Key players in PCI DSS The idea of PCI-DSS was brought in to by the major credit card companies as a guideline to help organizations that process card payments to effect transactions relating to goods or services so that it will obstruct the fraud arising out of hacking and various threats. PCI DSS was created jointly in 2004 by five major credit-card companiesi.e. Visa, MasterCard, Discover, JCB and American Express. 3.2 PCI Compliance Who needs to comply- Any merchant, acquirer, issuer bank & service providers that processes, stores or transmits credit or debit card data & any party involved with them. Complying with the Payment Card Industry's Data Security Standard (PCI DSS) requirements means to ensure that both information systems and payment applications are secured in realtime. Compliance with the PCI-DSS helps to protect cardholder data. It is a very complex and growing subject affecting millions of business – banks, Independent Sales Organizations (ISOs), processors, E-commerce and retail merchants and other merchant services providers. If you are not certified, then there is a high risk of data being hacked. In India many E-commerce websites don’t collect any credit card information of customers. During payment transaction when
  3. 3. customer chooses “Credit card” as a method for payment& proceed to complete the checkout they are redirected to a payment gateways payment page (like CCavenue) where customer himself enter all the card details. In this scenario E-commerce merchant is not bearing any risk of being hacked or any PCI risk. If during the same transaction of the checkout stage customer enter his credit card number following which he is directedwith the payment gateway to process the customer’s transactions, then this transaction will fall under the purview of PCI audit.Merchants who are even holding data in temporary memory also liable to PCI certified. Why to comply with PCI DSS-By complying with PCI DSS helps you to protect the customer data, manage your risk, to avoid penal measures, to stay in your business& to compete in the market. 3.3 Challenges in PCI Compliance Organizations face scrutiny when adhering to PCl-DSS compliance. Huge fines & penalties are imposed & it has increased significantly for systems that are not in compliance. You can refer the link below as provided by “council” regarding the fines imposed for noncompliance with PCI DSS. As per the Visa most of the large & medium size merchants in US did not reach their respective PCI-DSS compliance. Organizations largely relying on manual assessment methods for PCI-DSS audit. This manual assessment is a very time consuming & error prone process. 1.4 Frauds in India & its involvement in global scam Credit card fraud is rampant not only in India but also across globe affecting millions of consumers & business every day. Indians are actively involved in various frauds relating to Debit/credit card, or in others means of online transactions. They are not only involved themselves for making frauds in India but also extended their routes abroad. Following are some of the examples of recent events:In Delhi a man allegedly involved in credit card theft of more than 30K customers of a private sector bank & making transactions worth crores of rupees landed in police net in the year 2013.In another incident 5 Indianorigin men were among 18 others charged for running a massive 200 million dollar global credit card fraud under which they used thousands of fake identities to target business & financial firms & wired millions of dollars to Pakistan & India. These types of incidents clearly depict how Indians are actively involved in various frauds involving debit/credit cards& it has not limited to one part rather it has been extended across globe. All these cases leads to high alarm in those sectors using online credit cards to get complied with PCI-DSS standards as issued by “council”. 1.5 Steps in PCI Compliance Assess, Remediate and ReportThe first step in the PCI compliance is to assess the process by considering inventory of the IT assets and business processes for payment card processing, and analyzing it for vulnerabilities that could expose cardholder data. The second step is remediate. It is basically the process of fixing those vulnerabilities. The last stage is Reporting. Report involves the accumulation of records required by PCI DSS to validate remediation, and submission of reports to the acquiring bank and card payment brands. All the above three steps are not a one-time process rather it’s an ongoing process for continuous compliancewith the PCI DSS requirements.
  4. 4. 4. PCI- DSS in India The PCI-DSS is not very popular among Indian companies. India, the second-most populouscountry where E-payments through cards are extensively used for various transactions.E-commerce as a business transacts on the internet wherethere might of chance of customer data that can be hacked. The transaction level of debit/credit card transactions is no longer small as it is used to be 5 years back. India is normally named as the destination of outsourcing.Business Process Outsourcing (BPO) plays a very significant role in the field of outsourcing. Generally BPO’s are deals with various data relating to third parties. There is a high risk of threat to data leakage &fraud. In order to thwart fraud, the Indian BPO industry is adopting some of the most stringent standards for handling of sensitive information and data. One such standard is the payment card industry data security standards (PCI-DSS), as prescribed by “Council”. Indian companies like Infosys BPO; Vodafone India has already under the PCI DSS certification. The size of the payments card market in India is very big and it’s increasing day by day. “Threat report 2013” as published by Symantec internet security countries leading the chart in bank cards threat is USA, China & India. Out of which India isaccounting for 6.5% of the total targeted attack in 2012. Various countries have already taken several steps to prevent the fraud in relation to credit card hence we should protect ourselves against the frauds moving in to India &we can’t ignore the fact that “Fraudsters are a step ahead of Market”. In India due to the rise in fraud arising out of debit/credit card transactions the Reserve Bank of India (RBI) has stipulated some safety measures for Credit/Debit card transactions. In the recent notification dated 28 Feb 2013 named as “Security & Risk Mitigation Measures for Electronic Payment Transactions” RBI has directed banks to put in place some safety measures as follows ( below relating to PCI DSS only) :a. Banks should ensure that the terminals installed at the merchants for capturing card payments(including the double swipe terminals used) should be verified for PCIDSS(Payment Card Industry – Data Security Standards) & PA-DSS (Payment ApplicationData Security Standards)(By June 30, 2013). b. Bank should ensure that all acquiring infrastructure that is currently operational on IP (Internet Protocol) based solutions are mandatorily made to go through PCI-DSS and PA-DSS certification. This should include acquires, processors/aggregators and large merchants.(By June 30, 2013). Considering the rapid growth of the cards payment markets & merchants in India, sooner we have to adopt additional factor of authentication for card present transactions in various terminals dealing with debit/credit cards. The way frauds related to credit/debit cards are spreading across various corner in India, it becomes imperative for organizations to covers them under PCI-DSS. 5. Requirements of PCI DSS PCI DSS classified in to 6 categories defining 12 requirements as mentioned belowa. Building & maintaining a secure network (Includesinstallation & maintenance of firewall & vendor supplied passwords). b. Protecting card holder data (Includes protection & encrypt transmission of card holder data). c. Maintaining a vulnerability management program (Includes antivirus software & development & maintenance of secure system).
  5. 5. d. Implementing strong access control measures(Includes access card holder data by business need-to-know, unique ID & physical access to card holder data). e. Regularly monitoring & testing of networks (Includes tracking & monitoring access & testing of security system). f. Maintaining an information security policy (Maintenance of policy to address information system). 6. Certification &Reporting Normally there are 2 ways by which business houses can check that they have achieved PCI DSS certification. These are:a. Self-Assessment Questionnaire. b. Vulnerability scanning. The questionnaire & the scanning process will help to identify if there is any weakness or vulnerability exist in the network or not. The reason behind SAQ (Self-Assessment Questionnaire) is to enable organizations in self evaluating compliances with the PCI-DSS. The PCI-DSS SAQ consists of 2 components: a set of questions relating to PCI-DSS requirements & an attestation of compliance. The attestation is your certification that you have performed appropriate assessment. PCI-DSS compliance requires that merchants have comprehensive vulnerability scan at least every quarter. PCI-DSS recommends that all outward facing scans should be scanned in order to protect the data from hacking. PCI-DSS SAQ identifies &mitigates risk from the inside (behind the firewall) while the scanning identify & mitigate risk from the outside. Various Credit card companies have defined 4 level of classification. Falling under which merchants are subject to certain reporting requirement. Check this link to get an idea on how VISA has defined the merchant levels cisp_merchants.html#anchor_2 Reports are the official mechanism by which merchants and other entities verify compliance with PCI-DSS to their respective acquiring financial institutions or payment card brand. Depending on payment card brand requirements, merchants and service providers may need to submit an SAQ or annual attestations of compliance for on-site assessments. Quarterly submission of a report for network scanning may also be required. 7. Conclusion PCI DSS helps all the E-commerce merchants by disclosing various guidelines for customer data security & protection. Customers can ensure security & trust over the merchants getting certified under PCI DSS while doing Etransactions. The PCI Security Standards Council collects various feedbacks on the PCI Security Standards from companies and stakeholders. This valuable input says that the standards as issued by “Council” can continue to provide a strong security framework for protecting the data relating to various card holders.