Requirement of PCI-DSS in India.
CA. Priyadarshan Behera
1. Background

In today's competitive business environment, e-markets are growing day by day for carrying out business transactions in goods and services. During this process users mostly rely on payment gateways to complete the financial transaction using various types of debit/credit cards. Consequently, the extensive use of these cards has forced the adoption of certain procedures in order to prevent vulnerabilities that threaten the security of customer data.

The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures used to protect debit, credit and cash card transactions. These principles and procedures are mainly used to protect the cardholder's (the person authorised to use a credit/debit card to make payments for goods and services) personal data against misuse. The Payment Card Industry Security Standards Council (PCI SSC), referred to here as the "Council", was launched on September 7, 2006 to focus primarily on the PCI security standards. Enterprises that handle card data have to comply with the requirements issued by the Council. In the current business environment it has become imperative to follow these standards because of the extensive use of e-transactions, not only by amount but also by volume. The five payment card brands, i.e. American Express, Discover Financial Services, JCB International, MasterCard and Visa, have agreed to adopt the standards issued under PCI DSS for the purpose of their data security compliance programs.

2. Intended Audience

This standard is meant for those who store, process or transmit cardholder data. In addition, payment industry stakeholders such as payment processors, acquiring banks (which connect to a card brand network for payment processing), service providers (which provide all or some of the payment services for a merchant), assessors and information security professionals who want to understand PCI are the target audience of PCI DSS. It applies to organizations of all sizes, whether large, medium or small.

3. About PCI DSS

3.1 Key players in PCI DSS

The idea of PCI-DSS was brought in by the major credit card companies as a guideline to help organizations that process card payments for goods or services, so as to obstruct fraud arising out of hacking and various other threats. PCI DSS was created jointly in 2004 by five major credit-card companies, i.e. Visa, MasterCard, Discover, JCB and American Express.

3.2 PCI Compliance

Who needs to comply: any merchant, acquirer, issuer bank or service provider that processes, stores or transmits credit or debit card data, and any party involved with them. Complying with the Payment Card Industry Data Security Standard (PCI DSS) requirements means ensuring that both information systems and payment applications are secured in real time. Compliance with PCI-DSS helps to protect cardholder data. It is a very complex and growing subject affecting millions of businesses: banks, Independent Sales Organizations (ISOs), processors, e-commerce and retail merchants and other merchant service providers. If you are not certified, there is a high risk of data being hacked.

In India many e-commerce websites do not collect any credit card information from customers. During a payment transaction, when the customer chooses "Credit card" as the payment method and proceeds to complete the checkout, they are redirected to the payment gateway's payment page (such as CCAvenue), where the customer himself enters all the card details. In this scenario the e-commerce merchant is not bearing any risk of being hacked or any PCI risk. If, during the same transaction, the customer enters his credit card number at the checkout stage and is then directed to the payment gateway to process the transaction, then this transaction falls under the purview of a PCI audit. Merchants who hold card data even in temporary memory are also liable to be PCI certified.

Why comply with PCI DSS: complying with PCI DSS helps you protect customer data, manage your risk, avoid penal measures, stay in business and compete in the market.

3.3 Challenges in PCI Compliance

Organizations face scrutiny when adhering to PCI-DSS compliance. Huge fines and penalties are imposed, and they have increased significantly for systems that are not in compliance. You can refer to the link below, as provided by the Council, regarding the fines imposed for non-compliance with PCI DSS: http://www.pcistandard.com/cardassociation-fines/

According to Visa, most of the large and medium-size merchants in the US have not reached their respective PCI-DSS compliance. Organizations rely largely on manual assessment methods for PCI-DSS audits. This manual assessment is a very time-consuming and error-prone process.

3.4 Frauds in India and their involvement in global scams

Credit card fraud is rampant not only in India but across the globe, affecting millions of consumers and businesses every day. Indians are actively involved in various frauds relating to debit/credit cards and other means of online transactions. They are not only involved in committing frauds within India but have also extended their routes abroad. The following are some examples of recent events:

In Delhi, a man allegedly involved in the credit card theft of more than 30K customers of a private sector bank, making transactions worth crores of rupees, landed in the police net in the year 2013. In another incident, 5 Indian-origin men were among 18 others charged with running a massive 200 million dollar global credit card fraud, in which they used thousands of fake identities to target businesses and financial firms and wired millions of dollars to Pakistan and India.

These incidents clearly depict how Indians are actively involved in various frauds involving debit/credit cards, and that this is not limited to one region but has extended across the globe. All these cases raise a high alarm for sectors using online credit cards to get themselves compliant with the PCI-DSS standards issued by the Council.

3.5 Steps in PCI Compliance

Assess, Remediate and Report. The first step in PCI compliance is to assess: take an inventory of the IT assets and business processes involved in payment card processing, and analyze them for vulnerabilities that could expose cardholder data. The second step is to remediate, which is basically the process of fixing those vulnerabilities. The last stage is reporting. Reporting involves compiling the records required by PCI DSS to validate remediation, and submitting reports to the acquiring bank and card payment brands. These three steps are not a one-time process; rather, they form an ongoing process for continuous compliance with the PCI DSS requirements.

4. PCI-DSS in India

PCI-DSS is not very popular among Indian companies. India is the second-most populous country, and e-payments through cards are extensively used there for various transactions. E-commerce as a business transacts on the internet, where there is a chance of customer data being hacked. The level of debit/credit card transactions is no longer as small as it used to be 5 years back.

India is normally named as the destination of outsourcing. Business Process Outsourcing (BPO) plays a very significant role in the field of outsourcing. Generally BPOs deal with various data relating to third parties, so there is a high risk of data leakage and fraud. In order to thwart fraud, the Indian BPO industry is adopting some of the most stringent standards for handling sensitive information and data. One such standard is the Payment Card Industry Data Security Standard (PCI-DSS), as prescribed by the Council. Indian companies like Infosys BPO and Vodafone India have already come under PCI DSS certification.

The size of the payment card market in India is very big and it is increasing day by day. According to the "Threat Report 2013" published by Symantec Internet Security, the countries leading the chart in bank card threats are the USA, China and India, with India accounting for 6.5% of the total targeted attacks in 2012. Various countries have already taken several steps to prevent credit card fraud; hence we should protect ourselves against the frauds moving into India, and we cannot ignore the fact that "fraudsters are a step ahead of the market".

In India, due to the rise in fraud arising out of debit/credit card transactions, the Reserve Bank of India (RBI) has stipulated some safety measures for credit/debit card transactions. In its recent notification dated 28 Feb 2013, titled "Security & Risk Mitigation Measures for Electronic Payment Transactions", RBI directed banks to put in place safety measures, of which those relating to PCI DSS are as follows:

a. Banks should ensure that the terminals installed at merchants for capturing card payments (including the double swipe terminals used) are verified for PCI-DSS (Payment Card Industry Data Security Standard) and PA-DSS (Payment Application Data Security Standard) (by June 30, 2013).

b. Banks should ensure that all acquiring infrastructure that is currently operational on IP (Internet Protocol) based solutions is mandatorily made to go through PCI-DSS and PA-DSS certification. This should include acquirers, processors/aggregators and large merchants (by June 30, 2013).

Considering the rapid growth of the card payment market and of merchants in India, we will soon have to adopt an additional factor of authentication for card-present transactions at the various terminals handling debit/credit cards. Given the way frauds related to credit/debit cards are spreading across various corners of India, it becomes imperative for organizations to bring themselves under PCI-DSS.

5. Requirements of PCI DSS

PCI DSS is classified into 6 categories defining 12 requirements, as mentioned below:

a. Building and maintaining a secure network (includes the installation and maintenance of firewalls and the handling of vendor-supplied passwords).
b. Protecting cardholder data (includes protection of stored cardholder data and encryption of cardholder data during transmission).
c. Maintaining a vulnerability management program (includes antivirus software and the development and maintenance of secure systems).
d. Implementing strong access control measures (includes restricting access to cardholder data by business need-to-know, unique IDs and physical access to cardholder data).
e. Regularly monitoring and testing networks (includes tracking and monitoring access, and testing of security systems).
f. Maintaining an information security policy (maintenance of a policy that addresses information security).

6. Certification and Reporting

Normally there are 2 ways by which business houses can check that they have achieved PCI DSS certification. These are:

a. Self-Assessment Questionnaire.
b. Vulnerability scanning.

The questionnaire and the scanning process help identify whether any weakness or vulnerability exists in the network. The purpose of the SAQ (Self-Assessment Questionnaire) is to enable organizations to self-evaluate their compliance with PCI-DSS. The PCI-DSS SAQ consists of 2 components: a set of questions relating to the PCI-DSS requirements, and an attestation of compliance. The attestation is your certification that you have performed the appropriate assessment.

PCI-DSS compliance requires merchants to have a comprehensive vulnerability scan at least every quarter. PCI-DSS recommends that all outward-facing systems be scanned in order to protect data from hacking. The PCI-DSS SAQ identifies and mitigates risk from the inside (behind the firewall), while scanning identifies and mitigates risk from the outside.

The various credit card companies have defined 4 levels of classification; depending on the level a merchant falls under, it is subject to certain reporting requirements. Check this link to get an idea of how VISA has defined the merchant levels: http://usa.visa.com/merchants/risk_management/cisp_merchants.html#anchor_2

Reports are the official mechanism by which merchants and other entities verify compliance with PCI-DSS to their respective acquiring financial institutions or payment card brands. Depending on payment card brand requirements, merchants and service providers may need to submit an SAQ or annual attestations of compliance for on-site assessments. Quarterly submission of a report for network scanning may also be required.

7. Conclusion

PCI DSS helps all e-commerce merchants by laying down various guidelines for customer data security and protection. Customers can have security and trust in merchants certified under PCI DSS while doing e-transactions.

The PCI Security Standards Council collects feedback on the PCI Security Standards from companies and stakeholders. This valuable input indicates that the standards issued by the Council can continue to provide a strong security framework for protecting cardholder data.

mikeeftimakis1
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
SOFTTECHHUB
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
Kari Kakkonen
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
Alex Pruden
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 

Recently uploaded (20)

GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Introduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - CybersecurityIntroduction to CHERI technology - Cybersecurity
Introduction to CHERI technology - Cybersecurity
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
Goodbye Windows 11: Make Way for Nitrux Linux 3.5.0!
 
DevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA ConnectDevOps and Testing slides at DASA Connect
DevOps and Testing slides at DASA Connect
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 

Requirement of PCI-DSS in India.

and the information security professionals who want to understand PCI are the target audience of the PCI DSS. It applies to organizations of every size, whether large, medium or small.

3. About PCI DSS

3.1 Key players in PCI DSS

PCI DSS was brought in by the major card brands as a set of guidelines for organizations that process card payments for goods or services, so that fraud arising out of hacking and other threats is obstructed. It was created jointly in 2004 by five major card companies: Visa, MasterCard, Discover, JCB and American Express.

3.2 PCI Compliance

Who needs to comply: any merchant, acquirer, issuer bank or service provider that processes, stores or transmits credit or debit card data, and any party involved with them.

Complying with the PCI DSS requirements means ensuring that both the information systems and the payment applications handling card data are secured, and stay secured, rather than being checked once. Compliance helps to protect cardholder data. It is a complex and growing subject affecting millions of businesses: banks, Independent Sales Organizations (ISOs), processors, e-commerce and retail merchants and other merchant service providers. If you are not compliant, the risk of card data being compromised is high.

In India many e-commerce websites do not collect any card information from customers themselves. During the payment transaction, when
the customer chooses “Credit card” as the payment method and proceeds to complete the checkout, they are redirected to the payment gateway’s own payment page (CCAvenue, for example), where the customer enters the card details. In this scenario the card data never touches the merchant’s systems, so the merchant carries neither the risk of that data being hacked nor the PCI scope that comes with it. If instead the customer enters the card number on the merchant’s own checkout page and the merchant then passes it to the payment gateway for processing, the transaction falls under the purview of a PCI audit. Merchants that hold card data only transiently, in temporary memory, are also liable to be PCI certified.

Why comply with PCI DSS: complying helps you protect customer data, manage your risk, avoid penalties, stay in business and compete in the market.

3.3 Challenges in PCI Compliance

Organizations face scrutiny when adhering to PCI DSS. Fines and penalties for systems that are not in compliance are heavy and have increased significantly. The page below summarises the card association fines imposed for non-compliance with PCI DSS: http://www.pcistandard.com/cardassociation-fines/

According to Visa, most of the large and medium size merchants in the US have not reached their respective PCI DSS compliance level. Organizations rely largely on manual assessment methods for PCI DSS audits, and manual assessment is a time-consuming and error-prone process.

3.4 Frauds in India and their involvement in global scams

Credit card fraud is rampant not only in India but across the globe, affecting millions of consumers and businesses every day. Indians are actively involved in various frauds relating to debit/credit cards and other means of online transactions, not only within India but abroad as well.
Some recent examples: in Delhi, a man allegedly involved in the theft of credit card data of more than 30,000 customers of a private sector bank, and in transactions worth crores of rupees, was arrested by the police in 2013. In another incident, five Indian-origin men were among 18 people charged with running a massive 200 million dollar global credit card fraud, in which thousands of fake identities were used to target businesses and financial firms and millions of dollars were wired to Pakistan and India. These incidents show how actively Indians are involved in debit/credit card fraud, and that it is not confined to one region but extends across the globe. All these cases are a loud alarm for the sectors accepting cards online to get compliant with the PCI DSS standards issued by the “Council”.

3.5 Steps in PCI Compliance: Assess, Remediate and Report

The first step in PCI compliance is to assess: take an inventory of the IT assets and business processes involved in payment card processing and analyse them for vulnerabilities that could expose cardholder data. The second step is to remediate, that is, to fix those vulnerabilities. The last step is to report: accumulate the records PCI DSS requires to validate the remediation and submit the reports to the acquiring bank and the card payment brands. These three steps are not a one-time exercise; they form an ongoing cycle of continuous compliance with the PCI DSS requirements.
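The scoping point in 3.2 (card data that even transits, or sits briefly in, the merchant’s own systems brings those systems into PCI DSS scope) and the assess step in 3.5 both come down to one question: is cardholder data present where you did not expect it, for example in application logs or cache dumps? The following is an added example written for this page, not code from the original slides. It searches constructed sample log lines for Luhn-valid 13 to 19 digit numbers, reports the lines that expose a primary account number (PAN), and masks each PAN to the first six and last four digits that PCI DSS permits for display. The log lines, the field names and the separators handled are assumptions made for the example; the card numbers are widely published test numbers, not real cards.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# hyphens, not glued to other digits. Assumption for this example: those are
# the only separators that leak into the logs being assessed.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn (mod 10) check that every major card brand's PAN satisfies.
    It filters out order IDs, timestamps and other digit runs of similar length."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the Luhn-valid PANs found in text, as plain digit strings."""
    pans = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask_pan(digits):
    """Mask a PAN the way PCI DSS allows it to be displayed:
    at most the first six and last four digits stay visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(text):
    """Replace every Luhn-valid PAN in text with its masked form,
    leaving non-PAN digit runs untouched."""
    def replace(match):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return mask_pan(digits)
        return match.group()
    return PAN_CANDIDATE.sub(replace, text)


def assess(lines):
    """Assessment step: report (line number, masked PANs) for every log line
    that holds cardholder data, which brings that system into PCI DSS scope."""
    findings = []
    for number, line in enumerate(lines, start=1):
        pans = find_pans(line)
        if pans:
            findings.append((number, [mask_pan(p) for p in pans]))
    return findings


# Constructed sample log lines for this example. The card numbers are widely
# published test PANs, the order ID is a 16-digit number that is not
# Luhn-valid, and the field names are made up.
SAMPLE_LOG = [
    "2013-06-30 10:12:01 INFO checkout order=1234567890123456 amount=1999.00 method=redirect",
    "2013-06-30 10:12:05 DEBUG POST /checkout body=card=4111111111111111&exp=12/15&cvv=123",
    "2013-06-30 10:12:09 ERROR gateway timeout, retry payload={'pan': '5555 5555 5555 4444'}",
    "2013-06-30 10:12:11 INFO session cache dump: 378282246310005",
]

if __name__ == "__main__":
    for number, masked in assess(SAMPLE_LOG):
        print("line %d exposes cardholder data: %s" % (number, ", ".join(masked)))
    print("scrubbed:", scrub(SAMPLE_LOG[1]))
```

Running the block reports lines 2, 3 and 4 and leaves line 1 alone, because the order ID fails the Luhn check even though it is 16 digits long. Note that line 2 also logs the CVV; PCI DSS forbids storing sensitive authentication data such as the CVV after authorization at all, masked or not, so a real assessment would flag that field separately and the fix is to stop logging the request body rather than to scrub it.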
4. PCI DSS in India

PCI DSS is not yet very popular among Indian companies, even though India, the second most populous country, uses card payments extensively. E-commerce transacts on the internet, where customer data can be hacked, and the volume of debit/credit card transactions is no longer small as it was five years back.

India is commonly named as the outsourcing destination, and Business Process Outsourcing (BPO) plays a significant role in that field. BPOs generally deal with data belonging to third parties, so the risk of data leakage and fraud is high. In order to thwart fraud, the Indian BPO industry is adopting some of the most stringent standards for handling sensitive information and data; one such standard is PCI DSS, as prescribed by the “Council”. Indian companies like Infosys BPO and Vodafone India have already obtained PCI DSS certification.

The payment card market in India is very big and is growing day by day. According to the Symantec Internet Security Threat Report 2013, the countries leading the chart for bank card threats are the USA, China and India, with India accounting for 6.5% of the targeted attacks in 2012. Various countries have already taken steps to prevent credit card fraud, so we must protect ourselves against fraud moving into India; we cannot ignore the fact that “fraudsters are a step ahead of the market”.

Because of the rise in fraud arising out of debit/credit card transactions, the Reserve Bank of India (RBI) has stipulated safety measures for credit/debit card transactions.
In its notification dated 28 February 2013, “Security and Risk Mitigation Measures for Electronic Payment Transactions”, the RBI directed banks to put in place a number of safety measures, of which those relating to PCI DSS are:

a. Banks should ensure that the terminals installed at merchants for capturing card payments (including double-swipe terminals) are verified for PCI DSS (Payment Card Industry Data Security Standard) and PA-DSS (Payment Application Data Security Standard) compliance (by 30 June 2013).

b. Banks should ensure that all acquiring infrastructure currently operating on IP (Internet Protocol) based solutions mandatorily goes through PCI DSS and PA-DSS certification. This includes acquirers, processors/aggregators and large merchants (by 30 June 2013).

Considering the rapid growth of the card payments market and of merchants in India, we will soon have to adopt an additional factor of authentication for card-present transactions at the various terminals handling debit/credit cards. The way debit/credit card fraud is spreading across every corner of India, it becomes imperative for organizations to bring themselves under PCI DSS.

5. Requirements of PCI DSS

PCI DSS is organised into six categories defining twelve requirements, as follows:

a. Build and maintain a secure network (install and maintain a firewall configuration; do not use vendor-supplied defaults for system passwords and other security parameters).

b. Protect cardholder data (protect stored cardholder data; encrypt transmission of cardholder data across open, public networks).

c. Maintain a vulnerability management program (use and regularly update anti-virus software; develop and maintain secure systems and applications).
d. Implement strong access control measures (restrict access to cardholder data by business need-to-know; assign a unique ID to each person with computer access; restrict physical access to cardholder data).

e. Regularly monitor and test networks (track and monitor all access to network resources and cardholder data; regularly test security systems and processes).

f. Maintain an information security policy (maintain a policy that addresses information security for all personnel).

6. Certification and Reporting

There are two common ways by which businesses validate that they comply with PCI DSS:

a. The Self-Assessment Questionnaire (SAQ).

b. Vulnerability scanning.

Together, the questionnaire and the scanning process help to identify whether any weakness or vulnerability exists in the network. The purpose of the SAQ is to enable an organization to evaluate its own compliance with PCI DSS. The SAQ consists of two components: a set of questions relating to the PCI DSS requirements, and an Attestation of Compliance. The attestation is your certification that you have performed the appropriate assessment. PCI DSS also requires merchants to have a comprehensive vulnerability scan, performed by an Approved Scanning Vendor (ASV), at least quarterly, and all externally facing IP addresses in scope should be scanned so that the data is protected from outside attack. The SAQ identifies and helps mitigate risk from the inside (behind the firewall), while the scan identifies and helps mitigate risk from the outside.

The card brands have defined four merchant levels, and the level a merchant falls under determines its reporting requirements. See the following link for how Visa defines the merchant levels: http://usa.visa.com/merchants/risk_management/cisp_merchants.html#anchor_2

Reports are the official mechanism by which merchants and other entities verify compliance with PCI DSS to their respective acquiring financial institutions or payment card brands.
Depending on the payment card brand’s requirements, merchants and service providers may need to submit an SAQ, or an annual Attestation of Compliance backed by an on-site assessment, and quarterly submission of the network scan report may also be required.

7. Conclusion

PCI DSS helps every e-commerce merchant by laying down guidelines for the security and protection of customer data, and customers can place trust in a merchant that is certified under PCI DSS when transacting online. The PCI Security Standards Council collects feedback on the PCI Security Standards from companies and stakeholders, and this input ensures that the standards issued by the “Council” continue to provide a strong security framework for protecting cardholder data.