1. Background
In today's competitive business environment, e-markets are growing day by day for effecting multiple business transactions of goods and services. During this process users mostly rely on payment gateways to complete the financial transactions using various types of debit/credit cards. Consequently, the extensive use of these cards has forced the adoption of certain procedures to prevent vulnerabilities that threaten the security of the customer's data.
The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures used to protect debit, credit and cash card transactions. These principles and procedures are mainly used to protect the personal data of card holders (persons authorized to use their credit/debit cards for making payments for goods and services) against misuse. The Payment Card Industry Security Standards Council (PCI SSC), referred to as the "Council", was launched on September 7, 2006 to focus primarily on the PCI security standards. Enterprises handling card data have to comply with the requirements issued by the Council. In the current business environment it has become imperative to follow these standards because of the extensive use of e-transactions, not only in value but also in volume. The five payment card brands, i.e. American Express, Discover Financial Services, JCB International, MasterCard and Visa, have agreed to adopt the standards issued by PCI DSS for the purpose of their data security compliance programs.
2. Intended Audience
This standard is meant for those who store, process or transmit card holder data. In addition, payment industry stakeholders such as payment processors, acquiring banks (which connect to a card brand network for payment processing), service providers (who provide all or some of the payment services for the merchant), assessors and the information security professionals who want to understand PCI are the target audience of the PCI DSS. It is meant for all sorts of organizations, whether large, medium or small.
3. About PCI DSS
3.1 Key players in PCI DSS
The idea of PCI DSS was brought in by the major credit card companies as a guideline to help organizations that process card payments for goods or services, so as to obstruct fraud arising out of hacking and various other threats. PCI DSS was created jointly in 2004 by five major credit card companies, i.e. Visa, MasterCard, Discover, JCB and American Express.
3.2 PCI Compliance
Who needs to comply: any merchant, acquirer, issuer bank or service provider that processes, stores or transmits credit or debit card data, and any party involved with them.
Complying with the Payment Card Industry Data Security Standard (PCI DSS) requirements means ensuring that both information systems and payment applications are secured in real time. Compliance with PCI DSS helps to protect cardholder data. It is a very complex and growing subject affecting millions of businesses: banks, Independent Sales Organizations (ISOs), processors, e-commerce and retail merchants and other merchant services providers. If you are not certified, there is a high risk of data being hacked. In India many e-commerce websites do not collect any credit card information from customers. During a payment transaction, when the customer chooses "Credit card" as the payment method and proceeds to complete the checkout, they are redirected to the payment gateway's payment page (such as CCAvenue), where the customer enters all the card details. In this scenario the e-commerce merchant does not bear any risk of being hacked or any PCI risk. If, during the same checkout, the customer enters his credit card number on the merchant's site, after which he is directed to the payment gateway to process the transaction, then this transaction falls under the purview of a PCI audit. Merchants who hold card data even in temporary memory are also liable to be PCI certified.
Why comply with PCI DSS: complying with PCI DSS helps you to protect customer data, manage your risk, avoid penal measures, stay in business and compete in the market.
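The scope point above (a merchant that captures or even temporarily holds the card number is in scope for a PCI audit, while one that redirects to the gateway's page is not) can be checked mechanically: scan what your systems actually retain for card-number-like values. The following is an added example, not code from the original paper; it implements a Luhn-filtered PAN detector over constructed sample log lines (the gateway host gateway.example and the order numbers are placeholders, and 4111 1111 1111 1111 is a well-known Luhn-valid test number, not a live card) and reports findings with the number masked so the report itself does not become cardholder data.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to other digits. Luhn filtering below removes most non-card numbers.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used for payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> List[str]:
    """Return every Luhn-valid 13-19 digit sequence in text, separators removed."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep only the first 6 and last 4 digits so the finding is not itself cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Report the line number and masked PAN for every card number found."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for pan in find_pans(line):
            findings.append({"line": lineno, "masked_pan": mask_pan(pan)})
    return findings


def holds_cardholder_data(lines: List[str]) -> bool:
    """True if any PAN was found: the system that wrote these lines handled card data."""
    return bool(scan_log(lines))


# Constructed sample lines (not real data); gateway.example is a placeholder host.
SAMPLE_LOG = [
    # Redirect-style checkout: the merchant only records the hand-off to the gateway.
    "2013-02-28 10:01:22 order=778 checkout redirect=https://gateway.example/pay?order=778",
    # Direct-entry checkout: the PAN reached the merchant's server and was written to the log.
    "2013-02-28 10:03:41 order=779 POST /checkout card_number=4111 1111 1111 1111 exp=12/15",
    # A 13-digit amount that is not a card number: it fails Luhn, so it is not reported.
    "2013-02-28 10:04:05 order=780 total_paise=1234567890123 status=ok",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: PAN {f['masked_pan']} retained by merchant system")
    print("in scope for PCI audit:", holds_cardholder_data(SAMPLE_LOG))
```

Only the direct-entry line is reported; the redirect line contains no card data, and the 13-digit amount is rejected by the Luhn check. Running the same scan over application logs, crash dumps and database exports is a practical first pass at the "assess" step, since any hit means the merchant system handled the PAN and is within audit scope regardless of how briefly it was held.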
3.3 Challenges in PCI Compliance
Organizations face scrutiny when adhering to PCI DSS compliance. Huge fines and penalties are imposed, and they have increased significantly for systems that are not in compliance. You can refer to the link below, as provided by the Council, regarding the fines imposed for non-compliance with PCI DSS: http://www.pcistandard.com/cardassociation-fines/
As per Visa, most of the large and medium size merchants in the US did not reach their respective PCI DSS compliance. Organizations largely rely on manual assessment methods for PCI DSS audit. This manual assessment is a very time consuming and error prone process.
3.4 Frauds in India and its involvement in global scams
Credit card fraud is rampant not only in India but also across the globe, affecting millions of consumers and businesses every day. Indians are actively involved in various frauds relating to debit/credit cards and other means of online transactions. They are not only involved in frauds in India but have also extended their routes abroad. Following are some examples of recent events:
In Delhi, a man allegedly involved in the credit card theft of more than 30K customers of a private sector bank and making transactions worth crores of rupees landed in the police net in the year 2013.
In another incident, 5 Indian-origin men were among 18 others charged for running a massive 200 million dollar global credit card fraud, under which they used thousands of fake identities to target businesses and financial firms and wired millions of dollars to Pakistan and India.
These types of incidents clearly depict how Indians are actively involved in various frauds involving debit/credit cards, and that it is not limited to one part of the world but has extended across the globe. All these cases raise a high alarm for those sectors using online credit cards to become compliant with the PCI DSS standards issued by the Council.
3.5 Steps in PCI Compliance
Assess, Remediate and Report
The first step in PCI compliance is to assess: take an inventory of the IT assets and business processes used for payment card processing, and analyze them for vulnerabilities that could expose cardholder data. The second step is to remediate, which is basically the process of fixing those vulnerabilities. The last stage is reporting. Reporting involves the accumulation of records required by PCI DSS to validate remediation, and submission of reports to the acquiring bank and card payment brands. The above three steps are not a one-time process; rather it is an ongoing process for continuous compliance with the PCI DSS requirements.
4. PCI DSS in India
PCI DSS is not very popular among Indian companies. India is the second most populous country, where e-payments through cards are extensively used for various transactions. E-commerce as a business transacts on the internet, where there is a chance that customer data can be hacked. The volume of debit/credit card transactions is no longer as small as it used to be 5 years back.
India is commonly named as the destination for outsourcing. Business Process Outsourcing (BPO) plays a very significant role in the field of outsourcing. Generally BPOs deal with various data relating to third parties. There is a high risk of data leakage and fraud. In order to thwart fraud, the Indian BPO industry is adopting some of the most stringent standards for the handling of sensitive information and data. One such standard is the Payment Card Industry Data Security Standard (PCI DSS), as prescribed by the Council. Indian companies like Infosys BPO and Vodafone India are already under PCI DSS certification.
The size of the payment card market in India is very big and it is increasing day by day. According to the "Threat Report 2013" published by Symantec Internet Security, the countries leading the chart in bank card threats are the USA, China and India, with India accounting for 6.5% of the total targeted attacks in 2012. Various countries have already taken several steps to prevent credit card fraud; hence we should protect ourselves against the frauds moving into India, and we cannot ignore the fact that "fraudsters are a step ahead of the market".
In India, due to the rise in fraud arising out of debit/credit card transactions, the Reserve Bank of India (RBI) has stipulated some safety measures for credit/debit card transactions. In the recent notification dated 28 Feb 2013 named "Security & Risk Mitigation Measures for Electronic Payment Transactions", RBI has directed banks to put in place the following safety measures (only those relating to PCI DSS are listed below):
a. Banks should ensure that the terminals installed at merchants for capturing card payments (including the double swipe terminals used) are verified for PCI DSS (Payment Card Industry Data Security Standard) and PA-DSS (Payment Application Data Security Standard) (by June 30, 2013).
b. Banks should ensure that all acquiring infrastructure that is currently operational on IP (Internet Protocol) based solutions is mandatorily made to go through PCI DSS and PA-DSS certification. This should include acquirers, processors/aggregators and large merchants (by June 30, 2013).
Considering the rapid growth of the card payment market and merchants in India, we will soon have to adopt an additional factor of authentication for card-present transactions in the various terminals dealing with debit/credit cards. The way frauds related to credit/debit cards are spreading across various corners of India, it becomes imperative for organizations to cover themselves under PCI DSS.
5. Requirements of PCI DSS
PCI DSS is classified into 6 categories defining 12 requirements, as mentioned below:
a. Building and maintaining a secure network (includes installation and maintenance of a firewall, and handling of vendor-supplied passwords).
b. Protecting card holder data (includes protection of stored card holder data and encryption of its transmission).
c. Maintaining a vulnerability management program (includes antivirus software and development and maintenance of secure systems).
d. Implementing strong access control measures (includes restricting access to card holder data by business need-to-know, unique IDs, and physical access to card holder data).
e. Regularly monitoring and testing networks (includes tracking and monitoring access, and testing of security systems).
f. Maintaining an information security policy (maintenance of a policy that addresses information security).
6. Certification and Reporting
Normally there are 2 ways by which business houses can check that they have achieved PCI DSS certification. These are:
a. Self-Assessment Questionnaire.
b. Vulnerability scanning.
The questionnaire and the scanning process help to identify whether any weakness or vulnerability exists in the network. The reason behind the SAQ (Self-Assessment Questionnaire) is to enable organizations to self-evaluate their compliance with PCI DSS. The PCI DSS SAQ consists of 2 components: a set of questions relating to the PCI DSS requirements, and an attestation of compliance. The attestation is your certification that you have performed the appropriate assessment.
PCI DSS compliance requires that merchants have a comprehensive vulnerability scan at least every quarter. PCI DSS recommends that all outward facing systems be scanned in order to protect the data from hacking.
The PCI DSS SAQ identifies and mitigates risk from the inside (behind the firewall), while the scanning identifies and mitigates risk from the outside.
Various credit card companies have defined 4 levels of classification, and merchants falling under each level are subject to certain reporting requirements. Check this link to get an idea of how Visa has defined the merchant levels: http://usa.visa.com/merchants/risk_management/cisp_merchants.html#anchor_2
Reports are the official mechanism by which merchants and other entities verify compliance with PCI DSS to their respective acquiring financial institutions or payment card brand. Depending on payment card brand requirements, merchants and service providers may need to submit an SAQ or annual attestations of compliance for on-site assessments. Quarterly submission of a report for network scanning may also be required.
7. Conclusion
PCI DSS helps all e-commerce merchants by setting out various guidelines for customer data security and protection. Customers can have security and trust in merchants certified under PCI DSS while doing e-transactions.
The PCI Security Standards Council collects feedback on the PCI Security Standards from companies and stakeholders. This valuable input indicates that the standards issued by the Council can continue to provide a strong security framework for protecting card holder data.