Narendra Sahoo, Founder and Director of VISTA InfoSec
Every day millions of people around the globe fall prey to cybercrime. What makes this alarming is that the majority of data breaches and thefts involve debit and credit card data. For these reasons, the PCI DSS standard was set in 2006 to strengthen information security and secure cardholder data. PCI DSS is a compliance requirement for all organizations and financial institutions, including banks, that deal with card transactions. Under the guidelines, banks and other financial institutions are expected to have comprehensive internal controls and security frameworks in place to safeguard sensitive data. Financial institutions handle millions of transactions daily, which is why securing those transactions and the cardholder data behind them is an incredibly challenging task. Given the amount of risk they are exposed to, financial institutions are the most heavily regulated industry in the U.S. and around the world.
In this article we discuss how PCI DSS impacts the banking sector and the risks banks are exposed to for non-compliance.
PCI DSS Compliance at a Glance
The Payment Card Industry Data Security Standard is a set of security standards administered by the PCI Security Standards Council and established by the five major card brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The standard applies to:
- Any organization or institution that deals with (stores, processes, or transmits) credit card data, including service providers.
- Any organisation (service provider) whose operations can affect the security of the cardholder data environment of another organization (the client of the service provider).
The scope of compliance typically covers data security, security framework policies and procedures, network architecture, and software design. Financial institutions, including issuing banks (banks that offer credit cards to customers) and acquiring banks (financial institutions that hold merchants' bank accounts, receive payments through the card processors, and deposit funds on behalf of the merchants), as well as merchants and service providers who process, store, transact, or enter into a contract with the five card brands, are expected to be PCI DSS compliant.
Impact of PCI DSS Standard on the Banking Sector
PCI DSS is a set of security standards that banks need to follow diligently to stay compliant. The millions of transactions they undertake daily, and the risk to which they are exposed, require them to have strong security measures in place to safeguard cardholder data. Given below are some PCI DSS requirements that banks are expected to follow and security tests they need to perform to ensure the cardholder data environment is not compromised.
- Test the defense systems in place to ensure the network, endpoints, and web applications are secure.
- Frequently commission a controlled breach attempt against the bank's network to validate its defenses (a penetration test or even a Red Team assessment).
- Perform security tests to detect known vulnerability classes such as SQL injection, OS command injection, cross-site scripting, broken authentication, etc.
- Test networks and check for the presence of authorized and unauthorized wireless access points every quarter.
- Perform a penetration test on the cardholder data environment (CDE) and the systems and networks connected to it at least once a year, or after a significant change has been made to the application.
- Conduct a vulnerability assessment and penetration test (VAPT) to identify possible threats and verify whether they can be exploited at the application and network level.
- Issues identified should be corrected and re-tested until systems and networks are clean and have strong defenses in place against malicious activity.
- Conduct internal audits as per the PCI DSS requirements at least once a year, or after any major change to processes or systems.
- Deliver internal awareness training for employees at least once a year.
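The quarterly wireless check listed above is one of the few items in this list that a defender can partly automate. The following is an added example (not from the article or from VISTA InfoSec) that compares a constructed wireless scan against a constructed inventory of authorized access points; the BSSIDs, SSIDs and the CSV scan format are all assumptions made for the illustration.

```python
"""Classify wireless access points seen in a scan against an authorized inventory.

Added example for the PCI DSS quarterly wireless check; all data below is
constructed for illustration and does not describe any real network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessPoint:
    bssid: str    # radio MAC address as reported by the scanner
    ssid: str     # advertised network name
    channel: int  # channel the radio was seen on


# Constructed inventory of authorized APs, keyed by BSSID (hypothetical values).
AUTHORIZED = {
    "00:11:22:33:44:01": AccessPoint("00:11:22:33:44:01", "BANK-CORP", 6),
    "00:11:22:33:44:02": AccessPoint("00:11:22:33:44:02", "BANK-CORP", 11),
}
CORPORATE_SSIDS = {ap.ssid for ap in AUTHORIZED.values()}

# Constructed scan output, one "bssid,ssid,channel" record per line.
SAMPLE_SCAN = """\
00:11:22:33:44:01,BANK-CORP,6
00:11:22:33:44:02,BANK-CORP,1
AA:BB:CC:DD:EE:01,BANK-CORP,1
AA:BB:CC:DD:EE:02,Guest-Cafe,6
"""


def parse_scan(text: str) -> list[AccessPoint]:
    """Parse the assumed CSV scan format, skipping blank lines."""
    aps = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        bssid, ssid, channel = line.split(",")
        aps.append(AccessPoint(bssid.upper(), ssid, int(channel)))
    return aps


def classify(seen: list[AccessPoint]) -> dict[str, list[str]]:
    """Bucket each observed AP; every non-authorized bucket needs human triage."""
    findings = {"authorized": [], "ssid_spoof": [], "unknown": [], "config_drift": []}
    for ap in seen:
        known = AUTHORIZED.get(ap.bssid)
        if known is None:
            # Corporate SSID on a radio we do not own is the most urgent finding.
            bucket = "ssid_spoof" if ap.ssid in CORPORATE_SSIDS else "unknown"
        elif ap != known:
            bucket = "config_drift"   # our radio, but not the recorded settings
        else:
            bucket = "authorized"
        findings[bucket].append(ap.bssid)
    return findings
```

An "unknown" entry may simply be a neighbour's network, so the quarterly evidence should record how each one was ruled in or out of the CDE rather than just the raw list.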
While it is extremely challenging to meet the testing requirements of PCI DSS, performing the tests and securing systems and networks is mandatory for banks and other financial institutions. A bank that fails to comply will face severe repercussions in the form of heavy penalties and loss of trust and credibility. We have listed below some of the serious repercussions and risks banks may be exposed to for non-compliance with PCI DSS.
Consequences and Risk Exposure of Non-Compliance with PCI DSS for the Banking Sector
The risk of merchants suffering a data breach has far greater implications and consequences, resulting in monetary penalties and often irreparable damage to brand reputation.
Data Theft & Security Breach
Being non-compliant with the PCI DSS standard simply means the bank may not have the necessary security measures in place to protect data. Having no strong defenses and security built around the network and systems will lead to a security breach and data theft. This in turn can have serious financial implications for the institution, leading to heavy losses.
Penalties for Non-Compliance
Non-compliance with PCI DSS can result in penalties ranging from $5,000 to $100,000 per month levied by the credit card companies. The penalties depend on the volume of transactions and the degree of non-compliance. Further, the penalties are at the discretion of the payment brand, which may decide to levy a penalty per breached record. Moreover, the fines are reassessed monthly and may rise over time until the merchant achieves compliance. Fines that the bank incurs can be passed on to the merchant through higher transaction fees or service charges if the merchant is found to be non-compliant, which further strains the relationship between the bank and the company.
Compensation Costs for Non-Compliance
Substantial compensation costs arise in the event of non-compliance with the PCI DSS standard. The bank or merchant will probably have to compensate affected clients with credit card monitoring, identity theft insurance, or some other form of compensation.
Tarnished Reputation Due to Non-Compliance
Security breaches and data theft not only have financial implications but also cause irreversible damage to the reputation of your brand. Once your security is compromised, it is very difficult to regain customers' trust in your bank. The image and reputation of your bank are at stake and will be greatly tarnished if it is found non-compliant and then suffers a security breach.
Once there is a blot on its reputation, business revenue and sales are significantly affected. There is a strong possibility of the bank facing losses as a result of a breach. A breach can lead to loss of customers, followed by loss of revenue. The financial implications are far more significant than the amount of money it would take to ensure compliance with PCI DSS.
Direct Intervention of Regulatory Bodies
Non-compliance with PCI DSS followed by a security breach can call for the direct intervention of regulatory bodies and involve frequent federal audits. This in turn can mean stricter regulations and further penalties. Consequences like these could severely impair the banking business.
The bottom line is that no matter how strong your defenses are and how many assessments you conduct, it takes just one slip for a breach to happen. No system is totally impenetrable, but in the event of a breach you need to be able to show that your bank followed all the compliance requirements and did its best to secure its systems to the best of its knowledge and ability. This is where banks need to focus their efforts, by conducting the due diligence detailed in the standard and summarized above in this article.
Moreover, we believe complying with the security standards is extremely important not just for the banking business, but also for the safety of its clients. While the requirements of the standard and the testing process may seem rigorous, the consequences of non-compliance can be devastating for the banking business. Banks in general have their own take on the standards. Depending on their risk levels (which are often high in the banking sector) and exposures, banks generally balance cost, security, and functionality when investing in an effective security control framework.
Author Bio: Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.
ADVANTAGES OF OFFSHORE BANKS: WHAT THEY HAVE TO OFFER MILLENNIALS
Contrary to popular belief, offshore banking isn’t just for the super-rich, nor is it illegal.
In reality, and with professional advice, the average person can open a perfectly legal offshore bank account within a matter of hours – ideal for busy, on-the-go millennials.
For a generation facing increasing financial challenges, it is more important than ever for millennials to build savings sooner rather than later. With climbing house prices, a higher relative cost of living, and the need to save more money for retirement, many millennials are planning their futures by setting up savings accounts in overseas institutions. But is this the most secure way of holding your hard-earned savings?
While the answer to this question is largely dependent on individual circumstance, there are many potential benefits to banking offshore; from earning higher interest rates and tax benefits, to having the ability to bank in foreign currencies. Offshore banking can be particularly beneficial for those who regularly travel overseas for work, as it allows you to receive multiple currencies without the need to pay for exchange fees. As such, there’s no risk of you losing out on exchange rate fluctuations.
Banking with confidence and having more security is a significant factor for people choosing to bank offshore. It can offer greater asset protection against possible future threats, such as divorce lawyers, creditors and legal action – which is essential for millennials with substantial amounts of money. This makes offshore banking a secure solution for managing your money well. However, it is worth noting that the security of your savings will depend on the regulations of where your bank is based.
For an added level of reassurance, many jurisdictions also offer strict financial privacy and confidentiality agreements. This means that your personal information will not be passed on to any third parties, so your assets are shielded and your individual or company information is safeguarded.
At Turner Little, we offer privacy-assured banking to suit your bespoke needs. Whether you’re an individual or a business, our services include arranging bank accounts and credit cards with both UK and offshore institutions. So get in touch with us today and see how we can help you prepare for your future.
CODAT PARTNERS WITH VISA TO GIVE EUROPEAN BANKS ACCESS TO SME FINANCIAL DATA
Codat – a London-based technology company that connects the internal systems of small businesses to banks, fintechs and other financial institutions, allowing business data to flow back and forth in real time – has formed a strategic partnership with Visa.
Via a single API, Codat enables financial service organisations to integrate with a wide and growing range of accounting, banking, and commerce platforms. It means banks and lenders can get a holistic financial profile of a small business in a matter of minutes rather than days, allowing credit risk to be assessed faster and more accurately and speeding up time to decision for the applicant.
The partnership agreement is tied to the launch of the Visa Fintech Partner Connect program in Europe – a new marketplace where Visa is partnering with a roster of carefully selected fintech businesses. It will provide Visa’s clients with access to a suite of next-generation digital banking solutions and capabilities from across the financial services spectrum, helping them to quickly bring new solutions to market.
Working with Codat, Visa’s clients will be able to create a fully digital journey for their SME customers, from onboarding, to underwriting, to account and portfolio management, with a single point of connectivity between their customers’ accounting platforms and data sources. Codat’s connectivity to an SME’s financial data will form the most up-to-date picture of a business’s financial health.
Through its commitment to integrating with a wide range of data sources, Codat ensures Visa and Codat clients will always be offered the broadest and richest access to key business financial data.
“This is a major stamp of approval and validation of the quality, security and scalability of the platform our team has built,” said Pete Lord, CEO at Codat. “Visa has recognised that we address a universal pain point in SME financial services: the manual, slow, and limited exchange of financial data between businesses and their service providers. Our modern API technology provides the means to do this better, giving Visa’s clients the ability to offer SMEs a suite of improved and more agile products and services, as well as reduce their own operating costs.”