
Narendra Sahoo,Founder and Director of  VISTA InfoSec


Introduction

Every day millions of people around the globe fall prey to cybercrime. What makes this alarming is that the majority of data breaches and thefts involve debit and credit card data. For this reason, the PCI DSS standards were established in 2006 to strengthen information security and protect cardholder data. PCI DSS is a compliance requirement for all organizations and financial institutions, including banks, that handle card transactions. Under the guidelines, banks and other financial institutions are expected to have comprehensive internal controls and security frameworks in place to safeguard sensitive data. Financial institutions handle millions of transactions daily, which makes securing those transactions and the associated cardholder data an incredibly challenging task. Given the amount of risk they are exposed to, financial institutions are the most heavily regulated industry in the U.S. and around the world.

In this article we discuss how PCI DSS affects the banking sector and the risks banks are exposed to for non-compliance.

PCI DSS Compliance at a Glance

The Payment Card Industry Data Security Standard is a set of security standards administered by the PCI Security Standards Council and established by the five major card brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The compliance standard applies to:

  • Any organization or institution that stores, processes, or transmits credit card data, including service providers.
  • Any organization (a service provider) whose operations can affect the security of another organization's cardholder data environment (the service provider's client).

The scope of compliance typically covers data security, security framework policies and procedures, network architecture, and software design. Financial institutions, including issuing banks (banks that offer credit cards to customers) and acquiring banks (financial institutions that hold merchants' bank accounts, receive payments through the card processors, and deposit funds on behalf of the merchants), merchants, and service providers that process, store, or transact card data or enter into a contract with the five card brands are expected to be PCI DSS compliant.

Impact of PCI DSS Standard on the Banking Sector

PCI DSS is a set of security standards that banks need to follow diligently to stay compliant. The millions of transactions they undertake daily, and the risk this exposes them to, require them to have strong security measures in place to safeguard cardholder data. Given below are some PCI DSS requirements that banks are expected to follow and security tests they need to perform to ensure the cardholder data environment is not compromised.

  • Test the defense systems in place to ensure networks, endpoints, and web applications are secure.
  • Frequently commission a controlled, authorized breach attempt against the bank's network (a penetration test or even a red team assessment) to validate that the network is secure.
  • Perform security tests to detect known vulnerability classes such as SQL injection, OS command injection, cross-site scripting, broken authentication, etc.
  • Test networks for the presence of authorized and unauthorized wireless access points every quarter.
  • Perform a penetration test on the cardholder data environment (CDE) and the systems and networks connected to it at least once a year or after a significant change has been made to the application.
  • Conduct a VAPT (vulnerability assessment and penetration test) to identify all possible threats and exploit them to penetrate the system at the application and network level.
  • Correct the issues identified and re-test until systems and networks are clean and have strong defenses in place against malicious activity.
  • Conduct internal audits as per the PCI DSS requirements at least once a year or after any major change to processes or systems.
  • Provide internal awareness training for employees at least once a year.

While it is extremely challenging to meet the testing requirements of PCI DSS, performing the tests and securing systems and networks is mandatory for banks and other financial institutions. A bank that fails to comply faces severe repercussions in the form of heavy penalties and loss of trust and credibility. We have listed below some serious repercussions and risks banks may be exposed to for non-compliance with PCI DSS.

Consequences and Risk Exposure to Non-Compliance with PCI DSS for Banking Sector

A data breach suffered by a merchant has far greater implications and consequences, resulting in monetary penalties and often irreparable damage to brand reputation.

Data theft and security breach

Being non-compliant with the PCI DSS standards simply means the bank may not have the necessary security measures in place to protect data. Having no strong defenses and security built around the network and systems will lead to a security breach and data theft. This can in turn have huge financial implications for the institution, leading to large losses.

Hefty Penalties

Non-compliance with PCI DSS can result in penalties from the credit card companies ranging from $5,000 to $100,000 per month. The penalties levied depend on the volume of transactions and the degree of non-compliance. Further, the penalties are at the discretion of the payment brand, which may decide to levy a penalty per record that has been breached. Moreover, the fines are reassessed monthly and may rise over time until the merchant achieves compliance. Fines that the bank incurs can also be passed on to the merchant through higher transaction fees or service charges if the merchant is found to be non-compliant. This further strains the relationship between the bank and the merchant.

Compensation costs for non-compliance

Non-compliance with the PCI DSS standards can involve substantial compensation costs. The banks or merchants will probably have to compensate affected clients with credit card monitoring, identity theft insurance, or some other form of compensation.

Tarnished Reputation due to non-compliance

Security breaches and data theft not only have financial implications but also cause irreversible damage to the reputation of your brand. Once your security is compromised, it is very difficult to regain customers' trust in your bank. The image and reputation of your bank are at stake and will be greatly tarnished if it is found non-compliant and suffers a security breach.

Revenue loss

Once there is a blot on its reputation, a bank's business revenue and sales are significantly affected. There is a high likelihood of the bank suffering losses following a breach incident. A breach can lead to loss of customers, followed by loss of revenue. These financial implications are far more significant than the amount of money it would take to ensure compliance with PCI DSS.

Direct intervention of regulatory bodies

Non-compliance with PCI DSS followed by a security breach can call for the direct intervention of regulatory bodies and involve frequent federal audits. This can further lead to the imposition of strict regulations and penalties. Consequences like these can severely impair the banking business.


Conclusion

The bottom line is that no matter how strong your defenses are or how many assessments you conduct, it takes only one slip for a breach to happen. No system is totally impenetrable, but in the event of a breach you need to be able to show that your bank followed all the compliance requirements and did its best to secure its systems to the best of its knowledge and ability. This is where banks need to focus their work, by conducting due diligence as detailed in the standard and summarized above in this article.

Moreover, we believe complying with the security standards is extremely important not just for the banking business, but also for the safety of its clients. While the standard's requirements and testing process may seem rigorous, the consequences of non-compliance can be destructive for the banking business. Banks in general have their own take on the standards. Depending on their risk levels (which are often high in the banking sector) and exposures, banks generally balance cost, security, and functionality when investing in an effective security control framework.


Author Bio: Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.

TO ENABLE BETTER LENDING FOR PEOPLE AND BUSINESSES, WE HAVE TO LOOK TO OPEN BANKING

By Iain McDougall, CCO of Yapily


A recent FCA study found over 14 million people were grappling with financial issues at the end of 2020, representing more than a quarter of the UK adult population. The picture is similarly tough for SMEs, too, which have been impacted hugely by lockdowns, loss of earnings and more; it’s estimated the pandemic will cost SMEs an extra £173,000 in debt per year.

This is resulting in a lack of lending options for both consumers and businesses, as well as expensive or high-interest loans, or worse, rejection by lenders altogether. This in turn is driving unaffordable lending, and penning consumers and businesses into an ongoing and irresolvable debt cycle – at a time when they need the most support.

One of the biggest causes of this lies in lenders relying on credit scores and credit bureau data to inform their decisions, which simply aren’t accurate enough to truly get the full picture of a borrower’s financial situation.

The case for using Open Banking data in lending decisions has never been stronger.

Data accessed through Open Banking permits lenders to retrieve accurate information about the borrower’s financial history. This can provide more accurate assessments, and therefore enable fairer lending decisions.


Credit scores aren’t helping consumers

Take NHS workers as an example. Despite working tirelessly throughout the pandemic, NHS workers make up a sizable portion of the UK adult population currently struggling with debt.


An independent report from the University of Edinburgh Business School, in partnership with Salad Projects, found NHS workers are heavily reliant on long-term overdrafts and high-cost credit, where APR is as high as 1,333%. Almost all (93%) respondents said they use one or more types of credit or loan, compared with 75% in the wider UK population (according to the Financial Lives Survey). More than half (58%) use up to three loan providers and 68% use up to four loan providers.

This situation is the result of relying solely on credit scores. While these are the near-universally accepted method of determining credit terms, each credit reference agency has a different method for calculating a credit score. They rely solely on financial history, such as whether a consumer has previously defaulted or failed to get credit, and not on the consumer's actual financial position, such as whether they have recently received a pay rise or new income, to judge how likely they are to pay back any money borrowed. This can mean that, even if a consumer's financial position has changed, they can't get a better loan because of a previous discrepancy.


The challenges facing SMEs

These issues are not just limited to consumers. SMEs, particularly those in the hardest hit industries like hospitality and travel, have struggled to access credit throughout the pandemic.

While many may have been thriving pre-pandemic, their lack of ability to turn a profit during lockdowns, meant they needed extra support. In an effort to keep these industries alive, we saw numerous government backed loan schemes launched, such as the Bounce Back Loan Scheme, to help struggling businesses survive. In total, these schemes have provided almost £180 billion worth of lending to date, supporting over a quarter of businesses in the UK.

However, the soaring demand from businesses in need of these vital funds meant lenders were unable to keep up and many businesses did not receive support quickly enough. What’s more, providers may register these types of loans with credit reference agencies, which means companies that previously had strong credit ratings may see their credit scores negatively affected by any delayed or missed repayments.

This is why it’s vital for lenders to get lending limits right the first time round, so SMEs can avoid potentially adding to their already growing list of debt and thrive in a post-pandemic world.


Enhancing lending with Open Banking 

Using Open Banking can add a much-needed layer of trust and loan personalisation for businesses and individuals. By basing credit decisioning on real-time financial data, lenders will be able to build a more accurate picture of the borrower's financial situation, and so make fairer credit offers.

Through adopting Open Banking principles, lenders will be able to onboard new customers and grant loans more efficiently, providing businesses with the cashflow required to maintain their workforce and support the economy.

With the borrowers' consent, it will also give lenders oversight into how the economy is recovering, and enable them to monitor the rate at which an individual or business can be expected to repay the loan, meaning they can step in and provide extra support if and when required.

Open Banking provides what credit scores alone simply cannot – real-time insight into an individual's or a business's financial position right now, not three to six months ago. By leveraging the data that is readily available to them, lenders could achieve far better and more responsible outcomes. This will reduce the risk of loan default – for both businesses and individuals – and lead to more responsible lending decisions that can help people and businesses bounce back after what has been a difficult year.

BRAND CONFIDENCE: HOW HAS OPEN BANKING EVOLVED AND DO CUSTOMERS TRUST IT?

By Geoff Boudin, Director at Revive Management


The open banking industry is growing by 24% year-on-year, and is expected to be worth more than £31 billion by 2026. The 2018 Payment Services Directive, known as PSD2, was implemented to boost competition in the name of open banking. The directive set out to make payments more secure by requiring banks to share the data of customers who authorise it with third parties. This allows customers to share their financial information with authorised service providers such as budgeting apps and other third-party money management tools. It was initially called for by the Competition and Markets Authority (CMA) to level the financial playing field and empower consumers by giving them more ownership over their financial data. So, two years on, what impact is open banking having on consumers? Do they trust it? If so, how can brands build on this trust to offer a more personalised yet non-intrusive experience that delivers the data to further improve their service offering?


What difference has open banking made?

Prior to PSD2, which came into force on 13 January 2018, banks had full authority and jurisdiction over their customers’ financial data. The idea of a bank giving up some of that data to a third party for the benefit of their customers was unheard of. This closed ecosystem, however, runs against the drive towards digital openness, connectivity and convenience. Our digital worlds were opening up and data was becoming democratised, and banks were being left behind. Challenger banks such as Monzo and Atom, which embraced innovative new apps and features, had been making headway for years, and there was a sense that third-party customer-focused innovation was rumbling away under the surface. However, that innovation was stifled until PSD2 laid a path for it, requiring banks to open up access to customers’ data at their behest.

It's thanks to PSD2 and open banking that customers are now able to connect their bank account to a third-party app that can help them better manage their money, or sign up to a platform that allows them to access all of their accounts and credit facilities in one place. This allows customers to control their finances as never before.


Driving innovation

Empowering and improving the customer experience is one great achievement of open banking. Another is the innovation it has prompted across the entire financial sector. Even a traditional bank like HSBC prepared for PSD2 by rolling out its own 'Connected Money' app, which allowed its customers to view data from all of their bank accounts – as well as mortgages, loans and credit cards – in one place. This value-add to the customer experience probably wouldn't have seen the light of day if not for the competition spurred by PSD2 and open banking. Many other banks and financial services providers have followed suit, offering new customer-centric features based around convenience, visibility and control.

Open banking is a huge step forward in the financial world. So why do some still liken it to a sleeping giant? What’s holding it back?


Managing trust and data security

More than 2.5 million consumers in the UK are now happy to connect their accounts to trusted third parties in exchange for some value-added benefit. That's up from 1.5 million in 2020, no doubt driven by the competitive innovation brought about by PSD2. However, open banking adoption across the rest of Europe seems to have been much slower, and even growth here in the UK is beginning to plateau. While some might blame this on Brexit-induced regulatory changes, such as UK firms no longer being able to use the EU's certification standards to share customer data after June 2021, there is much more at play.

A Europe-wide survey by thinktank ING polled 13 countries – including the UK – and found that only around 30% of consumers were happy for companies to share their data even after they had given consent. What’s more, only 35% of those polled had even heard of open banking capabilities. This points to issues surrounding data security, trust and awareness – all hurdles that can be overcome by banks, financial services providers and fintech innovators.

To make the most of open banking, banks will have to innovate and forge fintech partnerships with companies using their data sets. That will enable them to enhance existing products and leverage new fintech products being created with their data which will, in turn, benefit their customers.

This process of innovation has already largely begun, but if brands are to take full advantage of all that open banking has to offer, they still need to bridge the trust gap with consumers. We see consumer education, especially in the field of security, as having a key role to play in building confidence and consequently optimising uptake of open banking.
