HOW DOES PCI DSS IMPACT BANKING AND BANKING APPLICATIONS?

– Narendra Sahoo is a director of VISTA InfoSec

 

Over a million people across the globe become victims of cybercrime daily. More alarming still, despite the numerous precautionary measures organizations take, attackers keep evolving and use advanced techniques to break into systems and gain access to critical data. You therefore have every reason to worry about the confidentiality of your business-critical and customer data. Over the years, research reports on cybercrime have consistently found that a large share of data breaches involve debit and credit card data. This is why PCI DSS was created (the first version was published in 2004) and why the PCI Security Standards Council (PCI SSC) was formed in 2006 to administer it, with the aim of strengthening information security and protecting cardholder data.

 

About PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard administered by the PCI Security Standards Council. It was established by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to safeguard debit and credit card data. The Standard covers the security management, policies and procedures, network architecture, software design and other protective measures an organization has in place for cardholder data. Its purpose is to ensure that organizations that accept, process, store or transmit payment card information maintain a secure environment, protecting consumers and merchants alike. Put simply, PCI DSS applies to any organization that stores, processes or transmits cardholder data from any card carrying the logo of one of these brands. PCI DSS compliance is not in itself a legal requirement but a form of industry self-regulation: organizations that process card payments agree contractually, through the card brands and their acquiring banks, to comply with the PCI requirements.

 

Implications of PCI DSS for the Banking and Financial Industry

Banks that issue Visa, Mastercard, American Express, Discover and JCB cards are contractually required to comply with the Payment Card Industry Data Security Standard (PCI DSS). More broadly, any entity that handles cardholder data from one of these five major card brands is required to comply with the PCI DSS requirements. Those requirements oblige every contractually bound entity to govern and secure consumers' payment card data throughout its lifecycle.

Financial institutions, including issuing banks (banks that provide credit and debit cards to consumers) and acquiring banks (financial institutions that hold merchants' accounts, receive payments through the card processors and deposit funds on behalf of the merchants), as well as the merchants and service providers that process transactions under contracts with the five card brands, must ensure the protection of cardholder data. The obligation does not depend on transaction volume: an organization that processes only a handful of card transactions a month is still expected to be PCI compliant. Likewise, a company that outsources card processing to a third-party payment processor remains responsible for its own compliance; using a compliant service provider can reduce the scope of the assessment, but it does not transfer the obligation. PCI DSS gives banks and other financial institutions clear requirements for preventing data theft and loss, detecting security incidents, and responding to a data breach.

 

Fines and Penalties for Merchants and Banks on Non-Compliance

When a data breach occurs, the card brands investigate the merchant's level of PCI DSS compliance and also assess how well the acquiring bank enforced PCI DSS on that merchant. Based on the findings, fines are levied on the acquiring bank, which in practice passes them on to the merchant, either directly or through higher transaction fees and service charges. Reported fines range anywhere from $5,000 to $100,000 per month, depending on the size of the merchant's business and the degree of non-compliance. Repeat violations attract additional fines at the discretion of the acquiring bank, and fines may be revised and increased over time until the merchant is deemed compliant. If the merchant still does not become compliant, its ability to accept card payments may eventually be revoked.

 

PCI DSS Security Testing Requirements for Banks

PCI DSS sets stringent norms that banks must follow diligently to stay compliant. Under the Standard, banks are required to perform regular security testing and to remediate what it finds, so that cardholder data remains secure. The security tests banks are expected to conduct include the following:

  • Run controlled attack simulations (penetration tests) against the bank's network, endpoints and web applications to confirm that they withstand the techniques a real intruder would use.
  • Test applications for known vulnerability classes such as SQL injection, OS command injection, cross-site scripting (XSS) and broken authentication (PCI DSS Requirement 6.5), through both code review and dynamic testing of the running application.
  • Scan for authorized and unauthorized (rogue) wireless access points at least quarterly (Requirement 11.1), and run internal vulnerability scans and external scans by an Approved Scanning Vendor (ASV) at least quarterly and after any significant change (Requirement 11.2).
  • Perform penetration testing of networks and applications at least annually and after any significant change to the infrastructure or application (Requirement 11.3). The aim of a penetration test is to find exploitable weaknesses and attempt to chain them to gain further access at both the application and network level. The test must cover the entire perimeter of the cardholder data environment (CDE) and its critical systems, and where network segmentation is used to reduce scope, the segmentation controls themselves must be tested.
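As an added example (not from the article or from VISTA InfoSec), the following Python script shows the kind of check a tester runs to find the first vulnerability class in the list above, SQL injection in an authentication query. It builds a constructed in-memory SQLite table, implements the same login query twice (string-concatenated versus parameterised) and probes both with common injection payloads; only the concatenated version authenticates an attacker who knows no valid password. The table, credentials, payload list and function names are assumptions made for the illustration.

```python
"""Added example: probing a login query for SQL injection.

Not part of the original article. The users table, the credentials and the
payload list are constructed test data, not taken from any real system.
"""
import sqlite3


def make_db():
    """Constructed in-memory database with a single known user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string formatting, so input becomes SQL syntax.

    This is the defect a PCI DSS Requirement 6.5 review is meant to catch.
    """
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_hardened(conn, username, password):
    """Binds input as parameters; the database never parses it as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Typical authentication-bypass payloads (assumed list for this example).
PAYLOADS = [
    "' OR '1'='1",        # tautology appended to the comparison
    "alice' --",          # close the string, comment out the rest
    "alice' OR 1=1 --",   # tautology plus comment
]


def probe_login(login_fn):
    """Return the payloads that authenticate without a valid password.

    Each payload is supplied as both username and password, which is how a
    dynamic scanner would exercise every input of the login form.
    """
    conn = make_db()
    hits = []
    for payload in PAYLOADS:
        try:
            if login_fn(conn, payload, payload):
                hits.append(payload)
        except sqlite3.Error:
            # A syntax error on a quoted payload is itself worth reporting
            # in a real test; here only outright bypasses are counted.
            pass
    return hits


if __name__ == "__main__":
    print("vulnerable login bypassed by:", probe_login(login_vulnerable))
    print("hardened login bypassed by:  ", probe_login(login_hardened))
```

The probe deliberately does not try to confirm the bug by reading data; for a PCI DSS test an authentication bypass is already a reportable finding, and the fix is the parameterised form, not input filtering.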

 

Conclusion 

Most financial organizations find it challenging to meet the security testing requirements of PCI DSS. That said, the majority of Indian banks and the wider payments industry have been complying with the PCI DSS policies and requirements and treat the Standard as a priority. They have embraced it by establishing service provider and merchant compliance programmes and by setting up frameworks for risk assessment and for security testing at both the network and the application layer. Failure to comply with the Standard carries severe consequences: loss of trust and credibility, and potentially a hefty penalty.

 

Author Bio: Narendra Sahoo is a director of VISTA InfoSec, one of the foremost companies in InfoSec compliance, assessment and consulting services, providing vendor-neutral services in areas such as PCI DSS consulting and certification, PCI PIN, SOC 2, GDPR, HIPAA, MAS TRM, PDPA, PDPB, VA/PT, web and mobile application security, red team assessment, etc.

 


WHAT STRATEGIES CAN BANKS USE TO COMPETE WITH NEW DIGITAL PLAYERS?

Banks are experiencing a gradual loss of their monopoly, due to the arrival of new players born from digital transformation. To face these new challenges, banks need to develop new strategies in order to compete with this developing market, says Professor Catherine Karyotis from NEOMA Business School.

The development of technology and the subsequent introduction of open banking systems, payment automation and instant payments has meant that there have been many upheavals within the banking community that require drastic transformations.

One of the biggest competitors for traditional banks is the neobank: a financial technology firm that offers internet-only services and has no physical branches. Neobanks appeal to consumers who don't mind doing most of their money management through a mobile app.

But how can traditional banks compete with these direct banks that operate exclusively online?

“In order to contend with these new platforms, traditional banks must adapt in order to stand out and capitalize on the trusted relationships that have been established between them and their customers,” says Professor Karyotis.

Therefore, banks must focus more on their customers to continue offering an added value to them in order to have the edge on these digital players. It is about understanding consumers and thinking about their behaviour in order to respond to them in the best way possible.

“A new type of customer relationship needs to be established and the sources of value creation need to be revised to improve customer experience. To be customer-centric is to put the customer, and not the product offer, at the center of the company’s concerns,” says Professor Karyotis.

The traditional banks’ appeal is disappearing. They need to reinvent themselves, innovate in their economic models and/or partner with the new entrants, emphasizing the knowledge and skills that are built on trust. To accomplish this, their employees must capitalize on their social skills too.

 


BANKS SHOULD NOT TAKE DATA PRIVACY FOR GRANTED IN THEIR BREXIT TRANSITION PLANS

Rich Vibert, CEO and Co-founder, Metomic

 

UK banks are not as prepared as they should be for Brexit. This is unsurprising given the political wrangling, the challenges posed by COVID-19 and the daunting prospect of a double-dip recession. However, with less than three months to go, banks and financial services businesses need to get a firm grip on the impact Brexit will have on their customers’ data privacy, and fast.

We need to talk about data privacy in finance

Before diving into the nuances of post-Brexit data protection, the challenges banks currently face when it comes to data privacy must be addressed. A glaring 62 percent of the data breached last year came from the financial services sector, according to Bitglass. Even more worrying, an Accenture report from March revealed that one-third of financial organisations lacked a clear plan or resources to address privacy risks related to customer data. This is a worrying starting point and Brexit will only bring more challenges as data protection regulation will evolve.

What’s behind a post-Brexit data protection law

Data protection in the UK is currently subject to the EU’s General Data Protection Regulation (GDPR). But once the Brexit transition period ends, organisations in Britain will fall under a UK data protection law that is still to be announced. Thankfully, there is a large chance that the UK will incorporate GDPR principles into its own law, but uncertainty and confusion still remain. And should new local measures be implemented, banks will need to move quickly to become compliant.

However, even with a GDPR-based compliance framework in place, challenges will remain. One of these is ensuring banks are able to transfer data to other European countries; this is important as a quarter of the financial services sector’s annual revenue currently comes from business related to the EU. Financial organisations must also consider the potential consequences of a no-deal Brexit. The UK government has declared it is willing to reach an adequacy agreement, maintaining a free flow of data between countries. However, given the current stalemate, financial institutions should not take that as a given. In a worst-case scenario, a no-deal outcome could leave UK businesses sending data to the EU in 2021 and simply not getting it back. This is not acceptable for a sector that depends on constant transfers of sensitive information such as credit scores. Unpicking the mess will require the investment of time and funds that many businesses can ill afford.

 

Customer data at risk, reputation at risk

UK citizens are already wary of the way their data is being treated. The government’s acknowledgment that the UK track and trace system wasn’t GDPR compliant and the privacy concerns around the COVID contact tracing app are just a few examples that have damaged citizen trust. As such, they need to be reassured that post-Brexit their data will be treated in the right way, not only by the government but by financial institutions. This matters especially because data breaches are proven to compromise corporate reputation: 49% of customers would not sign up to a service that has suffered a data breach, according to Ping Identity. This has to be addressed if banks are going to survive and ensure that customer trust is maintained.

 

A privacy-first mindset for banks

While the future of data regulation in this country remains in flux, we know that privacy and data protection is top of mind for consumers. To maintain the trust and loyalty of their customers, financial services organisations must think ahead and be prepared for any outcome. Fundamentally, this is more about a change of mindset than it is about exorbitant costs. Your ultimate goal should be to deploy a privacy-first approach across the business. This means putting the customer at the heart of your strategy and investing in technology that will help you have clear and continuous visibility over what is happening to all customer data – from transactions to investments.

Fortunately, simple mechanisms can be put in place to help businesses achieve this. For example, there are solutions that allow businesses to embed data protection rules and protect sensitive data within their IT infrastructure. This puts compliance on auto-pilot, minimising risk. These are the types of investment that banks should be making now, as they will save them thousands of hours per year of auditing and developing data management processes.

Data privacy can no longer be treated as an afterthought. The financial services firms that embrace a privacy-first mindset starting now will be better prepared to protect their customers’ data, and therefore preserve trust and their own reputations, regardless of the Brexit outcome.

 
