Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, CRISC) is the Founder and Director of VISTA InfoSec.
More often than not, when software developers design platforms for digital payments they are unaware of why and how the applications will be used to handle cardholder data (CHD). On the other hand, most merchants do not know whether these applications store CHD. The result is unencrypted data storage and exposure to a range of cyber threats. Some merchants may have to store cardholder data for payment processing, transaction history, or recurring billing; it is important that the developer is aware of such requirements and designs the application with the security measures needed to handle such data safely. To address these issues, the PCI Security Standards Council, with the support of the major card brands, developed the Payment Card Industry Data Security Standard (PCI DSS).
The Standard is a widely accepted set of requirements that ensures the security of sensitive cardholder data and protection against evolving cyber threats. PCI DSS requirements apply to all entities that store, process, or transmit cardholder data. They clearly state that cardholder data may be stored only for a “legitimate legal, regulatory, or business reason.” Businesses that have such a reason must understand the PCI requirements and know what measures they must take to protect that data. This article explains in detail the PCI rules that vendors and merchants must follow when storing sensitive credit card data, starting with the PCI guidelines for data retention.
PCI Guidelines for Data Retention
Merchants must avoid storing cardholder data unless they have a legitimate legal, regulatory, or business reason to do so. Data classified as Cardholder Data (CHD), which includes the 16-digit primary account number (PAN), cardholder name, service code, and expiration date, may be stored provided it is protected. Sensitive Authentication Data (SAD), however, must not be stored after a transaction is authorized, even in encrypted form. SAD includes the full magnetic stripe data from the back of the card, the equivalent data on the EMV chip, the CVV, the PIN, and the PIN block. SAD is extremely valuable and must be protected at all costs, because it allows an attacker to commit fraud in both card-present and card-not-present environments.
To ensure maximum protection of sensitive data, merchants should develop a data retention and storage policy that strictly limits the amount of data stored and the retention time to what the business, legal, and/or regulatory requirements demand. Merchants must also implement the applicable PCI DSS requirements and ensure the general protection of the cardholder data environment.
| Category | Data element | Storage permitted | Protection required |
| --- | --- | --- | --- |
| Cardholder Data | Primary Account Number (PAN) | Yes | Yes |
| Sensitive Authentication Data | Full magnetic stripe data | No | N/A |
Source – PCI SSC
What does PCI say about Data Storage?
Requirement 3 of the PCI DSS sets out the controls for protecting stored cardholder data. It applies only if the merchant stores cardholder data; merchants who do not store it eliminate the primary target for attackers and are therefore better protected. Merchants who have a legitimate business reason to store cardholder data need to understand which data elements PCI DSS allows them to store and what measures they must take to protect them. For a better understanding of PCI DSS Requirement 3, let us take a closer look at the PCI rules for the storage of data.
PCI Rule for Storage of cardholder data
PCI Requirement 3 provides guidelines for protecting stored cardholder data and comprises multiple sub-requirements that merchants must understand and follow. Merchants responsible for securing cardholder data must know the requirements and the differences between Account Data, Cardholder Data, and Sensitive Authentication Data. Account Data is all the data held on a payment card; Cardholder Data (CHD) includes the 16-digit PAN, expiration date, and cardholder name; and Sensitive Authentication Data (SAD) includes the full track data from the magnetic stripe, the CVV, the PIN, and the PIN block. SAD must not be stored after authorization; the only exception is storage by issuers for testing and error correction. Storage of cardholder data should be limited to what is necessary to meet legal, regulatory, or business needs. The PCI rules are set out below with a detailed explanation of each requirement and what merchants are expected to do to protect stored cardholder data.
PCI Rule 3.1 – Keep Cardholder Data Storage to a Minimum
PCI DSS requirement 3.1 states that cardholder data storage must be limited to what is necessary for legal, regulatory, or business needs. Entities must develop data retention and secure deletion policies and, at least quarterly, identify and securely remove any cardholder data that exceeds the defined retention period. A data discovery tool may be used to locate such data, and entities must define the procedures for deleting it securely once it is no longer needed.
PCI Rule 3.2 – Do Not Store Sensitive Authentication Data After Authorization
PCI DSS requirement 3.2 states that Sensitive Authentication Data (SAD) must not be stored after authorization, even if it is encrypted. It must be deleted immediately after the authorization process and rendered unrecoverable. SAD includes the full track data, CVV, and PIN data, all of which are extremely valuable to attackers: unauthorized access to them enables fraudulent transactions in both card-present and card-not-present channels. Only payment card issuers, or entities with a legitimate business need related to issuing services, may store SAD.
PCI Rule 3.3 – Mask the Primary Account Number (PAN) When Displayed
PCI DSS requirement 3.3 states that the PAN must be masked whenever it is displayed. The PAN is the 16-digit number printed on the front of the card. At most the first six and last four digits may be shown; only personnel with a legitimate business need may see more than that. The entity must establish a policy and procedure that ensures the PAN is always displayed in masked form.
PCI Rule 3.4 – Make the PAN Unreadable Wherever It Is Stored
PCI DSS requirement 3.4 states that any PAN that must be stored is rendered unreadable wherever it is stored. The PCI DSS explicitly lists acceptable methods: hashing, truncation, index tokens and pads, and strong cryptography. Hashing replaces the stored PAN with a one-way hash of the full PAN. Truncation removes a segment of the PAN so that only the last four digits are retained. An index token replaces the PAN with a token that points to the record where the real value is held, or combines the plaintext with a securely stored random key or pad so that the stored value is unreadable on its own. Strong cryptography uses an encryption algorithm, with managed keys, to render the plaintext unreadable. A PAN rendered unreadable in one of these ways is of little use to an attacker who obtains the stored data but not the key or pad.
PCI Rule 3.5 – Protect the Keys Used to Secure Stored Cardholder Data
PCI DSS requirement 3.5 covers the use of cryptography and requires entities to protect encryption keys from disclosure and misuse. Encrypted data can be decrypted by an attacker who gains access to the keys. Keys must therefore be strong, stored in the fewest possible locations and forms, and accessible to the fewest possible custodians. When securing keys, entities must consider both external threats and internal threats from employees. Entities are also expected to document their cryptographic architecture: all algorithms, protocols, and keys used to protect cardholder data, including key strength and expiry date; a description of each key's usage; and an inventory of any HSMs and other SCDs used for key management.
PCI Rule 3.6 – Document and Implement All Key Management Processes and Procedures for the Keys Used to Encrypt Cardholder Data
PCI DSS requirement 3.6 states that entities must build a key management program and document every aspect of it, including the processes, procedures, and implementation for the keys used to encrypt cardholder data. This covers the secure generation, distribution, and storage of cryptographic keys, and policies that require a key to be changed at the end of its cryptoperiod or when its integrity is compromised or weakened. A sound key management process, whether manual or automated as part of the encryption product, should be based on industry standards so that all the elements of requirement 3.6 are addressed.
PCI Rule 3.7 – Security Policies and Operational Procedures Are Documented and Communicated to All Affected Parties
PCI DSS requirement 3.7 states that entities must have security policies and operational procedures that are not only documented but also communicated to everyone involved in protecting cardholder data (CHD), and that are enforced and followed. Policies and procedures must not exist merely for the sake of an audit: entities must ensure that employees understand them and are aware of their responsibility for protecting CHD.
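The PAN discovery sweep of Rule 3.1, the display masking of Rule 3.3 and the truncation of Rule 3.4, as an added Python example that is not part of the original article nor any PCI SSC or VISTA InfoSec tooling. The log lines, record dates and all function and field names are constructed for illustration; the 16-digit numbers are well-known Luhn-valid test card numbers, not real accounts.

```python
"""Helpers for PCI DSS Requirement 3 (added example, not PCI SSC code):
PAN discovery in free text (Rule 3.1 data discovery), display masking
(Rule 3.3), truncation for storage (Rule 3.4) and a retention sweep
(Rule 3.1). Function and field names are assumptions for this example."""
import re
from datetime import date, timedelta

# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check: true for every genuine PAN, false for most other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Rule 3.3: show at most the first six and the last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Rule 3.4 truncation: keep only the last four digits for storage.
    The full PAN must not be kept alongside the truncated value."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a PAN-length digit string")
    return digits[-4:]


def find_pans(text: str) -> list:
    """Data discovery: Luhn-valid PAN-length digit runs in logs or exports."""
    found = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Replace each Luhn-valid PAN with its Rule 3.3 masked form before the
    text reaches a log or ticket; other digit runs are left untouched."""
    def replace(match):
        digits = re.sub(r"\D", "", match.group())
        return mask_pan(digits) if luhn_valid(digits) else match.group()
    return PAN_CANDIDATE.sub(replace, text)


def records_past_retention(records, today, retention_days):
    """Rule 3.1 quarterly sweep: ids of stored records older than the
    retention period, which must then be securely deleted."""
    cutoff = today - timedelta(days=retention_days)
    return [r["id"] for r in records if r["stored_on"] < cutoff]


# Constructed sample input: two Luhn-valid test numbers, one mistyped
# number that fails the Luhn check, and a phone number that is too short.
SAMPLE_LOG = (
    "2021-06-01 order=10023 pan=4111 1111 1111 1111 status=approved\n"
    "2021-06-01 order=10024 pan=4111111111111112 status=declined\n"
    "2021-06-02 order=10025 phone=+44 20 7946 0958 ref=5555555555554444\n"
)
SAMPLE_RECORDS = [
    {"id": "txn-1", "stored_on": date(2020, 1, 15)},
    {"id": "txn-2", "stored_on": date(2021, 5, 20)},
]
SAMPLE_TODAY = date(2021, 6, 30)

if __name__ == "__main__":
    print("PANs found:", find_pans(SAMPLE_LOG))
    print(redact_pans(SAMPLE_LOG), end="")
    print("past retention:", records_past_retention(SAMPLE_RECORDS, SAMPLE_TODAY, 365))
```

A mistyped number that fails the Luhn check is deliberately left alone by the redactor, so a production discovery tool should still report such near-misses for manual review.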
These rules are the direct controls for stored card data. Other controls also apply, such as network controls, hardening requirements for in-scope assets, and Requirement 10 of PCI DSS, which mandates logging and reporting of all access to card data.
Merchants and payment application developers must both be aware of the requirements and understand how and why their digital payment solutions handle cardholder data (CHD). They must also establish strong security measures to protect stored cardholder data as required by PCI DSS. To fulfil Requirement 3, we strongly recommend that merchants reduce their PCI scope by streamlining the card data flow, storing only the data that is necessary, and implementing network segmentation to reduce the risk exposure from the rest of the network.
HOW MERCHANTS CAN IMPROVE THE ONLINE PAYMENTS EXPERIENCE
By Alan Irwin, Senior Director of Product at Global Payments UK
The dramatic increase in online shopping over the past 18 months has encouraged many businesses to invest in developing their omnichannel shopping experiences. The reasons vary – some are keen to capitalise on the trend of older shoppers migrating towards ecommerce and some are trying to make up for loss of sales in brick-and-mortar stores during the pandemic. It is also true that many businesses are shifting their models to sell direct to consumers to avoid high marketplace fees and are therefore building their ecommerce channels for the first time.
The checkout experience is arguably the most important and delicate part of the ecommerce transaction, as it can make the difference between a happy customer likely to return, and a shopping cart abandoned out of frustration and confusion. A survey from March 2020 suggested that 88% of online shopping orders were abandoned, i.e. not converted into a purchase. A seamless, customer-centric online payment experience is therefore critically important in ensuring completed transactions. But with so many payment providers available, what should businesses be looking for when trying to keep friction to a minimum?
Keep clicks to a minimum
Less touchscreen interaction equals less abandonment. Adapting the payment page to fit any device and supporting popular mobile digital wallets like Google Pay ensures a seamless, stress- and hassle-free checkout experience for the customer and keeps clicks to a minimum. Friction can present itself in the most minor features – for example, when the customer is navigating the payment form, the appropriate keypad should be shown to the customer when required. It’s much easier to enter a card number using the dial pad instead of switching between QWERTY keypad layouts.
Simplifying online forms with autofill and tokenisation also significantly reduces friction at checkout and shortens the time taken. Ensuring checkout forms are tagged correctly for “autofill” is a great way to offer customers a single click to input the payment, shipping, and billing data they have stored in their browser profile. Similarly, offering a guest checkout option will help convert customers who are in a hurry or looking for a one-off purchase. Repeat and one-click purchases can also be sped up by offering to store the payment details (called ‘tokenisation’).
Make it easy to understand
A tailored payments approach can increase both domestic and international sales. By offering a checkout experience in the customer’s language, the option to pay in their currency of choice, and their preferred method of payment (whether it’s PayPal, Alipay or card), businesses can build loyalty quickly and put customers at ease. It is equally important for merchants to always display simple directions and information about the next steps, to instil confidence and prevent customer drop-off. The customer should be informed of what is happening at every stage of the process, for example whether they will proceed to SCA (Strong Customer Authentication) next or go straight through to completion.
In addition, validating forms in real time means merchants can highlight potential errors to the customer early on, and payment providers should offer this functionality. The error could be an invalid expiry date, an incorrect digit in the card number, or a CVV that does not match the format for the card type. When issues are only flagged at the end of the process, the customer is forced to go back through the steps to find the error. Real-time signposting of problems removes this friction and reduces the likelihood of a declined transaction.
Ensure seamless security
Merchants should work with a payment partner who offers the right blend of security and compliance management without it coming at a cost to the end-to-end checkout experience for the user. Instilling trust and security in your checkout flow while utilising the right solutions to drive seamless authentication flows will increase customer confidence and help prevent drop-off.
The greatest level of security and control comes from either utilising hosted payment fields that the merchant can natively integrate into their checkout flow, or a hosted payment page where they can manage the look and feel. Showcasing your brand on the checkout page with trust signals and logos also adds to building trust with the customer.
Staying ahead of regulations is also important. Strong Customer Authentication (SCA) will soon be mandatory in the UK for all eligible digital transactions, and it does not have to be a friction-filled process. Tools like Transaction Risk Analysis (TRA) and an Exemption Optimisation Service (EOS) can quickly score transactions and apply exemptions where the transaction’s risk profile allows.
The devil is in the details
These three rules for successful ecommerce checkout experiences may seem straightforward, but it is important to apply them at a micro level. It can take only one minor point of friction to cause a customer to abandon their cart, and this will inevitably be replicated across other similar customers. It is critical to identify friction points early on and anticipate customer needs throughout the process. Discussing these points and any opportunities to improve customer checkout experience with your ecommerce team and payment provider is an important first step towards ensuring your entire shopping experience remains competitively seamless and loyalty is won. It may be that your payment provider cannot address them, in which case it could be time to move on in order to stay competitive.
NAVIGATING FINANCIAL SERVICES IN 2021: LOW-CODE TO THE RESCUE
Nick Ford, Chief Technology Evangelist, Mendix
Financial services are the poster child of great digital transformation: today, Britons can pay from their watches, check their balance directly from their phone at any time and even automate trading. This level of innovation isn’t only about customers: traders are able to operate faster than ever before thanks to better predictive analysis and forecasting tools, and finance teams are able to collaborate from anywhere in the world.
While we embrace all this innovation, it’s easy to forget that the reality of the sector is incredibly complex. The radical changes induced by COVID-19 have highlighted how challenging maintaining innovation today really is, while putting more pressure on IT teams to accelerate the digital transformation of the sector even further.
On top of this, the sector is one of the most affected by Brexit. Mendix’s Navigating the UK Landscape research found that businesses in the financial services sector have serious concerns about the impact of Brexit on their industry. Many believe that Brexit has damaged the reputation of the UK as a centre of finance (67%) – as well as creating functional challenges for businesses in the country.
Many financial services organisations are turning to technology, and specifically low-code, to deal with these challenges. This piece will look at how firms in the sector can use low-code to navigate the new world.
A sea of challenges
Financial services are complex: there are thousands of products to choose from, from savings to investment and mortgages. These services are then managed by lots of different companies, creating an additional level of complexity: banks, fintechs, brokers, wealth management specialists, government bodies… the list goes on. To add yet another layer, there’s a network of regulations, which change over time, forcing IT leaders to constantly keep on top of the latest evolution in the sector. Knowing these is only the first step: every time new laws are implemented, the sector needs to adjust to them, and that can mean anything from revising security protocols to radically changing the way information is processed, transmitted or audited.
This may already look complicated, but the real complexity starts underneath, in the processes that IT manages to keep the company operating as normal. It would be fair to say that the mission of financial IT leaders is often underrated: they deal with antiquated systems dating back decades, inadequate data management processes and minute security and compliance considerations every day, simply to keep the business afloat. Add to this the need to get all staff working remotely during the lockdown, and the already time-poor IT leaders are now completely swamped.
Brexit also makes things difficult for financial services organisations. Two thirds anticipate costly and complicated processes for crossborder payments and investments, while 59% believe it will be harder to attract foreign investments. Ultimately, 61% admit they will no longer be able to support some of their customers because of the transition.
Tech as a raft
While the sector is mired in complex processes and inadequate tools, it also needs to deal with a major challenge: fierce competition for tech-savvy customers. Now, all banks, investment firms and wealth management companies are investing in tech to help them cope with new customer demands for easier access to their capital and increased transparency. Two thirds have deployed digital projects to make the business more flexible as a result of Brexit, with data management (62%) and digital processes (62%) particular focal points.
And this is not just about pleasing digitally minded customers: it’s also about improving productivity and operational efficiency, harnessing data, and solving compliance challenges. This balancing act between priorities is gathering pace and spreading across the business: today, IT teams must deliver innovation that’s fast, reliable and secure, and that supports many divisions — all at once. It’s a big challenge, but it’s one that IT leaders are willing to tackle head on: two thirds of IT leaders believe the value of digital transformation initiatives outweighs their inherent risk. Yet, IT leaders know that rushing would be a mistake: although IT teams face high demand for their support, most would not prioritise speed over caution, even if they could innovate faster. This measured pace ensures that financial organisations are delivering the right solutions at the right time, reducing the risk of service disruption and security challenges.
Low-code to the rescue
To manage all these priorities, IT needs to look beyond its own team to create revenue-generating services that truly answer clients’ needs, and it needs to empower all developers with the right tools to do so. This improves collaboration between IT and customer-facing staff in designing services that suit the customer base, while reducing the pressure on an already stretched IT team. Enter low-code: most leaders (58%) say that low-code has enabled the development of new applications to support their companies post-Brexit.
One example is a financial institution that considered its digital user experience lacking and used low-code to deliver a new user experience for its portal and its consumer and wholesale digital services. It was able to do this in just eight months, providing numerous benefits to stakeholders.
Low-code software development provides a simple solution to address these constraints and challenges: based on a visual approach for building applications using drag-and-drop components, it enables non-technical staff to participate in creating business applications, even if they have little to no coding experience. Working separately or in close collaboration, professional developers and business-side “citizen developers” can create, iterate, and release applications in a fraction of the time it takes with traditional methods, all under the watchful governance of IT to ensure their applications comply with enterprise standards and architecture.
A low-code approach allows for flexible, iterative app development for many use cases in the financial services sector, including legacy application upgrades to comply with new regulations, apps supporting smart banking or portfolio management, and mortgage application management. With low-code, the financial services industry has the right tools to untangle its complex processes, simplify its evolution and focus on its core mission: keeping the economy thriving.