What should you know about PAN data in PCI DSS?

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, CRISC) is the Founder and Director of VISTA InfoSec

Introduction

PAN, or Primary Account Number, is highly sensitive data that is used whenever a payment is made online or at a terminal. Customers share it with the merchants from whom they buy products or services, and they expect those merchants and the financial institutions behind them to protect it and prevent it from being compromised. Many merchants have a legitimate business reason to store cardholder data, so for them storing the PAN is a necessity. But storing PAN data carries real risk for a business's network security. Over the years businesses have kept this data on their servers for easy and quick access without appreciating the risk it holds and the impact a breach would have on the business.

In fact, most of the data breaches that have occurred over the years stem from unencrypted PAN data stored on merchants' or service providers' servers. Although the PCI Council clearly states that PAN data should not be stored, most merchants still keep it on their network for consumer convenience. Storing customers' PAN data increases the security risk and also widens the scope of PCI DSS compliance. So, unless a business has a legitimate commercial reason to store PAN data, it should not store it. To cover this in more detail, we share below what businesses must know about PAN data and PCI DSS to ensure compliance. But first, let us define the term PAN data.

What is PAN Data?

PAN data is the 15 or 16 digit number on the front of a debit or credit card, also known as the Primary Account Number or payment card number. It is printed or embossed on the front of the card. The customer presents the PAN to the merchant at the Point of Sale (POS) when paying, and the number identifies both the issuing bank and the cardholder's account. Customers making an online purchase share the PAN to pay, and merchants use it to process the payment.

How does PAN Impact PCI DSS Compliance?

The Payment Card Industry Data Security Standard clearly states that merchants accepting online or card-present credit/debit card payments must avoid storing the PAN. PCI DSS Requirement 3 addresses the protection of stored cardholder data, so storing PAN data automatically brings that requirement into play and widens the scope of PCI DSS compliance for the merchant. Merchants that store PAN must therefore take additional measures to secure it on their network.

Storing unencrypted PAN data on the network increases the potential for a breach and can have a significant impact on the business. It is therefore necessary to secure PAN data through encryption or the other techniques listed in the PCI DSS requirements. The PCI DSS data storage requirements are explained in detail below.

PAN Data storage in PCI DSS

Merchants may at times have to store PAN data on their servers for commercial reasons. When they do, they must take extra precautions and implement additional measures to keep the data secure and remain compliant with PCI DSS. The PCI Council requires cardholder data stored by the merchant to be encrypted. Note, however, that not every element of cardholder data needs to be encrypted when stored: it is the PAN that must be rendered unreadable, while Sensitive Authentication Data (SAD), such as full magnetic stripe data, may not be stored by merchants at all.

What is most important to understand about PAN data storage is that the only time a PAN would not be considered cardholder data is when details such as the cardholder's name and/or expiry date are not present alongside it. In practice this rarely happens, so merchants must implement measures to secure PAN data. Merchants must also equip their network to handle the PAN securely, especially when it is transmitted at the POS.

Moreover, PCI DSS Requirement 3.4 states that all merchants must use one of the following techniques to render the PAN unreadable. This requirement applies wherever the PAN is stored or at rest, including portable digital media, backup media, and logs. The techniques for rendering PAN data unreadable include:

  • Strong cryptography of the PAN
  • PAN truncation (removal of the middle digits)
  • Index tokens and pads
  • Key-management processes

PCI DSS Requirement 3.3 specifically requires the PAN to be masked whenever it is displayed, so that the only digits visible are at most the first six and last four. Only authorized staff with a legitimate business need can see the rest of the number.
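The masking, truncation and one-way hashing techniques above are simple to state but easy to get subtly wrong, and Requirement 3.4 explicitly puts logs in scope. The following is an added worked example, not code from this article or from the PCI Council. It implements display masking (first six, last four), truncation, and a keyed one-way hash, and then scans some constructed log lines for cleartext PANs. The choice of HMAC-SHA256 with a secret key for the hash, the Luhn check used to filter digit runs, the industry test card numbers and the log lines are all this example's own assumptions.

```python
"""Helpers illustrating PCI DSS Requirement 3.3 (mask PAN on display) and
Requirement 3.4 (render stored PAN unreadable), plus a detector that finds
unmasked PANs in log lines. Added example; not code from the original
article or from the PCI Council."""
import hashlib
import hmac
import re

# Constructed inputs: industry test card numbers, not real accounts.
TEST_PANS = {
    "visa": "4111111111111111",
    "mastercard": "5555555555554444",
    "amex": "378282246310005",  # 15-digit PAN
}

# Constructed secret for the keyed hash (assumption). In production it would
# live under the key-management processes PCI DSS requires, never in source.
HASH_KEY = b"example-key-not-for-production"


def luhn_valid(digits: str) -> bool:
    """Mod-10 (Luhn) check used by payment card numbers; filters out random
    digit runs such as order references when scanning logs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _check_pan(pan: str) -> None:
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13-19 digits")


def mask_pan(pan: str) -> str:
    """Req. 3.3: show at most the first six and last four digits on display.
    The full PAN still exists in storage; masking only limits what is shown."""
    _check_pan(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Req. 3.4 truncation: the middle digits are discarded before storage and
    cannot be recovered, unlike masking."""
    _check_pan(pan)
    return pan[:6] + pan[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Req. 3.4 one-way hash. A keyed hash (HMAC-SHA256) is used here because
    an unkeyed hash of a 16-digit number can be brute-forced from the small
    PAN space; the keyed construction is this example's assumption."""
    _check_pan(pan)
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


# 13-19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unmasked_pans(lines):
    """Scan log lines for digit runs that pass the Luhn check and return
    (1-based line number, masked PAN) pairs. Logs are in scope for Req. 3.4,
    so a hit means cleartext PAN has leaked somewhere it must not be stored."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for m in _PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_valid(digits):
                hits.append((lineno, mask_pan(digits)))
    return hits


# Constructed log lines: a correctly masked PAN, a cleartext PAN, a 13-digit
# non-card reference that fails Luhn, and a cleartext PAN written with spaces.
LOG_LINES = [
    "2022-05-02 10:01:07 INFO checkout ok order=10042 pan=411111******1111",
    "2022-05-02 10:01:09 DEBUG gateway request pan=5555555555554444 exp=12/24",
    "2022-05-02 10:01:10 INFO order=10043 ref=1234567890123",
    "2022-05-02 10:01:12 ERROR auth failed card=3782 822463 10005",
]

if __name__ == "__main__":
    for name, pan in TEST_PANS.items():
        print(name, mask_pan(pan), truncate_pan(pan), hash_pan(pan)[:16] + "...")
    for lineno, masked in find_unmasked_pans(LOG_LINES):
        print(f"line {lineno}: cleartext PAN found ({masked})")
```

Running the scanner over the constructed lines flags lines 2 and 4 only: the masked value on line 1 never forms a 13-digit run, and the 13-digit reference on line 3 fails the Luhn check. The detector reports PANs in masked form so that the finding itself does not copy cleartext PAN into yet another log.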

Final Thought

Despite all the clarity about the threat posed by storing PAN data, nearly 65% of merchants continue to store unencrypted PAN data on their servers and networks. What adds to the problem is that many merchants are unable to handle and appropriately secure the PAN and cardholder data they store. Understanding the importance of PAN data and securing it is crucial to preventing breaches and theft, and the only way to do so is to implement defensive measures for handling such sensitive data. Ensuring that the PAN is protected using one-way hashing or truncation is one way of assuring customers that their cardholder data is secure. It also helps businesses maintain PCI DSS compliance while securing sensitive data.

Wealth Managers and the Future of Trust: Insights from CFA Institute’s 2022 Investor Trust Study

Author: Rhodri Preece, CFA, Senior Head of Research, CFA Institute

Corporate responsibility is more important than ever. Today, many investors expect more than just profit from their financial decisions; they want easy access to financial products and to be able to express personal values through their investments. Crucial to meeting these new investor expectations is trust in the financial services providers that enable investors to build wealth and realise personal goals. Trust is the bedrock of client relationships and investor confidence.

The 2022 CFA Institute Investor Trust Study – the fifth in a biennial series – found that trust levels in financial services among retail and institutional investors have reached an all-time high. Reflecting the views of 3,588 retail investors and 976 institutional investors across 15 markets globally, the report is a barometer of sentiment and an encouraging indicator of the trust gains in financial services.

Wealth managers may want to know how this trust can be cultivated, and how they can enhance it within their own organisations. I outline three key trends that will shape the future of client trust.

THE RISE OF ESG

ESG metrics have risen to prominence in recent years, as investors increasingly look at environmental, social and governance factors when assessing risks and opportunities. These metrics have an impact on investor confidence and their propensity to invest; we find that among retail investors, 31% expect ESG investing to result in higher risk-adjusted returns, while 44% are primarily motivated to invest in ESG strategies because they want to express personal values or invest in companies that have a positive impact on society or the environment.

The Trust Study shows us that ESG is stimulating confidence more broadly. Of those surveyed, 78% of institutional investors said the growth of ESG strategies had improved their trust in financial services. 100% of this group expressed an interest in ESG investing strategies, as did 77% of retail investors.

There are also different priorities within ESG strategies, and our study found a clear divide between which issues were top of mind for retail investors compared to institutional investors. Retail investors were more focused on investments that tackled climate change and clean energy use, while institutional investors placed a greater focus on data protection and privacy, and sustainable supply chain management.

What is clear is that the rise of ESG investing is building trust and creating opportunities for new products.

TECHNOLOGY MULTIPLIES TRUST

Technology has the power to democratise finance. In financial services, technological developments have lowered costs and increased access to markets, thereby levelling the playing field. Allowing easy monitoring of investments, digital platforms and apps are empowering more people than ever to engage in investing. For wealth managers, these digital advancements mean an opportunity for improved connection and communication with investors, a strategy that also enhances trust.

The study shows us that the benefits of technology are being felt, with 50% of retail investors and 87% of institutional investors expressing that increased use of technology increases trust in their financial advisers and asset managers, respectively. Technology is also leading to enhanced transparency, with the majority of retail and institutional investors believing that their adviser or investment firms are very transparent.

It’s worth acknowledging here that a taste for technology-based investing varies across age groups. More than 70% of millennials expressed a preference for technology tools to help navigate their investment strategy over a human advisor. Of the over-65s surveyed, however, just 30% expressed the same choice.

THE PULL OF PERSONALISATION

How does an investor’s personal connection to their investments manifest? There are two primary ways. The first is to have an adviser who understands you personally, the second is to have investments that achieve your personal objectives and resonate with what you value.

Among retail investors surveyed for the study, 78% expressed a desire for personalised products or services to help them meet their investing needs. Of these, 68% said they’d pay higher fees for this service.

So, what does personalisation actually look like? The study identifies the top three products of interest among retail investors. They are: direct indexing (investment indexes that are tailored to specific needs); impact funds (those that allow investors to pursue strategies designed to achieve specific real-world outcomes); and personalised research (customised for each investor).

When it comes to this last product, it’s worth noting that choosing advisors with shared values is also becoming more significant. Three-quarters of respondents to the survey said having an adviser that shares one’s values is at least somewhat important to them. Another way a personal connection with clients can be established is through a strong brand, and the proportion of retail investors favouring a brand they can trust over individuals they can count on continues to grow; it reached 55% in the 2022 survey, up from 51% in 2020 and 33% in 2016.

TRUST IN THE FUTURE

As the pressure on corporations to demonstrate their trustworthiness increases, investors will also look to financial services to bolster trust. Wealth managers that embrace ESG issues and preferences, enhanced technology tools, and personalisation, can demonstrate their value and build durable client relationships over market cycles.

5 tips to ensure CSR efforts come across as genuine

By Mick Clark, Managing Director, WePack Ltd

Corporate social responsibility – or CSR – is playing an increasingly pivotal role in the long-term success of modern-day companies.

The harsh reality is that only a paltry 46 percent of people trust the brands they buy from. And with more competition than ever in all walks of business, a positive brand reputation needs to be earned or customers will simply take their money elsewhere.

That’s why I share my insights on the importance of CSR in modern business and introduce an effective plan to avoid coming off as disingenuous to your employees and customer base.

The value of CSR

The needs of modern employees and consumers are changing. There is a higher emphasis placed on the ethics and morals of companies and their handling of hot button topics like the environment or social issues.

59 percent of UK workers believe their business should be investing in charitable initiatives. 67 percent of people aged 18-19 feel this way, showing a generational shift in favour of companies that support ethical, social, or environmental causes.

At WePack, we recognise the importance of this and make sure to regularly donate to a variety of charities including RRT (Rapid Relief Team), and donated £6,000 to the charity’s social causes last year.

An example of good CSR can be found in search engine giant, Google. It has had notable success with its CSR initiatives. Its flagship CSR campaign, Google Green, is a companywide commitment to using clean sources of energy, cutting down on its use of fossil fuels and drastically increasing energy efficiency as a direct response to the climate crisis.

It has been so successful that its data centres now require 50 percent less power to run than the average data centre and it’s poured over $1 billion into jumpstarting renewable energy projects.

Customer attitudes are fundamentally changing, and people are far more concerned about the values that their money could be indirectly supporting. In fact, 71 percent of customers prefer buying from businesses that align directly with their values.

In the modern-day, demonstrating high levels of CSR boosts brand perception. Businesses that make it a priority are more attractive – from an investment standpoint – to both customers and potential stakeholders.

For example, more than a third of consumers are also willing to pay more for a product or service if the business prioritises sustainability specifically – so it pays to be responsible.

Businesses with purpose-driven and ethical goals and proven commitments to CSR help retain employees. Millennials will make up 75 percent of the workforce by 2025, and it’s that cohort that is increasingly demanding socially responsible employers.

Those that fail to meet the needs will ultimately see their customers take their purchasing power elsewhere.

Addressing the challenges

As obvious as it may sound for a business to take on as much CSR as possible, many organisations face limitations.

Pressure from investors can disrupt the growth of CSR initiatives. Sometimes, the direction that stakeholders want to take the company doesn’t fully align with plans to target social or environmental issues.

Companies face becoming fixated on linking profitability with CSR programmes. It can be tough to present a genuine CSR programme without it coming across as a marketing ploy – presenting an extra hurdle for businesses to overcome.

Despite the challenges businesses face that are out of their control, many firms unwittingly make their own mistakes that cost them dearly.

For example, businesses can struggle to bolster their CSR programmes if they don’t consult their customers and staff first. A simple survey helps companies decide what issues to put as a priority and target to satisfy their customer base and employees.

Any attempt to create an effective CSR programme needs top-down support. Many businesses wrongly treat CSR as a separate entity, rather than fostering a companywide culture. This can lead any attempt to push back on global issues to appear disingenuous to those looking in.

Shifting the CSR approach

Because of the global shift in public needs and opinions in recent years, businesses need to better demonstrate their efforts to avoid having their campaigns labelled as a box-ticking exercise.

It’s no secret that consumers are doing more research and are becoming more switched on to spotting lacklustre approaches to CSR. Also, everyone can have their say online – it’s much easier to get exposed if your CSR campaign is nothing but an empty publicity stunt.

For example, Volkswagen’s reputation was left in tatters after its ‘greenwashing’ scandal promoted a newer, cleaner diesel vehicle that wasn’t any better for the environment than previous models. The company took it further by fitting a device that helped it cheat emissions tests – resulting in a $125 million fine.

For this reason, CSR campaigns need tangible results to be credible and trustworthy.

Sharing top tips

When it comes to structuring a strong CSR campaign, it’s critical to demonstrate several things to prove your strategy is effective in helping the chosen cause.

Firstly, evidence the fact that your efforts are helping wider communities. Whether it’s through statistics or showing proof of investment in social causes, tangible evidence goes a long way when legitimising your CSR campaign.

Secondly, balance your rhetoric. Effective communications are vital to the success of a campaign. However, it can damage a company’s image when done poorly. Businesses should speak about their chosen issues in their dialogue rather than spending too much time talking about the solutions the company has implemented. This stops them from becoming too self-promotional or sounding braggy.

To further avoid this, make sure you can directly tie your CSR campaign to corporate values and beliefs. As well as helping to strengthen your comms, it will also guarantee that company values are more than just surface-level – helping to facilitate tangible, long-term change.
