Narendra Sahoo,Founder and Director of VISTA InfoSec
Every day millions of people around the globe fall prey to cybercrime, and a large share of data breaches and thefts involve debit and credit card data. For this reason, the PCI DSS standard was established in 2006 to strengthen information security and secure cardholder data. PCI DSS is a compliance requirement for all organizations and financial institutions, including banks, that handle card transactions. Under its guidelines, banks and other financial institutions are expected to have comprehensive internal controls and security frameworks in place to safeguard sensitive data. Financial institutions handle millions of transactions daily, which makes securing those transactions and the associated cardholder data an incredibly challenging task. Given the level of risk they are exposed to, financial institutions are among the most heavily regulated industries in the U.S. and around the world.
In this article we discuss how PCI DSS impacts the banking sector and the risks banks are exposed to for non-compliance.
PCI DSS Compliance at a Glance
The Payment Card Industry Data Security Standard is a set of security standards administered by the PCI Security Standards Council and established by the five major card brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The standard applies to –
- Any organization or institution that stores, processes, or transmits credit card data, including service providers.
- Any organisation (service provider) whose operations can affect the security of the cardholder data environment of another organization (the service provider's client).
The scope of compliance typically covers data security, security framework policies and procedures, network architecture, and software design. Financial institutions, including issuing banks (banks that offer credit cards to customers) and acquiring banks (financial institutions that hold merchants' bank accounts, receive payments through the card processors, and deposit funds on behalf of the merchants), merchants, and service providers who process, store, transact, or enter into a contract with the five card brands are expected to be PCI DSS compliant.
Impact of PCI DSS Standard on the Banking Sector
PCI DSS is a set of security standards that banks need to follow diligently to stay compliant. The millions of transactions they undertake daily, and the risk to which they are exposed, require them to have strong security measures in place to safeguard cardholder data. Given below are some PCI DSS requirements that banks are expected to follow and the security tests they need to perform to ensure the cardholder data environment is not compromised.
- Test the defence systems in place to ensure networks, endpoints, and web applications are secure.
- Frequently commission a controlled, authorised attack simulation against the bank's network (a penetration test or even a Red Team assessment) to harden it.
- Perform security tests to detect known vulnerability classes such as SQL injection, OS command injection, cross-site scripting, broken authentication, etc.
- Test networks and check for the presence of authorized and unauthorized wireless access points every quarter.
- Perform a penetration test on the cardholder data environment (CDE) and the systems and networks connected to it at least once a year, or after a significant change has been made to the application.
- Conduct a vulnerability assessment and penetration test (VAPT) to identify all possible threats and attempt to exploit them at the application and network level.
- Issues identified should be corrected and re-tested until systems and networks are clean and have strong defences in place against malicious activity.
- Conduct internal audits as per the PCI DSS requirements at least once a year or after any major change to processes or systems.
- Provide internal awareness training for employees at least once a year.
While it is extremely challenging to meet the testing requirements of PCI DSS, performing the tests and securing systems and networks is mandatory for banks and other financial institutions. Failure to comply means the bank will face severe repercussions in the form of heavy penalties and loss of trust and credibility. We have listed below some serious repercussions and risks banks may be exposed to for non-compliance with PCI DSS.
Consequences and Risk Exposure to Non-Compliance with PCI DSS for Banking Sector
The risk of a data breach has far greater implications and consequences, resulting in monetary penalties and often irreparable damage to brand reputation.
Data theft & Security Breach
Being non-compliant with the PCI DSS standard simply means the bank may not have the necessary security measures in place to protect data. Having no strong defences and security built around the network and systems can lead to a security breach and data theft. This in turn can have huge financial implications for the institution, leading to heavy losses.
Non-compliance with PCI DSS can result in heavy penalties, ranging from $5,000 to $100,000 per month, levied by the card brands. The penalties depend on the volume of transactions and the degree of non-compliance. Further, penalties are levied at the discretion of the payment brand, which may decide to fine on a per-breached-record basis. Moreover, the fines are reassessed monthly and may rise over time until the merchant achieves compliance. Fines incurred by the bank can be passed on to the merchant through higher transaction fees or service charges if the merchant is found to be non-compliant. This further strains the relationship between the bank and the merchant.
Compensation costs for non-compliance
Substantial compensation costs are involved in cases of non-compliance with the PCI DSS standard. The banks or merchants will probably have to compensate affected clients with credit card monitoring, identity theft insurance, or other forms of compensation.
Tarnished Reputation due to non-compliance
Security breaches and data theft not only have financial implications but also cause irreversible damage to the reputation of your brand. Once your security is compromised, it is very difficult to regain customers' trust in your bank. The image and reputation of your bank are at stake and will be greatly tarnished if it is found non-compliant and suffers a security breach.
Once there is a blot on its reputation, the bank's business revenue and sales are significantly affected. There is a strong possibility of the bank facing losses following a breach. A breach can lead to loss of customers, followed by loss of revenue. The financial implications are far more significant than the amount of money it would take to ensure compliance with PCI DSS.
Direct Intervention of Regulatory Bodies
Non-compliance with PCI DSS followed by a security breach could call for the direct intervention of regulatory bodies and involve frequent federal audits. This would in turn bring stricter regulations and penalties. Consequences like these could severely impair the banking business.
The bottom line is that no matter how strong your defences are or how many assessments you conduct, it only takes one slip for a breach to happen. No system is totally impenetrable, but at the end of the day, in case of a breach, you need to be able to show that your bank followed all the compliance requirements and did its best to secure its systems to the best of its knowledge and ability. This is where banks need to focus, by conducting due diligence as detailed in the standard and summarized above in this article.
Moreover, we believe complying with the security standard is extremely important not just for the banking business but also for the safety of its clients. While the standard's requirements and testing process may seem rigorous, the consequences of non-compliance can be destructive for the banking business. Banks in general have their own take on the standard. Depending on their risk levels (which are often high in the banking sector) and exposures, banks generally balance cost, security, and functionality when investing in an effective security control framework.
Author Bio: Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm, based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT Industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, PDPB to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.
REDUCING FRICTION ONLINE HAS BECOME BUSINESS CRITICAL
Andrew Shikiar, Executive Director at the FIDO Alliance
The global pandemic has pushed the importance of remote access and authentication right up the agenda for many businesses. All those occasions where people would normally show up in person to open a bank account or pick up some high street essentials were simply not possible for large parts of the year. Even as restrictions have eased across the country, these kinds of face-to-face transactions remain an unappealing prospect or a last resort for many.
Not surprisingly, this has led to unprecedented demand for online and remote services. This brings with it a host of challenges and opportunities, and we have seen many examples of companies brilliantly adapting and reacting to this new way of life. But one issue that businesses and individuals have been grappling with for years – that of frictionless transactions and authentication – has now been put under a brighter spotlight as it is increasingly critical to get right.
Friction impacts the bottom line
The core challenge facing businesses is how to strike the right balance between giving customers the best possible experience of online service, and the necessary regulatory and security implications that directly affect – and often contradict – that ideal user experience.
We’ve all likely experienced the very real kinds of friction I’m talking about – it’s the account you gave up on registering for, or the purchase you abandoned because the process was just too frustrating.
Friction like this has direct bottom line impacts through the loss of sales and/or disaffected customers – and it is substantially more pronounced in the current climate. People have less money to spend, they are spending a greater proportion of this reduced pot online, and businesses are competing for their livelihoods to claim their share. Providing a frictionless experience can be the difference between success and failure.
Banking and retail lose out
Nowhere is this problem more keenly felt than in the retail and banking industries. Countless transactions simply don't happen each year due to issues with passwords or mobile One Time Passwords (OTPs) at the point of signing up or checking out.
Data from Statista shows that 69.57% of digital shopping carts and baskets are abandoned and the purchase not completed. And Mastercard's analysis estimates that up to 20% of mobile e-commerce transactions are abandoned or otherwise fail (e.g., from undelivered SMS OTPs) mid-way.
In addition, the independent web usability research institute Baymard found that one out of five consumers abandoned their online shopping carts citing the checkout process as "too long and complicated". That means 20% of customers taking their custom elsewhere, likely to a competitor, because the process presented too much friction.
Passwords are a major part of the problem
Organisations have struggled to strike that balance between frictionless yet secure online log-ins in large part because of historical dependence on passwords – which simply aren’t fit for purpose in today’s online economy. Passwords were designed to be simple but, as we can all likely attest, they have become incredibly cumbersome and difficult to manage.
The demands placed on consumers to remember and keep track of the array of different passwords they need, and the different requirements of password complexity which varies from provider to provider, is proving to be untenable.
Not only are passwords a major cause of consumers giving up on purchases or preventing them from signing up for new services, but they also fail in delivering on their primary objective: to protect accounts and sensitive data. All too often the password has proven to be a single point of failure, and one that is all too easy for hackers and fraudsters to get hold of – a trend accelerated by the coronavirus pandemic.
There has been a move toward developing and adopting open standards that enable any online service provider to authenticate users in a way that is both highly secure and almost completely frictionless – with all major platform and cloud service providers coalescing around a common approach.
It's clear from the way consumers have embraced using their fingerprints and Face ID to unlock their devices that simple, natural gestures work – and that they are often preferred over using a password. By adopting the latest authentication standards, organisations can enable their customers to use these same easy gestures on their everyday devices to prove their identity and approve even the most sensitive of transactions.
The standards also improve security by moving away from the traditional model, where your password or a similar piece of 'secret' information is stored on a server, to one where the credential (a private key) is stored on the individual's device and the server holds only the matching public key. The secret therefore cannot be phished or divulged through social engineering, and a breach of the server's database no longer exposes reusable secrets, which inherently stops the large-scale credential breaches that impact millions or billions of users in one go.
Due to these developments, the kind of poor user experience that leads to abandoned shopping carts and lost customers during the sign-up process is completely avoidable. There is now nothing stopping banks, retailers, and a range of other businesses from offering a superior, and low-friction user experience while also maintaining the safety and integrity of the networked economy.
BANKING ON THE FUTURE: WHY PAYMENTS TRANSFORMATION IS THE KEY TO SUCCESS
Simon Wilson, Co-Head, Payments at Icon Solutions
Standardisation, regulation and technological innovation mean payments are well on the way to becoming instant, invisible and free. This is good news for everybody.
Well, not quite everybody. Banks are now faced with the significant challenge of transforming business models and legacy technology systems to meet the demands of a new era in payments.
Banking is historically a conservative and risk-averse industry where the pace of change varies between sedate and glacial. But now is not the time to ‘wait and see’ and finding the right approach to payments transformation must be the immediate and fundamental priority for banks.
Understanding the need to transform
Firstly, we must ask: Why has payments transformation become an urgent priority?
For one thing, increased competition has seen banks’ market share of the global banking and payments industry reduce from 96% in 2010 to 72% today. Fintechs, challengers, payments companies and big tech have entered the playground and started taking banks’ lunch money, demonstrating a level of innovation and agility that incumbent banks are struggling to keep up with.
And of course, there is Covid-19. We have seen years, if not decades, of change in a matter of months. The crisis has torpedoed traditional and reliable revenue streams such as cross-border payments to accelerate margin pressure, while driving a rapid shift to online banking channels and a massive uplift in digital volumes.
Breaking the shackles
In the context of increased competition and unprecedented digitalisation, the banking industry is waking up to the fact that payments are about adding value, not just processing. There is increasing recognition that capitalising on the potential of emerging payment rails, monetising the standardised datasets unlocked by ISO 20022 and launching new external services are huge opportunities to diversify and retain relevance. The introduction of overlay services such as Request to Pay or the European Payments Initiative are also poised to spur on the move to digital payments.
Decades of inaction on legacy infrastructure, however, is limiting options. Banks across the globe find themselves lumbered with expensive, inflexible and unreliable technology estates. The ability to respond to marketplace innovation, let alone lead it, is constrained by the need to devote massive amounts of cash, time and ever-dwindling internal resource to simply keep the lights on.
It is apparent that doing nothing is no longer an option, but transformation is a nebulous concept. There is no one single way to effectively transform. Different organisations have unique considerations based on their technology, capabilities, resource and culture, and there are various routes to take.
‘Don’t outsource your heart, your soul…and your spinal cord’
One option is to make payments someone else’s problem and outsource them. This can be an appealing proposition to get a seemingly perennial cost centre off the books, particularly in the current climate. But speaking at Sibos, J.P. Morgan CEO Jamie Dimon cautioned against the risk of inadvertently “outsourcing your heart, your soul and your spinal cord.”
For it is true that payments are the beating heart and soul of an organisation. Payments represent 80% of all interactions, providing critical customer touchpoints, data and service opportunities. As for the spinal cord, not much can happen when mission-critical payment systems go down.
The big problem, as Dimon notes, is that a lot of companies who have outsourced “have no idea what they are doing.”
Banks can find themselves stuck with equally costly, complex and cumbersome alternatives, falling even further behind the innovation curve and losing control in the process. “You end up paying too much money and then you’re beholden to costs that are going up.” But most importantly, “you’re not even doing a better job serving your client.” Outsourcing a commodity execution service may well be the right strategic approach for some, but you need to ensure you have the other pieces of the payment process running smoothly and that you really are not leaving money on the table or developing risk longer term by constraining future choice.
Still, the alternative is not necessarily better. Modernisation needs to happen now, so it is not surprising that enthusiasm for years-long, ruinously expensive and inherently risky in-house transformation projects has dimmed somewhat.
Best of both worlds
Yet it is wrong to say that the only choice is buy or build. There is a middle ground: a collaborative approach to payments transformation that allows banks to move quickly to seize opportunities while retaining control, significantly reducing costs and adding value.
This begins with banks understanding their starting point, defining a crystal-clear strategic vision for the role that payments play within the organisation and identifying market opportunities. Indeed, as McKinsey notes, “success for banks will depend on thoughtfully assessing capabilities [and] determining the role of payments in market strategies.”
Banks should then consider low-risk and lightweight options for upgrading legacy infrastructure to meet their strategic objectives, while minimising business impact. Payment platforms based on Cloud-native, open source technology promote flexibility, scalability and independence, rather than restrictive and expensive vendor dependencies.
Collaboration also plays a critical role. Finding the right fintech and service provider partners can allow banks to simplify complexity, reduce manual heavy-lifting and lower their cost base, driving efficiencies that enable resource to be focused on delivering for customers. As Dimon explains, “If I can’t build it better than you can, I’m better off just using yours.”
This combination of strategy, enabling technologies and true collaboration provides a foundation for innovation. It can help drive new revenues, further develop existing business lines and, by moving payments from cost to profit centre, help banks thrive rather than survive.