CONSEQUENCES & RISK EXPOSURE FOR NON-COMPLIANCE WITH PCI DSS FOR THE BANKING SECTOR

Narendra Sahoo, Founder and Director of VISTA InfoSec

Introduction

Every day millions of people around the globe fall prey to cybercrime, and what makes this alarming is that the majority of data breaches and thefts involve debit and credit card data. For these reasons, the PCI DSS standards were established in 2006 to strengthen information security and secure cardholder data. PCI DSS is a compliance requirement for all organizations and financial institutions, including banks, that handle card transactions. Under the guidelines, banks and other financial institutions are expected to have comprehensive internal controls and security frameworks in place to safeguard sensitive data. Financial institutions handle millions of transactions daily, which makes securing those transactions and the associated cardholder data an incredibly challenging task. Given the amount of risk they are exposed to, financial institutions are the most heavily regulated industry in the U.S. and around the world.

This article discusses how PCI DSS affects the banking sector and the risks banks are exposed to for non-compliance.

PCI DSS Compliance at a Glance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards administered by the PCI Security Standards Council and established by the five major card brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The standard applies to:

  • Any organization or institution that stores, processes, or transmits credit card data, including service providers.
  • Any organization (service provider) whose operations can affect the security of the Cardholder Data Environment of another organization (the service provider's client).

The scope of compliance typically covers data security, security framework policies and procedures, network architecture, and software design. Financial institutions, including issuing banks (banks that offer credit cards to customers) and acquiring banks (financial institutions that hold merchants' bank accounts, receive payments through the card processors, and deposit funds on behalf of the merchants), merchants, and service providers that process, store, or transact card data or enter into a contract with the five card brands are expected to be PCI DSS compliant.

Impact of PCI DSS Standard on the Banking Sector

PCI DSS is a set of security standards that banks need to follow diligently to stay compliant. The millions of transactions they undertake daily, and the risk to which they are exposed, require them to have strong security measures in place to safeguard cardholder data. Given below are some PCI DSS requirements that banks are expected to follow and security tests they need to perform to ensure the cardholder data environment is not compromised.

  • Test the defense systems in place to ensure networks, endpoints, and web applications are secure.
  • Frequently commission a controlled breach attempt against the bank network (a penetration test or even a red team assessment) to verify that the network is secure.
  • Perform security tests to detect known vulnerabilities such as SQL injection, OS command injection, cross-site scripting, broken authentication, etc.
  • Test networks and check for the presence of authorized and unauthorized wireless access points every quarter.
  • Perform a penetration test on the cardholder data environment (CDE) and the systems and networks connected to it at least once a year or after any significant change has been made to the application.
  • Conduct a VAPT (vulnerability assessment and penetration test) to identify all possible threats and exploit them to penetrate the system at the application and network level.
  • Correct the issues identified and re-test until systems and networks are clean and have strong defenses in place against malicious activity.
  • Conduct internal audits as per the PCI DSS requirements at least once a year or after any major change to processes or systems.
  • Conduct internal awareness training for employees at least once a year.

While it is extremely challenging to meet the testing requirements of PCI DSS, performing the tests and securing systems and networks is mandatory for banks and other financial institutions. A bank that fails to comply will face severe repercussions in terms of huge penalties and loss of trust and credibility. We have listed below some of the serious repercussions and risks banks may be exposed to for non-compliance with PCI DSS.

Consequences and Risk Exposure for Non-Compliance with PCI DSS in the Banking Sector

A data breach suffered by a merchant has far greater implications and consequences, resulting in monetary penalties and often irreparable damage to brand reputation.

Data Theft and Security Breach

Being non-compliant with the PCI DSS standards simply means the bank may not have the necessary security measures in place to protect data. Having no strong defenses and security built around the network and systems will lead to a security breach and data theft, which in turn can have huge financial implications for the institution, leading to heavy losses.

Hefty Penalties

Non-compliance with PCI DSS can result in huge penalties from the credit card companies, ranging from $5,000 to $100,000 per month. The penalties levied depend on the volume of transactions and the degree of non-compliance. Further, the penalties are at the discretion of the payment brand, and the brand may decide to levy a penalty per record that has been breached. Moreover, the fines are reassessed monthly and may rise over time until the merchant achieves compliance. Fines that the bank incurs can be passed on to the merchant via higher transaction fees or service charges if the merchant is found to be non-compliant, which further strains the relationship between the bank and the company.

Compensation Costs for Non-Compliance

Non-compliance with the PCI DSS standards can also involve a huge amount of compensation costs. The bank or merchant will probably have to compensate clients with credit card monitoring, identity theft insurance, or some other form of compensation.

Tarnished Reputation due to Non-Compliance

Security breaches and data theft do not just have financial implications; they also cause irreversible damage to the reputation of your brand. Once your security is compromised, it will be very difficult to regain customers' trust in your bank. The image and reputation of your bank will be at stake and greatly tarnished if it is found non-compliant and suffers a security breach.

Revenue Loss

Once there is a blot on its reputation, the bank's business revenue and sales will be significantly affected. There is a strong possibility of the bank facing losses as a result of a breach: a breach can lead to loss of customers, followed by loss of revenue. The financial implications are far more significant than the amount of money it would take to ensure compliance with PCI DSS.

Direct Intervention of Regulatory Bodies

Non-compliance with PCI DSS followed by a security breach could call for the direct intervention of regulatory bodies and involve frequent federal audits. This would further involve the imposition of strict regulations and penalties. Consequences like these could severely impair the banking business.

Conclusion

The bottom line is that no matter how strong your defenses are and how many assessments you conduct, it takes just one slip for a breach to happen. No system is totally impenetrable, but at the end of the day, in case of a breach, you need to be able to show that your bank has followed all the compliance requirements and did its best to secure its systems to the best of its knowledge and ability. This is where banks need to work, by conducting due diligence as detailed in the standard and summarized above in this article.

Moreover, we believe complying with the security standards is extremely important not just for the banking business, but also for the safety of its clients. While the standard's requirements and testing process may seem rigorous, the consequences of non-compliance can be destructive for the banking business. Banks in general have their own take on the set standards. Depending on the risk levels (which are often high in the banking sector) and exposures, banks generally balance cost, security, and functionality while investing in an effective security control framework.

Author Bio: Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm based in the US, Singapore & India. Mr. Sahoo holds more than 25 years of experience in the IT industry, with expertise in Information Risk Consulting, Assessment, & Compliance services. VISTA InfoSec specializes in Information Security audit, consulting and certification services, which include GDPR, HIPAA, CCPA, NESA, MAS-TRM, PCI DSS Compliance & Audit, PCI PIN, SOC2, PDPA, and PDPB, to name a few. The company has for years (since 2004) worked with organizations across the globe to address the Regulatory and Information Security challenges in their industry. VISTA InfoSec has been instrumental in helping top multinational companies achieve compliance and secure their IT infrastructure.

LEGACY INFRASTRUCTURES MUSTN’T HOLD BACK INNOVATION IN FINANCIAL SERVICES

By Ian Perry, Principal Solution Architect at Zscaler

We are living in a changed world; one of hybrid home/office work and customers who may never return to bank branches and the services of the high street. According to RFi Group, 73 per cent of UK consumers interact with their main bank via digital banking at least once a week, and only 23 per cent believe nothing can replace what they get in a branch. Meanwhile, institutions including JP Morgan, HSBC and Nationwide have all indicated an intention to retain new higher levels of homeworking.

Now that employees work from a multitude of locations and customers bank and manage their money online, the race is on to adapt processes, systems and support structures for safe, secure and productive homeworking and digital access for customers. Inevitably, this calls into question legacy infrastructures in financial services and how they might impact digital progress.

New tools, old systems?

The question is, how can banks and other financial institutions securely provide a higher level of remote access to their systems and applications when incumbent infrastructures were developed for an entirely different time?

Of course, the first thing to note is that banks aren’t coming at the problem from a standing start. Oft-cited legacy infrastructures have been added to over time so that many set-ups are now an on-premise/cloud-hosted hybrid. In fact, the finance sector has invested heavily in cloud infrastructures and cloud-based office applications.

The issue is how to harmonise this set-up so that it works for users and organisations as a whole. Here, there is work still to be done. It’s often the case that core banking applications remain in mainframe on-premise networks, whilst other operational tools reside in the cloud. Cloud-based Office 365 is a case in point. It supports digital working, as organisations need it to, but a range of its benefits and functions are at odds with legacy network setups.

Inevitably, when a product or service innovation reaches implementation planning stage, the starting point is the existing network, its systems and processes. The hard part is flipping this approach to assess what the resulting experience will be from the user point of view, but that is exactly what’s needed. It’s an approach that competing market disruptors have been ideally placed to adopt from day one.

However, that needn’t mean that financial institutions must completely overhaul their legacy infrastructure – something that would be expensive and complicated. They can still fully capitalise on the benefits of cloud-based services, among them flexibility, productivity, business continuity and the right customer and user experience.

Zero Trust without friction

One way is to take a ‘Zero Trust’ approach. As a result of recognised risks, 72 per cent of companies are prioritising the adoption of such a security model. This resets a data security approach from one that traditionally secured the perimeter to one that protects users, devices and business resources.

It’s a shift in emphasis from securing the network to securing each access and doing so without introducing friction into processes for users. We can think of legacy digital protection methods as a visitor getting a key from reception and being allowed to wander around the building, and compare that to a frictionless cloud experience in which a security guard shows the visitor directly to the room they need.

The Zero Trust model lends itself to high levels of remote access, which is exactly the situation organisations are now in. Employees work from anywhere, from a range of devices, and customers access online services that were previously provided in person. Applications are no longer exclusively within the data centre; they sit outside the network perimeter, meaning that traffic must be enabled to run securely through the internet rather than through corporate IT. Doing so not only equips organisations for the way things are today, it can also reduce the cost of individual site maintenance and enable the full benefit of cloud-based tools.

The technology now exists to make high levels of security completely invisible and so, with a growing number of security processes now taking place in the cloud, educating customers will be key. The industry must come together to improve user interfaces to signal what’s taking place behind the scenes.

With the right security approach, financial services can deliver on new access priorities to support their workforces and serve customers. Convenience, as well as security, should be the aim along with a strategy that ensures legacy doesn’t hold back innovation. That way, banks and other finance institutions can begin to fully capitalise on the benefits of cloud, adapt to meet customer demands as they evolve and compete in a disrupted market.

BANKS OF THE FUTURE WILL BE ASSEMBLED, NOT BUILT: HOW BANKS CAN EXPAND AND INNOVATE BY RETHINKING THEIR PARTNERSHIPS

By Kelly Switt, Senior Director, Financial Services Strategy, Ecosystem and Strategic Partnerships, Red Hat

The financial services business ecosystem has been radically reshaped in recent years and is arguably more dynamic and ripe for innovation than it has ever been. Banks that take bolder steps to build strategic partnerships have the potential to dramatically transform themselves and the industry. While open banking reforms have encouraged organizations to open up their architectures to each other, there is much potential still to be unlocked: beyond the minimum of meeting regulations by the deadline and exposing the APIs required for aggregation services, there is a vast untapped opportunity for creativity in joint business models, the kind of opportunity that has long since been grasped by web-scale companies and fintech startups.

Deutsche Bank, BBVA, and neobank bunq are examples of banks that have understood the value of creating open finance communities. However, the majority of financial organisations are yet to embrace deeper collaborations that truly take advantage of external parties' ready-built solutions, which would save time and resources and enable in-house teams to focus on differentiating their business where it really counts. So how can an organisation break free of legacy structures and attitudes to better integrate and engage with partners?

Step 1: Adopting a growth mindset

Establishing deeper strategic relationships with partners requires a mindset shift for much of the industry. Traditionally, banks have tended to see third parties as vendors, treating the relationship as a transactional exchange, in the context of legal agreements that set forth the provisions and conditions of the services to be provided. Instead, banks need to adopt a growth mindset that encourages organisations to look beyond their own four walls, and embraces participation in a wider community. By engaging with an ecosystem of partners and treating them as a valuable additional set of experts, banks can accelerate problem-solving and reach their business goals faster.

Step 2: Aligning internally as an organisation

Before bringing in a partner to tackle a business problem, an organisation needs to conduct an internal assessment. It’s important for all departments within an organisation (IT, sales, marketing, etc.) to contribute their perspective on unpacking why a problem exists across the organisation: what are compliance and risk issues? What are the technical challenges? In what ways is the business impacted? Once everyone is grounded on why the problem needs fixing, it is a much clearer path to identify both the business and technology capabilities needed to solve the problem – i.e. the tools as well as the people skills. If different departments aren’t set up to engage with each other, it’s time to dismantle barriers and build bridges to ensure everyone is included in this discovery phase.

Step 3: Be open with partners

When the business has galvanised around its key objectives and the capabilities it needs to move forward, the organisation can look at engaging partners that have experience and expertise in the right areas. The more information that is shared with a partner about the company’s challenges, opportunities and goals, the more empowered and committed the partner will be to help meet the desired outcomes. Armed with insights, partners can help connect the dots and invite further parties to a project, leading to a network effect that benefits both the organisation and the wider ecosystem. To ensure that everyone continues moving in the same direction every step of the way, it is crucial to have transparent discussions in which ideas can be exchanged freely, and to make decisions in an open and collaborative way. Disagreement and constructive feedback must be encouraged – partners should be empowered to speak up with concerns – as this is an important part of mitigating risk.

Step 4: Humanise business relationships

Business relationships are personal relationships. The most successful ones are built on mutual understanding of what makes each other tick, what motivates someone to behave the way they do and what drives their performance. Getting to know people on a more personal level can create deep-seated relationships where everyone feels fully invested in driving the project forward. The banking sector may not be known for encouraging vulnerability, but revealing a bit more of the human in us is a key ingredient for building trusted relationships. The pandemic has added urgency to the need for greater empathy to lead people through difficulties, and has shown how people can come together through shared emotional experiences to better manage adversity.

Step 5: Build on a consistent technology platform

The technical foundation for engaging in any new partnership is a strong integration strategy. An organization may need to rethink its system architectures and shift towards open platform models. In the case of using containers to take advantage of cloud scale, establishing a common platform at the base of the technology stack that runs consistently across an organisation can provide more control, security and stability. A common application management layer that is agnostic to the underlying technology and based on open APIs gives internal teams together with partners greater freedom to collaborate, accelerating innovation. It helps avert the risk of ending up with many custom integrations, which can lead to cost overruns, outages or services-related issues for customers.

Unleashing future possibilities

Progress is able to happen much faster when people and teams work together. As more and more businesses in banking and adjacent industries wake up to the opportunities inherent in a move towards greater openness, we will start to see unprecedented innovation in financial services, and myriad other areas of our lives, creating better and more inclusive customer experiences for societies globally. Banks of the future will be assembled, not built.
