HOW DOES PCI DSS IMPACT BANKING AND BANKING APPLICATIONS?

– Narendra Sahoo is a director of VISTA InfoSec

Over a million people across the globe become victims of cybercrime every day. What is more alarming is that, despite the numerous precautionary measures organizations take, attackers continue to evolve and use advanced techniques to break into systems and illegally access critical data. You therefore have every reason to worry about the confidentiality of your business-critical and customer data. Over the years, research reports on cybercrime have suggested that most data breaches involve debit and credit card data. This is why the PCI Security Standards Council (PCI SSC) was incorporated and the PCI DSS standard was established in 2006 to strengthen information security and protect customer data.

About PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is an information security standard administered by the PCI Security Standards Council. The Standard was established by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to safeguard debit and credit card data. The scope of PCI DSS covers an organization's data security management, security policies and procedures, network architecture, and software design as they relate to the protection of cardholder data. This ensures that organizations that accept, process, store, or transmit payment card information maintain secure environments that protect consumers and merchants. Put simply, PCI DSS applies to any organization that holds, processes, or transmits cardholder information from a card carrying the logo of any of these card brands. PCI DSS compliance is not a legal requirement but an established form of self-regulation: organizations that process card payments contractually agree with the payment card brands to comply with PCI requirements.

Implication of PCI DSS on Banking and Financial Industry

Banks that issue Visa, Mastercard, American Express, and Discover cards are contractually expected to comply with the Payment Card Industry Data Security Standard (PCI DSS). Entities that handle card data from any of the five major card brands, namely Visa, Mastercard, Discover, American Express, and JCB International, are required to comply with the PCI DSS requirements. Under PCI DSS, entities that are contractually obliged to comply are expected to govern and secure consumers' payment card data by all available means.

Financial institutions, including issuing banks (banks that offer credit cards to consumers), acquiring banks (financial institutions that hold merchants' bank accounts, receive payments through the card processors, and deposit funds on behalf of the merchants), merchants, and service providers that process transactions and enter into contracts with the five card brands must ensure the protection and safety of cardholder data. For that matter, even an organization that processes just four card transactions a month is expected to be PCI compliant. Moreover, a company that uses a third-party payment processor is also expected to comply with PCI standards. PCI DSS offers banking and other financial institutions clear guidelines on ways to detect fraud, prevent data theft or loss, and deal with a data breach when one occurs.

Fines and penalties for Merchants and Banks on non-Compliance

In the event of a data breach, the card brands investigate the merchant's level of PCI DSS compliance and also assess the bank's enforcement of PCI DSS compliance. Based on the findings, the fines are distributed between the bank and the merchant accordingly. Fines typically range from $5,000 to $100,000 per month, depending on the size of the merchant's business and the degree of noncompliance. It is important to note that fines the bank incurs can be passed on to the merchant through higher transaction fees or service charges. In the case of a repeat violation, additional fines may be levied depending on the merchant's acquiring bank. Fines may also be revised over time and continue to increase until the merchant is deemed compliant. If the merchant still fails to become compliant, its ability to accept credit cards may eventually be revoked.

PCI DSS Requirements of security tests for banks

PCI DSS sets stringent norms that banks are expected to follow diligently to stay compliant. As per the Standard, banks are required to perform adequate security tests and implement the required measures to ensure cardholder data is secure. Below is a list of the security tests that banks are expected to conduct:

  • Banks are expected to run controlled breach attempts against the bank's own network to ensure that the network, endpoints and web applications are secure.
  • Perform security tests to identify known vulnerabilities such as SQL injection, OS command injection, cross-site scripting and broken authentication, to name a few.
  • Banks need to test quarterly for authorized and unauthorized wireless access points.
  • Perform penetration testing on networks and applications at least once a year, or after a significant change has been made to the application. The aim of a pen test is to identify all possible threats and vulnerabilities and attempt to exploit them to gain further access to systems at both the application and network level.

Conclusion 

Most financial organizations find it challenging to meet the security testing requirements of PCI DSS. From a security point of view, however, the majority of Indian banks and the payments industry have been complying with the PCI DSS policies and requirements and have made the Standard a priority. They have embraced the Standard in a big way by diligently establishing service provider compliance and merchant compliance, and by setting up frameworks for risk assessment and for security testing at both the network and application layer. Moreover, failure to comply with the Standard has severe consequences in terms of loss of trust and credibility, not to mention hefty penalties.

Author Bio: Narendra Sahoo is a director of VISTA InfoSec, one of the foremost companies in InfoSec compliance, assessment and consulting services, providing vendor-neutral services in areas such as PCI DSS Consulting & Certification, PCI PIN, SOC2, GDPR, HIPAA, MAS TRM, PDPA, PDPB, VA/PT, Web/Mobile AppSec, Red Team Assessment, etc.
