Narendra Sahoo, Director, VISTA InfoSec
Over a million people across the globe become victims of cybercrime every day. More alarming still, despite the numerous precautionary measures organisations take, attackers keep evolving and use advanced techniques to break into systems and illegally access critical data. You therefore have every reason to worry about the confidentiality of your business-critical and customer data. Breach research over the years consistently shows that payment card data is among the most frequently compromised categories of data. This is why the major card brands formed the PCI Security Standards Council (PCI SSC) in 2006 to maintain the PCI DSS (first published in 2004) and strengthen the protection of cardholder data.
About PCI DSS
The Payment Card Industry Data Security Standard (PCI DSS) is a set of information security requirements administered by the PCI Security Standards Council. The Standard was established by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. to safeguard debit and credit card data. Its scope covers the people, processes and technology that touch cardholder data: security management, policies and procedures, network architecture and software design, wherever card data is accepted, processed, stored or transmitted. The aim is that every organisation handling payment card data maintains a secure environment that protects consumers and merchants. Put simply, PCI DSS applies to any organisation that holds, processes or passes cardholder information from a card carrying the logo of one of the participating brands. In most jurisdictions PCI DSS compliance is not a statutory requirement but a form of self-regulation: organisations that process card payments agree contractually, through the card brands and their acquirers, to comply with PCI requirements.
Implications of PCI DSS for the Banking and Financial Industry
Entities that handle card data from any of the five major card brands (Visa, Mastercard, American Express, Discover and JCB International) are required to comply with PCI DSS, and the banks that issue those brands' cards are contractually bound to do so. Compliance obliges these entities to govern and secure consumers' payment card data for as long as it exists in their environment.
Financial institutions, including issuing banks (banks that offer credit cards to consumers), acquiring banks (financial institutions that hold merchants' bank accounts, receive payments through the card processors and deposit funds on behalf of the merchants), merchants and service providers that process transactions and enter into contracts with the five card brands, must protect cardholder data. There is no minimum volume: an organisation that processes just four card transactions a month is still expected to be PCI compliant, and a company that outsources payment processing to a third party remains responsible for the parts of the card data flow it controls and for confirming that provider's compliance. PCI DSS gives banks and other financial institutions prescriptive controls for preventing data theft and loss, and requires a tested incident response plan (Requirement 12.10) for dealing with a suspected or confirmed breach.
Fines and Penalties for Merchants and Banks on Non-Compliance
In the event of a data breach, the card brands investigate the merchant's level of PCI DSS compliance and also assess how well the acquiring bank enforced it. Based on the findings, fines are apportioned between the bank and the merchant. Fines typically range from $5,000 to $100,000 per month, depending on the size of the merchant's business and the degree of non-compliance. Note that fines levied on the bank are commonly passed on to the merchant through higher transaction fees or service charges. For repeat violations, additional fines may be levied at the discretion of the merchant's acquiring bank, and fines may be increased over time until the merchant is deemed compliant. If the merchant still fails to comply, its ability to accept card payments may eventually be revoked.
PCI DSS Security Testing Requirements for Banks
PCI DSS sets stringent norms that banks must follow diligently to stay compliant. Under the Standard, banks are required to perform adequate security testing and to remediate what it finds, so that cardholder data remains secure. The security tests banks are expected to conduct include the following (requirement numbers refer to PCI DSS v3.2.1, with the renumbered v4.0 requirement in brackets):
- Controlled attack simulations against the bank's network, endpoints and web applications, to confirm that they resist the intrusion techniques an attacker would actually use rather than only passing an automated scan.
- Application-layer security testing for known vulnerability classes such as SQL injection, OS command injection, cross-site scripting (XSS) and broken authentication (Requirement 6.5 [6.2.4]), alongside quarterly internal vulnerability scans and external scans by an Approved Scanning Vendor (Requirement 11.2 [11.3]).
- Quarterly testing for authorised and unauthorised (rogue) wireless access points in the cardholder data environment (Requirement 11.1 [11.2]).
- Penetration testing of networks and applications at least once a year and after any significant change to the infrastructure or application (Requirement 11.3 [11.4]). The aim of a pen test is to identify exploitable threats and vulnerabilities and then attempt to exploit them to gain further access, at both the application and the network level, so that findings are validated by hand rather than left as scanner output.
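As an added illustration of what the application-layer test in the list above looks for, here is example code written for this page (it is not VISTA InfoSec's or any bank's code) in Python: a lookup function that builds SQL by string concatenation next to its parameterised replacement, and the minimal injection probe a penetration tester would automate against both. The table, customer names and truncated PAN values are constructed test data, and the probe payload is a textbook tautology; a real test would use a broader payload set.

```python
import sqlite3


# Constructed in-memory table of tokenised card records (test data, not real cards).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (customer TEXT, pan_last4 TEXT, token TEXT)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?, ?)",
        [("alice", "1111", "tok_alice"), ("bob", "4444", "tok_bob")],
    )
    return conn


def lookup_vulnerable(conn, customer):
    # Vulnerable: user input is spliced into the SQL text, so quote characters and
    # keywords in the input are parsed as SQL (the pattern Requirement 6.5.1 targets).
    sql = "SELECT customer, pan_last4 FROM cards WHERE customer = '" + customer + "'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn, customer):
    # Hardened: the value is bound as a parameter and can never alter the query structure.
    sql = "SELECT customer, pan_last4 FROM cards WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


def is_injectable(lookup, conn):
    # Minimal injection probe: a tautology payload must not return more rows than a
    # customer name that does not exist. Any increase means the input reached the parser.
    baseline = lookup(conn, "no-such-customer")
    probe = lookup(conn, "no-such-customer' OR '1'='1")
    return len(probe) > len(baseline)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup injectable:", is_injectable(lookup_vulnerable, db))  # True
    print("hardened lookup injectable:  ", is_injectable(lookup_hardened, db))    # False
```

The probe compares row counts rather than looking for error messages, which is why it also catches blind injection where the application swallows database errors; the fix is the parameterised query, not input filtering.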
Most financial organisations find it challenging to meet the security testing requirements of PCI DSS. Even so, the majority of Indian banks and payment companies have adopted the Standard's policies and requirements and made it a priority: they have established service provider and merchant compliance programmes and set up frameworks for risk assessment and for security testing at both the network and the application layer. Failure to comply carries severe consequences, in lost trust and credibility as well as hefty penalties.
Author Bio: Narendra Sahoo is a director of VISTA InfoSec, one of the foremost companies in InfoSec compliance, assessment and consulting services, providing vendor-neutral services in areas such as PCI DSS consulting and certification, PCI PIN, SOC 2, GDPR, HIPAA, MAS TRM, PDPA, PDPB, VA/PT, web/mobile AppSec and red team assessment.
WHY BANKS NEED TO EMBRACE OPEN SOURCE COMMUNITIES
Nikolai Stankau, Director Business Development, EMEA Financial Services at Red Hat, the world’s largest enterprise open source solutions provider.
Banks and financial services firms have long benefited from open source software, which is code developed in a decentralised and collaborative way. Open source software is cost-effective and flexible, is developed rapidly, and tends to have more longevity than its proprietary peers because it is maintained by communities rather than a single author or company. According to Red Hat's own research, 93% of IT leaders in financial services say that enterprise open source is important to their organisation.
Alongside adopting open source products, which many banks already do, there’s opportunity for these organisations to have a greater influence in the development of industry software, by engaging in ‘upstream’ open source community projects.
The advantages of engaging in upstream communities
In open source projects, code is developed as a shared process by a community of thinkers and developers anywhere in the world. Collaborating directly with these communities – what’s known as ‘upstream’ participation – can give banks a major competitive advantage on their journey to innovate. From there, software can either be downloaded at no cost, or consumed via a trusted open source vendor that secures and stabilises the software to make it suitable for an enterprise to use. This is also known as the ‘downstream’.
A company that contributes its developers’ time and resources to an open source community gets rewarded with the output of hundreds of developers working on the same code. This leads to a magnification effect, by virtue of the fact you’re expanding your team many times over while also benefiting from a much more diverse pool of talent. The result is that organisations can be captains of the product development process and work together with the community to design features and functionalities that meet their needs and keep up with customer demands.
An added benefit for banks engaging in these communities is it provides a great access point for sourcing new talent, as well as helping to retain existing talent. Developers are attracted to organisations that engage in upstream development because it allows them to be at the forefront of open source innovation and new community-led initiatives.
It's common for multiple organisations in the industry to come together and collaborate on a project, which can drive significant benefits for the community as a whole. A good example is the Fintech Open Source Foundation (FINOS), a community set up by banks to promote industry collaboration by delivering software that addresses common industry challenges and drives faster innovation. The concept had its origins in Symphony, an open-sourced messaging and collaboration tool that was adapted and improved upon by developers from other banks, ultimately helping the company to become a major business valued at around $1.4bn.
Where to join forces versus compete
Although the benefits of engaging in upstream communities are manifold, some organisations have concerns around intellectual property as well as the productivity of developers contributing to open source projects rather than exclusively working on the bank’s own proprietary software. To this latter point – in reality, the development of new solutions and features built inhouse often requires many months, whereas product ideas shared in a community setting can be executed in much shorter time frames. As the saying goes, many hands make light work.
Regarding the essential consideration of IP and competitiveness: much of where banks differentiate is at the application layer, in the services they develop and offer, rather than in the underlying operating system or middleware. Those foundations tend to be common and standard, and they are what let organisations get to market as fast as possible. The greatest opportunity for banks therefore lies in shared platforms such as Linux and Kubernetes, the latter now the industry standard for container orchestration and one of the most important technologies used in financial services. Kubernetes attracts many contributors from diverse organisations all over the world.
Some IT leaders also recognise structural roadblocks: transitioning an organisation to new ways of thinking and operating is a process that isn’t achieved overnight. Not all banks have the legal or tech mechanisms in place to be able to share their code externally, and company policies can prevent their employees from engaging in open source communities. In a heavily regulated industry, it takes time for some organisations to create the necessary changes before they can harness the potential of upstream communities.
The future is open
As the software ecosystem expands, and in the face of accelerated digital transformation driven by the ‘new normal’ of the COVID-19 pandemic, banks and financial services have the opportunity to evaluate how they can get involved in open source. There are many ways to do this: they can invest financially in communities, provide technical leadership and resources, or contribute code. With organisations under more pressure than ever to gain a competitive advantage, playing a role in open source communities will help them create better products, speed up time to market and position themselves at the forefront of financial innovation.
MORE THAN REGULATION – HOW PSD2 WILL BE A KEY DRIVING FORCE FOR AN OPEN BANKING FUTURE
Ralf Ohlhausen, Executive Advisor, at PPRO
Whilst initially seen as simply a regulatory exercise, the second Payment Services Directive (PSD2) has been a key driving force behind Open Banking, an initiative that presents a hopeful vision for the future of the financial services sector. Thanks to advances in technology, the payments industry is seeing disruption of legacy banking systems and a move towards a world of Open Data. With Open Banking, third-party providers (TPPs) can offer customers a wealth of new and automated services beyond their bank's standard offering, such as recommending which products to buy or even advising which bank to use.
PSD2 requires banks to build mechanisms that let third-party providers (TPPs) work securely, reliably and rapidly with the bank's services and data on behalf of, and with the consent of, the bank's customers. Banks in EU member states must give authorised (i.e. licensed) TPPs access to customers' accounts either via Application Programming Interfaces (APIs) or via their customer-facing interfaces, and TPPs identify themselves to those interfaces with eIDAS qualified certificates (RTS Article 34). PSD2 also mandates Strong Customer Authentication (SCA): under the Regulatory Technical Standards (RTS), a customer initiating an electronic payment or accessing transaction data must present at least two independent factors from the categories of knowledge (something they know), possession (something they have) and inherence (something they are). For remote payments the resulting authentication code must also be dynamically linked to the amount and the payee shown to the customer, so that altering either after approval invalidates it.
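To show what dynamic linking means in practice, here is an added example in Python, written for this page rather than taken from PPRO's or any bank's SCA implementation. It models the possession factor as an HMAC key provisioned to the customer's registered device (an assumption; the RTS prescribes the property, not the algorithm), derives an 8-digit authentication code from the amount, the payee and a per-payment challenge, and verifies that the code is rejected when either the amount or the payee is altered after the customer approved it. The key, IBANs and challenge are constructed values.

```python
import hashlib
import hmac

# Assumed: a per-device HMAC key shared with the bank's SCA service at enrolment.
# Constructed value for the example; a real key would live in hardware-backed storage
# on the device and in an HSM at the bank.
DEVICE_KEY = b"example-device-key-for-illustration-only"


def link_message(amount_cents, payee_iban, challenge):
    # The RTS requires the code to be specific to the amount and payee the payer was
    # shown; the per-payment challenge makes it single-use. The separator cannot occur
    # inside any field (integer amount, alphanumeric IBAN, hex challenge).
    return f"{amount_cents}|{payee_iban}|{challenge}".encode()


def generate_auth_code(key, amount_cents, payee_iban, challenge):
    # Computed on the customer's device after it displays amount and payee.
    msg = link_message(amount_cents, payee_iban, challenge)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Truncate to an 8-digit code the customer can read back (format is an assumption).
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


def verify_auth_code(key, amount_cents, payee_iban, challenge, code):
    # The bank recomputes the code from the transaction it is about to execute, so any
    # change to amount or payee after approval yields a mismatch. Constant-time compare.
    expected = generate_auth_code(key, amount_cents, payee_iban, challenge)
    return hmac.compare_digest(expected, code)


def demo():
    challenge = "3fa85f64"  # constructed; in practice a fresh random value per payment
    amount, payee = 12500, "DE89370400440532013000"
    code = generate_auth_code(DEVICE_KEY, amount, payee, challenge)
    approved = verify_auth_code(DEVICE_KEY, amount, payee, challenge, code)
    amount_changed = verify_auth_code(DEVICE_KEY, 99900, payee, challenge, code)
    payee_changed = verify_auth_code(DEVICE_KEY, amount, "GB29NWBK60161331926819", challenge, code)
    return approved, amount_changed, payee_changed


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The point of the exchange is that a one-time code which is not bound to the transaction (a plain SMS OTP, for example) can be replayed by malware that silently rewrites the payee after the customer approves; binding the code to amount and payee, and having the bank recompute it from what it will actually execute, closes that gap.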
Despite the progress of PSD2, however, there are still challenges to overcome to achieve widespread adoption and to meet Open Banking objectives. So, what are the current roadblocks that European banks and financial services need to overcome to make Open Banking a beneficial reality for all?
Delays to API development
A crucial factor holding back the acceleration towards Open Banking has been delay in API development. These APIs are the technology TPPs rely on to migrate their services and customer base onto PSD2-compliant access.
One contributing factor was that the Regulatory Technical Standards (RTS) on SCA and secure communication that underpin PSD2 left room for too many different interpretations. This ambiguity caused banks to slip behind schedule in building their APIs, which in turn hindered European TPPs in migrating their services without losing customers, particularly outside the UK, where no regulatory extension was granted and the API framework is the least advanced.
A lack of awareness
Levels of awareness of the new regulations, and of the changes to how customers access bank accounts and make online payments, are very low among consumers and merchants. This leads to confusion and distrust of the authentication process in advance of the SCA roll-out. Moreover, because the majority of customers don't yet know about Open Banking, they aren't aware of its benefits. Without customer awareness and demand it may be very hard for TPPs to generate interest in and uptake of their products.
Recently some regulators and banks, such as the Central Bank of Ireland, have made decent efforts to raise awareness of the changes with PSD2 campaigns. But it isn't reaching the general public. When it does, it's often through scaremongering, or fear, uncertainty and doubt around data security fuelled by incumbents protecting their business. That isn't the right way to approach the issue either, as it leaves people more afraid rather than more aware. Instead, it is the role of payment service providers to educate their customers about Open Banking requests and opportunities, to ensure the public are aware of the changes to payment authentication procedures when SCA comes into play and are empowered to move their data.
TPPs have a real vested interest in getting customers on board with Open Banking. They should build on their customer relationships to grow trust and raise levels of education around the changes. When customers sign up for a new service, TPPs need to tell them explicitly what to expect before they have to do it, plus what explicit consent is required to access their account information in exchange for value-added services.
Outweighing the challenges with opportunities
Although the introduction of PSD2 hasn't been seamless for the banking and fintech industry, it is set to offer many benefits and advantages for end customers and the financial industry. The regulation is intended to create an integrated and frictionless European payments system that gives customers more choice, control and security over their finances than ever before.
One of PSD2’s primary goals is to provide greater protection against fraud for banking customers, who may have previously been open to risk through weak authentication and unregulated data-sharing practices. The new rules insist on enhanced security requirements, including the use of Strong Customer Authentication (SCA) to protect customers while making electronic payments.
Furthermore, TPPs unencumbered by legacy technology have long been able to innovate faster than traditional banks. Now, this regulation will provide regulated and secure access to customer data, allowing them to develop products even more quickly. The new regulation also promotes technology on a European level and encourages fintechs to do what they do best: innovate.
It’s also important to not forget that PSD2 regulation increases market competition allowing customers to choose a wider range of suppliers for their banking and payment services without having to switch their bank for that. The decoupling of banking services from the underlying account infrastructure will make it easier for customers to opt for the banking services that best fit their needs. It also increases the number of financial providers, services and products which customers will be able to choose from.
The future of Open Banking
The financial services landscape is becoming a firmly consumer-centric environment. Across the UK and Europe, we’ll continue to see the rollout of technologies that put control in the hands of consumers. Open Banking will be pivotal in its role, opening up new avenues and opportunities for both banks and payment service providers (PSPs).
Thanks to Open Banking, the ability to share data securely in the retail banking sector has led to a sophisticated ecosystem where the customer is in charge of their payments and choice of banking services. Over the next decade, we should expect to see the same level of transformation in our digital services and data sharing, leading to a complete rebalance of services where customers will be able to actively own their data and use it the way they like.
Europe is currently leading the Open Banking race, so the successful implementation of PSD2 and SCA is extremely important to maintain the lead and build a future with Open Finance and Open Data as well.