Finance derivative recognizes the names of the world’s best finance firms and banks 2021 in Netherlands

Finance derivative award winner 2022

On 10 January 2022, Finance Derivative announced its Awards 2021 winners in the Netherlands. The overall winners for Sustainable Banks, Internet, Retail, SME, Innovative Banks, Forex Broker and Asset Management Company were announced, along with the overall global sub-category winners. The grand prizes for the World’s Worthy Winners were presented for 2021.

A full report will appear in the December 2021 issue, covering the winners list in individual countries and regional sub-categories. Finance Derivative’s Awards are based on submissions from banks that wish to be considered. This year, nearly 500 individual companies and banks from around the world entered the competition. The Awards judging panel comprised representatives from global leaders in consulting, technology and outsourcing solutions. Based on the panel’s evaluations, Finance Derivative’s Editor made the final selections.

Winners were selected based on strength of strategy for attracting and servicing online customers, success in getting clients to use digital offerings, growth of online customer base, breadth of products offered, evidence of tangible benefits gained from digital initiatives, and website design and functionality. Subcategory winners were selected on the basis of relative strength, products and services.

The list of winners announced in Netherlands follows in page 1 of 2.

For editorial information please email: info@financederivative.com

Winners Award Title
Aafiya TPA Services Best Customer Service Insurance Provider UAE 2021
ACB Asset Capital Business Inc. Fastest Growing Forex Trading Company UK 2021
ACB Asset Capital Business Inc. Most Customer Centric Service Provider UK 2021
Access Bank Group Best CSR Bank Nigeria 2021
Access Bank Group Best Mobile Banking App Nigeria 2021
Accra City Hotel Best Hotel Financial Controller West Africa 2021 – Mr. Divine Matey
Accra City Hotel Best General Manager West Africa 2021 – Mr. Roman Krabel
Ahli United Bank B.S.C., Best Private Bank Bahrain 2021
Ahli United Bank B.S.C., Best Retail Bank Bahrain 2021
Al Hilal Life Best Life And Health Insurance company Bahrain 2021
Alizz Islamic Bank Best Islamic Banking Brand Oman 2021
AsiaPay Best Payment Solution Provider Asia Pacific 2021
AvaTrade Best Forex Broker Ireland 2021
Axia Investments Best Regional Forex Trading Platform MENA 2021
Banco de Fomento-BFA-Angola Best Commercial Bank Angola 2021
Banco de Investimento Global Most Trusted Investment Bank Portugal
Banco de Investimento Global Most Leading Corporate Bank Portugal
Banco de Investimento Global Fastest Growing Retail Bank Portugal 2021
Banco Industrial, S.A. Most Effective Issuing Bank Guatemala 2021
Banco Santander Chile Best IR Team Chile 2021
Bank Dhofar Best Mobile Banking Application Oman 2021
Bank Dhofar Best Commercial Bank Oman 2021
Bank Dhofar Best Investment Bank Oman 2021
Bank for Investment & Development of Vietnam-BIDV Best SME Bank Vietnam 2021
Bank of Ayudhya – Krungsri Best Consumer Digital Solution Provider Thailand 2021
Bank Of Mauritius Best Public Financial Services Institutions Mauritius 2021
Bao Viet Securities Best M&A Advisory Firm Vietnam 2021
Being She Best International Women Empowerment Organization UAE 2021
BlackStone Futures (pty) ltd Most Preferred Forex Broker South Africa 2021
BPI Capital Corporation Best Investment Bank Philippines 2021
Bualuang Securities Public Company Limited Most Trusted Securities Firm Thailand 2021
Cellcard (CamGSM Co Ltd) Most Reliable Telecom Operator Cambodia 2021
China Asset Management Company Best Fund Management Company China 2021
China Asset Management Company Best Asset Management Company China 2021
Chinggis Khaan Bank Best Investment Bank Mongolia 2021
CI Asset Management Best Money Market Fund Company Egypt 2021
CI Asset Management Best Asset Manager Egypt 2021
CM Trading Best Financial Broker Company Africa 2021
Commercial Bank of Ceylon PLC Best Trade Finance Bank Sri Lanka 2021
Commercial Merchant Credit (Pvt)Ltd Most Trusted Micro Financial Service Provider Company Sri Lanka 2021
COSCO SHIPPING Ports Ltd Best Port Operator Hong Kong 2021
COSCO SHIPPING Ports Ltd Best CSR Company (Port Sector) Hong Kong 2021
ČSOB Private Banking Best Private Bank Czech Republic 2021
Cumplo Best Collaborative Financing Platform Chile 2021
Dai-ichi Life Vietnam – Sacombank Most Trusted Bancassurance Provider Vietnam 2021
DLM Capital Group Best Securitisation House Nigeria 2021
Easy Markets Best Crypto Innovation By Broker UAE 2021
Ecommpay-UK Best Payment Solution Providing Company UK 2021
Enobytes Most Outstanding Food & Travel Blog US 2021
Fast Cover Travel Insurance Best Travel Insurance Company Australia 2021
Fine Hygienic Holding Most Innovative Mask Manufacturing Brand MENA 2021
First Bank of Nigeria Ltd Most Customer Trusted Bank Nigeria 2021
First Bank of Nigeria Ltd Most Innovative Retail Banking App Nigeria 2021
First Capital Bank Botswana Best Forex Rates Botswana 2021
First National Bank-Zambia Most Admired Financial Services Brand Zambia 2021
Forex Masters Best Forex Trading Technique Company Africa 2021
Fosun Hani Securities Limited Fastest Growing Investment Bank Hong Kong 2021
Fosun International Limited Best Corporate Communications Hong Kong 2021
Fosun International Limited Best Innovation-driven Consumer Group Hong Kong 2021
FundCalibre Best Fund Research Firm UK 2021
FXPRIMUS Best Partners Programme South East Asia 2021
FXTM Best Education Provider Nigeria 2021
FXTM Most Trusted Broker Nigeria 2021
GCM Yatırım Menkul Değerler A.Ş Best Forex Broker Turkey 2021
GCM Yatırım Menkul Değerler A.Ş Best Online Broker Turkey 2021
Genero Capital LLC Best Private Equity Investments Firm UAE 2021
GFH Financial Group Best Islamic Investment Bank Bahrain 2021
GLS Gemeinschaftsbank eG Best CSR Bank Germany 2021
Gold-i Ltd-UK Most Influential Fintech Company UK 2021
Greenstone Equity Partners Best Advisory Service UAE 2021
Greystone Wealth Management Best Discretionary Fund Management Group Great Britain 2021
Homes 4 Life Real Estate Best Real Estate Residential Brand UAE 2021
HotForex Best Client Services Company Global 2021
Inter-Horizon Securities Most Trusted Advisory Services Provider Zimbabwe 2021
Intouch Holdings PLC Best Technology Public Company Thailand 2021
InvestChile Most Leading Investment Promotion Agency Chile 2021
Investment One Financial Services Limited Most Innovative Financial Services Nigeria 2021
JFD Group Ltd Best Forex Broker Europe 2021
Joyalukkas Exchange Most Innovative Remittance App UAE 2021
KCB Group Most Socially Responsible Bank Kenya 2021
KCB Group PLC Most Outstanding Leadership in Sustainable Finance Africa 2021
KCB Group PLC Best Customer Service Bank Kenya 2021
KDEDEC Consultancy and Training Company Most Leading Consultancy And Training Company Turkey 2021
Khan Bank of Mongolia Best Retail Bank Mongolia 2021
Krungthai – AXA Life Insurance PCL. Best Companies To Work For In Asia 2021
LegacyFx Most Innovative Forex Broker South Africa 2021
LegacyFx Most Competent Trading Professionals Middle East 2021
LegacyFx Fastest Growing Broker Europe 2021
Liquid Telecom-Kenya Best Telecommunications Company Kenya 2021
LOLC Technology Services Limited Best Electronic Payment Solutions Provider Sri Lanka 2021
Mashreq Best Smart Retail Bank Middle East 2021
MasterCard Best Corporate Accelerator Middle East 2021
MauBank Ltd Most Leading SME Bank Mauritius 2021
Maybank Kim Eng-Singapore Best Institutional Broker Singapore 2021
Maybank Kim Eng-Singapore Best Retail Broker Singapore 2021
Maybank Kim Eng-Thailand Best Retail Broker Thailand 2021
Megaworld Corporation Best Real Estate Developer Philippines 2021
MREIT,INC Most Trusted Real Estate Investment Trust Company Philippines 2021
MetLife Emeklilik ve Hayat Most Leading Life Insurance Company Turkey 2021
Metropole Property Strategists Best Property Investment Consultants Australia 2021
Natal Joint Municipal Pension-Provident Funds Best Retirement Fund Managing Company South Africa 2021
National Bank of Kenya Best Digital Customer Service Providing Bank Kenya 2021
National Development Bank PLC Most Innovative Digital Solutions Provider Sri Lanka 2021
National Development Bank PLC Best Project Financing Bank Sri Lanka 2021
National Development Bank PLC Best Commercial Bank Sri Lanka 2021
National Development Bank PLC Best Banking CEO Sri Lanka 2021-Mr. Dimantha Seneviratne
National Development Bank PLC Best Initiative Empowering Women’s Market Segment “Sri Lanka Vanithabhimana” Sri Lanka 2021
One Asset Management Limited Most Leading Mutual fund Management Company Thailand 2021
Pacífico Seguros Most Leading Insurance And Reinsurance Company Peru 2021
Pangaea Securities Limited Best Mergers & Acquisitions Advisory Firm Zambia 2021
Petronas Dagangan Bhd Best Corporate Governance Malaysia 2021
Petronas Dagangan Bhd Best IR Team Malaysia 2021
Petronas Dagangan Bhd Best Oil & Gas for Retail & Marketing Malaysia 2021
Petsy Pty Ltd Fastest Growing Animal Insurance Company Australia 2021
PortugalRur Best Rural Real Estate Brand Portugal 2021
Profile Software Best Investment Management Software Solutions Provider UK 2021
Profile Software Best Wealth Management Solutions Provider UK 2021
Proshare Nigeria Most Reliable Financial Intelligence Services Providing Firm Nigeria 2021
PVcom bank Best Trade Finance Bank Vietnam 2021
PVcom bank Best Card Service Provider Vietnam 2021
PVcom bank Best Bank for Customer Services Vietnam 2021
Pyramedia Best In Media And Marketing UAE 2021
QInvest LLC Most Trusted Investment Solution Provider Qatar 2021
QInvest LLC Best Islamic Fund Managers Qatar 2021
RIF Trust Investments LLC Best Global Citizenship & Residency Advisory Firm UAE 2021
Sberbank of Russia Most Leading Financial Institution Russia 2021
SeABank Best Digital Transformation Business Vietnam 2021
Shorooq Investments PLLC Fintech Investor Of The Year UAE 2021
Stanbic IBTC Asset Management Best Non Pension Asset Management Company Nigeria 2021
Stanbic IBTC Bank PLC Most Leading Commercial Bank Nigeria 2021
Stanbic IBTC Pension Managers Best Pension Fund Administrator Nigeria 2021
Standard Bank-Malawi Best CSR Bank Malawi 2021
Steward Bank Most Innovative Bank Zimbabwe 2021
Strategic Management Partners, Inc. Turnaround Consulting Firm of the Year USA 2021
SUBIC BAY METROPOLITAN AUTHORITY Most Influential Women Philippines 2021 -ATTY. WILMA T. EISMA
Taipei Fubon Commercial Bank Co., Ltd Best Mobile Banking Application for Micro and SME Taiwan 2021
Taipei Fubon Commercial Bank Co., Ltd Best Micro Finance Bank Taiwan 2021
Taipei Fubon Commercial Bank Co., Ltd Best Risk Governance and Intellectual Anti-hacking Initiative Taiwan 2021
Taipei Fubon Commercial Bank Co., Ltd Best Intelligent Information Security Management Taiwan 2021
Taipei Fubon Commercial Bank Co., Ltd Best Trade Finance Bank Taiwan 2021
Taipei Fubon Commercial Bank Co., Ltd Best Blockchain Enabled Supply Chain Finance Solution Taiwan 2021
THAI UNION GROUP PCL. Best Group CEO Thailand [Food Industry]-Thiraphong Chansiri 2021
U&I MICROFINANCE BANK Ltd Most Innovative Microfinance Bank Kenya 2021
uab bank Limited Best CSR Bank Myanmar 2021
Vanguard Life Assurance Company Ltd-Malawi Best Life Assurance Company Malawi 2021
Vattanac Bank Best Customer Service Providing Bank Cambodia 2021
Vattanac Bank Best Bank In Corporate Governance Cambodia 2021
Vietcombank Fund Management Best Asset Management Company Vietnam 2021
Wema Bank Most Innovative Digital Bank Nigeria 2021
Wema Bank Best Digital Bank Nigeria 2021
Xero Capital Markets Ltd Most Transparent Broker Asia 2021
Yapı Kredi Asset Management Best Pension Funds Management Company Turkey 2021
Yapı Kredi Asset Management Best Asset Management Company Turkey 2021
Yapi Kredi Bank Best Private Bank Turkey 2021
Zeepay Best Mobile Payment Platform Ghana 2021

About Us:

Finance Derivative is a global finance and business analysis magazine, published by FM. Publishing, Netherlands.

It is one of the prime print and online magazines providing broad coverage and analysis of the finance industry, international business and the global economy, empowering businesses and corporate companies around the world. Its leadership articles are read by industry professionals at all levels of banking, financial services, payment solutions and insurance, as well as by technology and consulting executives.

Finance Derivative features global news and analysis from the finance world and corporate excellence, be it trading and banking, wealth management, businesses, technology or financial services, that are impacting the world economy. We provide our users with an excellent digital experience on the website as well as through the digital magazine, video blogs, research reports and events. With an experienced team of professional industry journalists, we bring detailed coverage of a comprehensive range of industry topics.

Visit www.financederivative.com


How to reignite your store with streamlined operations and a distinctive customer experience

By Colin Neil, MD, Adyen UK

Retailers know that prioritising customer experience is vital to success today. That, alongside the management of complex supply chains and the cost-of-living crisis, is a lot to oversee.

Further, the pandemic has accelerated technology’s role in building a relationship between store and customer. Consumer adoption of digital, cashless payments has accelerated. PwC’s ‘Payments 2025 and Beyond’ report predicted that cashless transactions could triple in volume by 2030. This trend aligns with our own experience of 2021, in which we’ve witnessed a 70% jump in transaction volumes. It demonstrates the rapid digital transformation of retail as pandemic trends amplified the role of ecommerce in online and offline sales.

Operationally, there’s a lot for retailers to think about. The question is: Which are the technologies that will allow them to truly transform the customer experience?

Consider Android mPOS

Traditional mobile POS (mPOS) terminals are a great way to unshackle sales from a static cash-desk, helping to reduce queues and improve the overall shopping experience. However, they’ve also presented some operational challenges. These devices only take payments; they’re unable to scan barcodes or check stock, meaning that sales teams become burdened with a utility-belt’s worth of additional devices to fulfil these needs.

But recently, the entrance of the new Android mPOS terminal has caused a stir since it’s an all-in-one solution that can manage a multitude of functions, via installed apps. This includes: checking a customer’s previous orders and eliminating the need for separate cash registers, barcode scanners, and even customer facing displays.

These devices represent a fundamental change in the role of the payment terminal. Thanks to its app management system, retailers can manage the functions they use every day in a single hand-held device, from inventory management, to loyalty programmes, returns and more.

Palisis, a provider of sales and operations solutions for tourism and transportation businesses, and Immfly, an in-flight digital services provider, are among the first of our customers to roll out the terminals. In doing so, they’re simplifying the management of their business and freeing up staff to focus on the customer experience. Here’s how:

  1. Streamlining operations

Android mPOS terminals let you consolidate your store’s business functions into one device. This is a big benefit for your bottom line, since managing multiple systems and hardware can lead to high costs, from set up to ongoing maintenance. Furthermore, customisation from a centralised location gives an overview of all a retailer’s terminals. Adyen’s Terminal Fleet Manager, for example, is capable of multiple configurations – including terminal location, logo, refunds, receipts etc – remotely.

Consolidating these systems reduces cost of ownership, helping you free up budget for other investments and innovations. It’s also simpler for staff to use the one system, making their jobs much easier, especially during busy periods.

  2. Flexibility to grow

When systems are consolidated on a single device, it’s easier to update and scale technology as your business evolves. For example, if you process payments on a centralised platform, like Adyen, the same software and end-to-end encryption can be quickly rolled out across all your stores, anywhere in the world. You can also cater to customers’ preferred local payment methods, as well as the major global ones, without needing additional terminals or worrying about local acquiring headaches.

On top of that, if all customer-facing channels and backend systems are connected via one platform, you can monitor online and in-person payments in one place. You can recognise and reward loyal customers in real-time, future-proofing the customer experience with invaluable data insights. 

  3. Convenience for customers

Mobile devices allow customers to make purchases from anywhere. This has led some retailers to consider doing away with the till area completely. Tesco’s entered this space last year, and Sainsbury’s partnered with Amazon to introduce the experience too. With no cash desks, the store is given over completely to product and service.

Getting your roll out right

Take a look at what our customers Immfly and Palisis have been able to achieve with their roll out. Immfly needed to be able to create and process drinks and snack orders during flights, without involving any extra hardware for air stewards to handle and manage. Its Android S1F2 devices integrate cash register systems directly onto WiFi-enabled terminals via an app, which sync stock levels throughout the flight. Payments can also be taken while offline on both long and short haul flights. These capabilities also mean leading ticketing and reservation tech provider Palisis can use them in many different weather conditions, from ski slopes to tour buses in the world’s biggest cities.

The best customer experiences are convenient and modern payment terminals can help retailers deliver this. Just remember, when you’re looking to roll out any new in-store tech, it’s important to research and pilot the scheme thoroughly. In that way, you’ll be sure to have the best possible impact on your customer experience and ultimately your revenue.

 

PCI DSS Compliance in the Cloud – Everything you should know

Introduction

PCI DSS 4.0 is the latest version of PCI DSS, introduced on March 31st, 2022. The updated standard is set to become effective two years from now, in 2025. PCI DSS is an international payment security standard established to ensure the secure processing of payment cards online. While the security standard is not a mandate, it is seen as an industry best practice that should be adopted by every organization and service provider dealing with payment card data. Any organization storing, processing or transmitting card data must comply with PCI DSS. By this, we mean that any service provider, including those offering cloud services, is required to comply with the payment standard. In fact, the PCI Council clearly states that cloud security is a shared responsibility between the Cloud Service Provider and its clients.

So, while Merchants need to ensure PCI DSS compliance, Cloud Service Providers also need to ensure the security of card data and accordingly meet the PCI compliance requirements. When we talk about compliance, we now need to keep in mind that the requirements have to be met as per the evolved PCI DSS 4.0 version. Although the fundamentals of PCI DSS remain the same, the PCI Council has evolved the standard with additional and more stringent security requirements. Elaborating on this, we explain below how PCI compliance impacts Cloud Service Providers, the technical and operational requirements they need to meet, and key considerations for ensuring compliance.

PCI DSS Compliance for Cloud Service Providers

In the payment card industry, the security and privacy of card data is a major concern, especially when services are outsourced. A very common misconception prevails concerning PCI DSS compliance: some believe it is for Merchants to comply with, while others say it is the Cloud Service Providers who need to comply with the payment security standard. In reality, data security and PCI DSS compliance are a shared responsibility between Merchants and Cloud Service Providers.

For these reasons, it is important that all security-related roles and responsibilities are well defined between both parties and documented to ensure accountability. The responsibilities defined should be based on the type of cloud service model, which could be Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS). Depending on the level of control each party has over the cloud infrastructure, the responsibilities concerning PCI DSS compliance can be divided between Merchants and Service Providers. Besides, PCI DSS clearly mandates the sharing of responsibilities between Merchants and Service Providers wherever applicable.

If payment card data is stored, processed or transmitted in a cloud environment, PCI DSS automatically applies to that environment and requires validation of both the Merchant’s and the Cloud Service Provider’s access to it. The allocation of responsibility between the Merchant and the Cloud Service Provider does not exempt either from their responsibility to secure data as per PCI DSS requirements. For this, clear policies, procedures and processes must be defined and agreed upon between the Merchant and the Cloud Service Provider. This should include defining all security control requirements, roles and responsibilities for operation, management and reporting as per the PCI requirements.

How can responsibilities be shared based on the cloud model?

PCI DSS v3.2.1, now the older version of the standard, had the responsibilities clearly defined between the merchants and the third parties involved, as outlined in the table below. While this can still be applicable in a given scenario, it may no longer be the only approach to implementing shared responsibilities. Since the PCI Council has introduced a customized approach alongside the traditional defined approach in PCI DSS 4.0, the responsibilities between Merchants and Service Providers may vary based on the contracts, agreements and NDAs defined and signed between the parties. In that sense, the application of the table may change accordingly.

 

PCI DSS Requirement | Responsibility for management of controls
                    | IaaS | PaaS | SaaS
1. Install and maintain a firewall configuration to protect cardholder data | Both | Both | CSP
2. Do not use vendor-supplied defaults for system passwords and other security parameters | Both | Both | CSP
3. Protect stored cardholder data | Both | Both | CSP
4. Encrypt transmission of cardholder data across open, public networks | Client | Both | CSP
5. Use and regularly update anti-virus software or programs | Client | Both | CSP
6. Develop and maintain secure systems and applications | Both | Both | Both
7. Restrict access to cardholder data by business need to know | Both | Both | Both
8. Assign a unique ID to each person with computer access | Both | Both | Both
9. Restrict physical access to cardholder data | CSP | CSP | CSP
10. Track and monitor all access to network resources and cardholder data | Both | Both | CSP
11. Regularly test security systems and processes | Both | Both | CSP
12. Maintain a policy that addresses information security for all personnel | Both | Both | Both
Appendix A: Additional PCI DSS requirements for shared hosting providers | CSP | CSP | CSP

Source: PCI Council

PCI DSS Compliance Requirements in Cloud

PCI DSS compliance comprises 12 requirements that Merchants and Service Providers need to meet. The standard applies to anyone who stores or processes cardholder data, which extends its applicability to third-party service providers, including Cloud Service Providers. With the advent of PCI DSS 4.0, the security controls and compliance requirements have evolved: additional requirements have been introduced, certain security controls have been made more stringent, and flexibility has been brought in through the option of a customized approach to payment security. All of these evolved requirements should now be taken into consideration in the cloud environment. Elaborating on this, we have shared below the PCI requirements specific to the cloud.

Build and Maintain a Secure Network and Systems

The payment systems and network need to be secured against unauthorized access by malicious individuals. This is to protect sensitive cardholder data and sensitive authentication data from breach, theft or compromise.

Requirement 1: Install and Maintain Network Security Controls

Network Security Controls (NSCs) are security control technologies that help manage network traffic between physical network segments, based on pre-defined policies or rules. Network Security Controls like firewalls, which are generally an integral part of network security, work as a front-end defense for protecting cardholder data. Deploying firewalls across all systems and networks within the card environment ensures protection against unauthorized access from untrusted sources by filtering the traffic entering (ingress) and leaving (egress) the network. Traditionally this functionality was provided by physical firewalls, but now it can also be provided by virtual devices, cloud access controls, virtualization/container systems and other software-defined networking technology. So, Cloud Service Providers are expected to implement adequate Network Security Controls to secure data and limit network access to and from the cardholder data environment across any computer network, public or private.

Requirement 2: Apply Secure Configurations to All Systems and Components

Using vendor-supplied default system passwords can be a huge threat to the systems in the Cardholder Data Environment. Default passwords are easy to guess and are at times even published in the public domain, so leaving default passwords and other default security parameters in place means leaving the doors open for attackers. Organizations generally assess cloud resources manually to identify and validate cloud misconfigurations, default settings and other security vulnerabilities. However, it is recommended that organizations take a practical approach and use advanced tools and software to check for configured defaults and validate cloud security. Applying secure configurations to system components reduces the possibility of a system being compromised by an attacker. Changing default passwords, removing unnecessary software, functions and accounts, and disabling or removing unnecessary services all help to reduce the potential attack surface.
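The two requirements above both come down to checks a cloud team can automate against its own resource inventory. The following is an added example, not code from the article or from any provider: it flags network rules that expose a CDE subnet to any address (Requirement 1) and hosts that still carry vendor-default credentials or clear-text services (Requirement 2). The CDE subnet range, the list of default credentials, the service list and the sample resources are all constructed for the demonstration; a real deployment would feed it the output of the provider's inventory API instead.

```python
"""Baseline checks for PCI DSS Requirements 1 and 2 on cloud resources.

Added example; not from the article and not tied to any provider's API.
The CDE subnets, vendor-default credentials, service list and sample
resources are all constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

CDE_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]   # constructed CDE scope
DEFAULT_CREDENTIALS = {                                 # constructed vendor defaults
    ("admin", "admin"), ("root", "toor"), ("admin", "password"),
}
UNNEEDED_SERVICES = {"telnet", "ftp", "rsh"}            # clear-text services with no place on a CDE host


@dataclass
class Rule:
    direction: str        # "ingress" or "egress"
    cidr: str             # remote address range the rule allows
    port: Optional[int]   # None means all ports
    target: str           # subnet the rule is attached to


@dataclass
class Host:
    name: str
    accounts: dict        # username -> password as found in the build image
    services: List[str]


def in_cde(subnet: str) -> bool:
    """True if the subnet lies inside the defined cardholder data environment."""
    net = ipaddress.ip_network(subnet)
    return any(net.subnet_of(cde) for cde in CDE_SUBNETS)


def check_network_rules(rules):
    """Requirement 1: the CDE must not be reachable from, or able to reach, any address."""
    findings = []
    for r in rules:
        if not in_cde(r.target):
            continue
        any_address = ipaddress.ip_network(r.cidr).prefixlen == 0   # 0.0.0.0/0
        if r.direction == "ingress" and any_address:
            findings.append(f"{r.target}: ingress from any address on port {r.port or 'all'}")
        if r.direction == "egress" and any_address and r.port is None:
            findings.append(f"{r.target}: unrestricted egress to any address")
    return findings


def check_host(host):
    """Requirement 2: no vendor-default credentials, no unnecessary services."""
    findings = []
    for user, password in host.accounts.items():
        if (user, password) in DEFAULT_CREDENTIALS:
            findings.append(f"{host.name}: account '{user}' still has a vendor-default password")
    for svc in host.services:
        if svc in UNNEEDED_SERVICES:
            findings.append(f"{host.name}: unnecessary service '{svc}' is enabled")
    return findings


# Constructed sample inventory.
SAMPLE_RULES = [
    Rule("ingress", "0.0.0.0/0", 443, "10.20.1.0/24"),      # flagged: Internet-facing CDE subnet
    Rule("ingress", "10.30.0.0/16", 5432, "10.20.2.0/24"),  # fine: database reachable only from the app tier
    Rule("egress", "0.0.0.0/0", None, "10.20.1.0/24"),      # flagged: CDE can talk to anything
    Rule("ingress", "0.0.0.0/0", 80, "10.99.0.0/24"),       # out of scope: not a CDE subnet
]
SAMPLE_HOSTS = [
    Host("cde-db-01", {"dba": "correct-horse-battery", "admin": "admin"}, ["postgres", "telnet"]),
    Host("cde-app-01", {"deploy": "fj9!Qp2#zL"}, ["nginx"]),
]


def run_checks(rules=SAMPLE_RULES, hosts=SAMPLE_HOSTS):
    """Run both checks and return every finding as a line of text."""
    findings = check_network_rules(rules)
    for h in hosts:
        findings.extend(check_host(h))
    return findings


if __name__ == "__main__":
    for finding in run_checks():
        print("FINDING:", finding)
```

Against the sample data the checker reports four findings: two network rules on the CDE application subnet and two on the database host. Note that the rule on `10.99.0.0/24` is ignored because scoping comes first; a checker that flags every open rule in the account produces noise that hides the CDE exposures.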

Protect Account Data

Protecting account data is an important requirement in PCI DSS, and both Merchants and Service Providers are expected to meet it. Cloud Service Providers must implement measures to prevent unauthorized access to sensitive payment data or cardholder data. Protecting account data does not just mean preventing unauthorized access but also preventing data compromise.

Requirement 3: Protect Stored Account Data

Protection of stored account data is an essential requirement in PCI DSS, and one way to ensure this is to limit the storage of such data in the environment and limit its retention period. Organizations are expected to follow a key rule: do not store card data that is not needed for business. PCI DSS requires Cloud Service Providers to implement appropriate security measures that keep the account data stored in the environment safe. Further, the organization needs to ensure secure configuration and management of the passwords and encryption keys deployed to secure the data. Cloud Service Providers are expected to implement security measures such as encryption, truncation, masking and hashing, which are critical components of account data protection.
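The truncation, masking and hashing controls named above are short to implement, and the harder part in practice is finding PANs that were stored in the clear despite the rule. The following added example (not from the article) shows all three transformations and a scanner that runs over stored text and reports only Luhn-valid card numbers, so that order numbers and phone numbers are not mistaken for PANs. The HMAC key, the record text and the card numbers are constructed; the numbers are the usual publicly known test PANs, not real accounts.

```python
"""Requirement 3: render stored PAN unreadable (truncation, masking, keyed hashing)
and scan stored text for PANs that were left in the clear.

Added example, not from the article. The HMAC key, the record text and the
card numbers are constructed; the numbers are publicly known test PANs.
"""
import hashlib
import hmac
import re


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test: separates a PAN from an arbitrary run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                     # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits where the full PAN is not needed for business."""
    return pan[-4:]


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA-256). Without the key, the stored value cannot be
    matched by enumerating the PAN space; PCI DSS 4.0 asks for a keyed hash here."""
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


# 13 to 19 digits, optionally separated by spaces or hyphens, not inside a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_unprotected_pans(text: str):
    """Return the masked form of every Luhn-valid PAN found in clear text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(mask_pan(digits))     # never echo the full PAN in a report
    return found


# Constructed stored records: two clear-text PANs, one already masked, one Amex,
# one non-PAN digit run and one phone number.
SAMPLE_RECORDS = """\
order=1001 pan=4111111111111111 status=ok
order=1002 pan=5555 5555 5555 4444 status=ok
order=1003 pan=411111******1111 status=ok
support ticket ref 1234567890123456
callback +44 20 7946 0958
amex 378282246310005
"""

if __name__ == "__main__":
    for hit in find_unprotected_pans(SAMPLE_RECORDS):
        print("clear-text PAN found:", hit)
    demo_key = b"constructed-demo-key-rotate-in-production"
    print("keyed hash:", hash_pan("4111111111111111", demo_key))
```

The scanner reports three clear-text PANs (the Visa, the Mastercard and the Amex) and skips the already-masked record, the ticket reference (which fails the Luhn test) and the phone number (too few digits). In a real environment the HMAC key belongs in the key-management system referred to in the paragraph above, not in the scanning code.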

Requirement 4: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks

Cryptography is the key to ensuring data confidentiality, integrity and security, so encryption is one way of protecting cardholder data in transit. PCI DSS requires Cloud Service Providers to encrypt data in transit to prevent attackers from intercepting and accessing card data sent over open networks. For these reasons, organizations are expected to render card data unreadable while it is transmitted. Implementing strong encryption protocols such as TLS 1.2, SFTP or IPsec becomes mandatory under this requirement. Further, the organization must maintain an inventory of the entity’s trusted keys and certificates used to protect PAN during transmission.
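Two concrete pieces fall out of this requirement: a protocol floor on every listener that carries PAN, and a key and certificate inventory that is actually checked rather than just kept. The following added example (not from the article) shows the weak TLS context beside the corrected one using only Python's standard `ssl` module, and a check over a constructed inventory that flags expired or soon-expiring certificates, undersized RSA keys and entries with no recorded owner. The host names, key sizes, dates and the 30-day warning window are assumptions made for the demonstration.

```python
"""Requirement 4: TLS 1.2 as the floor for data in transit, plus a checked
inventory of the keys and certificates that protect PAN.

Added example, not from the article. The listener settings, host names and
inventory entries are constructed; only the standard library is used.
"""
import ssl
from datetime import date, timedelta

EXPIRY_WARNING = timedelta(days=30)   # assumed renewal lead time
MIN_RSA_BITS = 2048                   # anything smaller is treated as weak


def weak_tls_context():
    """Weak setting: whatever protocol floor the platform's defaults happen to give."""
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def hardened_tls_context():
    """Corrected setting: TLS 1.2 is the floor, nothing older is negotiable."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def allows_legacy_tls(ctx) -> bool:
    """True if the context would still negotiate TLS 1.1 or older."""
    return ctx.minimum_version < ssl.TLSVersion.TLSv1_2


# Constructed inventory of keys and certificates protecting PAN in transit.
CERT_INVENTORY = [
    {"name": "api.example-merchant.test", "key_type": "RSA", "key_bits": 2048,
     "not_after": date(2023, 6, 30), "owner": "payments-team"},
    {"name": "legacy-gw.example-merchant.test", "key_type": "RSA", "key_bits": 1024,
     "not_after": date(2023, 2, 1), "owner": "payments-team"},
    {"name": "sftp.example-merchant.test", "key_type": "EC", "key_bits": 256,
     "not_after": date(2024, 1, 1), "owner": ""},
]


def check_inventory(inventory, today):
    """Flag weak keys, expired or expiring certificates, and entries without an owner."""
    findings = []
    for c in inventory:
        if c["key_type"] == "RSA" and c["key_bits"] < MIN_RSA_BITS:
            findings.append(f"{c['name']}: RSA key of {c['key_bits']} bits is below {MIN_RSA_BITS}")
        if c["not_after"] <= today:
            findings.append(f"{c['name']}: certificate expired on {c['not_after']}")
        elif c["not_after"] - today <= EXPIRY_WARNING:
            findings.append(f"{c['name']}: certificate expires within 30 days ({c['not_after']})")
        if not c["owner"]:
            findings.append(f"{c['name']}: no owner recorded in the inventory")
    return findings


if __name__ == "__main__":
    ctx = hardened_tls_context()
    print("hardened listener allows legacy TLS:", allows_legacy_tls(ctx))
    for finding in check_inventory(CERT_INVENTORY, date(2023, 1, 15)):
        print("FINDING:", finding)
```

Setting `minimum_version` explicitly is the point of the hardened context: it makes the floor a property of the configuration rather than of whichever OpenSSL build the platform ships, which is what an assessor will ask to see. The inventory check run on 15 January 2023 reports three findings, all on the two entries that the constructed data deliberately left weak.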

Maintain a Vulnerability Management Program

Requirement 5: Protect All Systems and Networks from Malicious Software

Malware can damage systems and compromise the confidentiality, integrity or availability of data, applications or operating systems. Malware can enter the network through the Internet (public and private networks), computer and mobile devices, and storage devices, resulting in unauthorized access, data theft and compromise of data. So, it is recommended that organizations, including Cloud Service Providers, use anti-malware solutions to protect systems from current and evolving malware threats. Further, there must be measures in place to perform periodic scans to detect such malware.

Requirement 6: Develop and Maintain Secure Systems and Software

The applicability of PCI DSS requirements may vary from organization to organization and with the types of cloud services used. This means that when using a managed service, the cloud user does not have any responsibility for ensuring that the provider’s systems are secure. But in an IaaS or PaaS model, merchants need to ensure that their Cloud Service Providers test systems for vulnerabilities, apply security updates and adopt secure development practices. PCI DSS requires verification of all code developed for public web applications, and implementation of a web application firewall (WAF) on all cloud resources that comprise or deal with sensitive cardholder data. Further, appropriate software patches must be implemented, evaluated and tested sufficiently to ensure they do not conflict with existing security configurations. Applying Software Lifecycle (SLC) processes and secure coding techniques is crucial.

Implement Strong Access Control Measures

Ineffective access controls can result in unauthorized access to data and result in a data breach. So organizations must implement strong access controls with access rights granted on a need-to-know basis and ensure the least privilege based on job classification and function.

Requirement 7: Restrict Access to System Components & Cardholder Data by Business Need-to-Know

Access to cardholder data should be limited to authorized individuals based on their roles and responsibilities. For this, merchants and service providers need to clearly define and document those roles and responsibilities. Access should then be granted on a need-to-know basis to ensure the data is accessed only by authorized personnel. The more access is granted, the greater the risk exposure and the chance of a data breach in the card environment. So access should be granted with the least privilege needed, based on job classification and function. Further, all user accounts and related access privileges, including those of third parties and vendors, must be reviewed every 6 months and the review documented, to ensure that user accounts and access remain appropriate for each job function.

Requirement 8: Identify Users and Authenticate Access to System Components

PCI DSS 4.0 requires measures specific to identifying and authenticating user access to sensitive systems and data. This includes multi-factor authentication (MFA) for access to system components, to prevent misuse of data access. Every individual with access to the data and the CDE, including staff of third-party Cloud Service Providers, must be assigned a unique user ID, so that activities around the data are performed only by authorized users and can be traced to an individual. Unique IDs make tracking and monitoring of activity in the environment straightforward and establish accountability on the part of Cloud Service Provider personnel who have access to card data. Merchants also need to develop a secure password policy and share it with their Cloud Service Providers, so that the providers know the policy and meet its requirements. Unique IDs for users and administrators should be managed throughout the account's lifecycle, from creation to removal.

Regularly Monitor Access to Networks and Data

Malicious individuals can exploit vulnerabilities and loopholes in systems and networks that connect to payment card applications or hold cardholder data. Both merchants and service providers must therefore regularly monitor access to their networks and data so that vulnerabilities can be identified and remediated. Tracking and monitoring access to cardholder data is achieved through logging.

Requirement 10: Log and Monitor All Access to Systems Component and Cardholder Data

All access to system components and cardholder data must be tracked and monitored by maintaining audit logs. Logging is crucial for effective vulnerability management: it supports thorough tracking, monitoring, and analysis of network and card data access, especially when an incident occurs. Without logs it is extremely difficult to establish the cause of a data breach in the card environment. Audit logs and the monitoring process support the detection and identification of anomalies and suspicious activity, as well as forensic analysis of incidents and events. The logs themselves must be protected from destruction and unauthorized modification, or they cannot be trusted during an investigation. For these reasons, cloud-native logging metrics and alerts (for example, Google Cloud logging metrics and alerting policies) are essential for monitoring and tracking to meet PCI DSS Requirement 10.
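
To make the two halves of Requirement 10 concrete, the following script runs simple detection rules over access logs and then shows one way to make a log tamper-evident. It is an added example written for this article, not code from the author or from any cloud provider. The log lines are constructed sample data in a made-up key=value format, and the authorized-user list, business-hours window and failure threshold are illustrative policy choices rather than PCI DSS text.

```python
"""Log review helper for PCI DSS Requirement 10.

Added example, not code from the original article. The log lines are
constructed sample data in a made-up key=value format; the authorized-user
list, business-hours window and failure threshold are illustrative policy
choices rather than PCI DSS text.
"""
import hashlib
from datetime import datetime

AUTHORIZED_CHD_USERS = {"alice", "payments-svc"}  # accounts with a documented need
BUSINESS_HOURS = range(7, 20)                      # 07:00-19:59 UTC, illustrative
FAILURE_THRESHOLD = 3                              # repeated login failures worth an alert

# Constructed database access log for a host that stores cardholder data.
SAMPLE_LOG = """\
2023-06-01T09:02:11Z host=pay-db user=alice action=SELECT table=cards result=OK
2023-06-01T09:05:40Z host=pay-db user=payments-svc action=INSERT table=cards result=OK
2023-06-01T02:14:07Z host=pay-db user=bob action=SELECT table=cards result=OK
2023-06-01T11:30:01Z host=pay-db user=mallory action=LOGIN result=FAIL
2023-06-01T11:30:05Z host=pay-db user=mallory action=LOGIN result=FAIL
2023-06-01T11:30:09Z host=pay-db user=mallory action=LOGIN result=FAIL
2023-06-01T11:30:12Z host=pay-db user=mallory action=LOGIN result=FAIL
"""


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def analyze(log_text):
    """Return (user, alert) pairs for suspicious cardholder-data access."""
    alerts = []
    failures = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        user = rec["user"]
        if rec.get("table") == "cards" and rec["result"] == "OK":
            if user not in AUTHORIZED_CHD_USERS:
                alerts.append((user, "cardholder data accessed by unauthorized account"))
            if rec["ts"].hour not in BUSINESS_HOURS:
                alerts.append((user, "cardholder data accessed outside business hours"))
        if rec["action"] == "LOGIN" and rec["result"] == "FAIL":
            failures[user] = failures.get(user, 0) + 1
            if failures[user] == FAILURE_THRESHOLD:
                alerts.append((user, f"{FAILURE_THRESHOLD} login failures"))
    return alerts


def hash_chain(log_text, seed="genesis"):
    """Digest each line together with the previous digest. Editing or deleting
    any earlier line changes every later digest, which gives the tamper
    evidence Requirement 10 expects for protected audit logs."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    chain = []
    for line in log_text.splitlines():
        prev = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        chain.append(prev)
    return chain


def verify_chain(log_text, chain, seed="genesis"):
    """True only if the log text still matches the digests recorded earlier."""
    return hash_chain(log_text, seed) == chain


if __name__ == "__main__":
    for user, alert in analyze(SAMPLE_LOG):
        print(f"{user}: {alert}")
    chain = hash_chain(SAMPLE_LOG)
    tampered = SAMPLE_LOG.replace("user=bob", "user=alice")
    print("original verifies:", verify_chain(SAMPLE_LOG, chain))
    print("tampered verifies:", verify_chain(tampered, chain))
```

On the sample log the rules raise three alerts: bob reads the cards table without being on the authorized list, does so at 02:14 outside the illustrative business window, and mallory reaches the login-failure threshold. The hash chain only helps if the digests are written somewhere the log writer cannot alter, such as a separate append-only store or a provider's immutable log sink; keeping them beside the log would let an attacker rewrite both.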

Requirement 11: Test Security of Systems and Networks Regularly

Organizations are expected to regularly test the security of systems and networks to identify vulnerabilities. For instance, all wireless access points need to be regularly inventoried and monitored to identify vulnerabilities and unauthorized (rogue) access points. With regular system and network testing, network intrusions, unauthorized changes, and unexpected file changes can be detected and addressed promptly. To this end, vulnerability scans and penetration tests must be performed regularly to identify exploitable vulnerabilities and security weaknesses. It is also important that Cloud Service Providers maintain segmentation of the CDE from other networks, so that networks that store or transmit sensitive data remain fully isolated.

Source: PCI Council   

Key PCI DSS Considerations to account for in Cloud

The PCI Council, in its cloud computing guidelines, has clearly outlined certain considerations that must be thought through to ensure PCI DSS compliance. The key considerations are explained below.

Scoping Consideration

Merchants looking to work with Cloud Service Providers must understand the impact of scoping on the security of the cardholder data environment. The approach depends on the cloud deployment type. In a private-cloud deployment, the organization can either implement adequate segmentation to isolate in-scope systems from other systems and services, or treat the entire cloud as in scope for PCI DSS. In a public cloud, the merchant and the Cloud Service Provider need to work together to define scope boundaries and their respective roles and responsibilities for data security, because both parties will have systems and services within the scope of PCI DSS.

Segmentation Considerations

Merchants using public or shared cloud services need to ensure that their environment is adequately isolated from other tenants. Further isolation or segmentation may also be required between the merchant's CDE and its non-CDE components to reduce PCI DSS scope. Segmentation and isolation must be maintained at the network, operating system, and application layers and, most importantly, for the data stored. In a hybrid environment, the responsibility for segmentation is shared by the Cloud Service Provider and the merchant. It is the merchant's responsibility to ensure that the device, application, or peering transit networks connecting to the Cloud Service Provider are secure, and that isolation is maintained on its side of the CDE and by the Cloud Service Provider at all times. To confirm this, merchants should conduct penetration tests of the segmentation controls annually and after significant changes are introduced into the environment (Requirement 11.4.5).
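
Before the annual segmentation penetration test, a merchant can review its own firewall or security-group rules for allow rules that cross the CDE boundary. The script below does that review; it is an added example written for this article, not code from the author or the PCI Council, and it does not replace the penetration test the article cites (Requirement 11.4.5), since it checks the documented rule set rather than what the network actually permits. The CDE address range, the approved jump-host exception and the rule set are constructed sample data in the shape a security-group export might take.

```python
"""Segmentation rule review for the CDE boundary.

Added example, not code from the original article and not a substitute for the
segmentation penetration test the article cites (Requirement 11.4.5). The CDE
address range, approved ingress exceptions and rule set are constructed sample
data in the shape a security-group or firewall export might take.
"""
import ipaddress

CDE_NETS = [ipaddress.ip_network("10.10.0.0/24")]  # constructed CDE range

# Documented exceptions with a business need: (source network, destination port).
APPROVED_INGRESS = {("10.20.5.10/32", 22)}  # admin jump host, illustrative

# Constructed rule set: r2 is the approved jump host, r5 is a deny and so harmless,
# r3 and r4 let non-CDE sources reach CDE hosts without a documented exception.
SAMPLE_RULES = [
    {"id": "r1", "src": "10.10.0.0/24", "dst": "10.10.0.0/24", "port": 5432, "action": "allow"},
    {"id": "r2", "src": "10.20.5.10/32", "dst": "10.10.0.0/24", "port": 22, "action": "allow"},
    {"id": "r3", "src": "10.20.0.0/16", "dst": "10.10.0.5/32", "port": 5432, "action": "allow"},
    {"id": "r4", "src": "0.0.0.0/0", "dst": "10.10.0.0/24", "port": 443, "action": "allow"},
    {"id": "r5", "src": "10.30.0.0/24", "dst": "10.10.0.0/24", "port": 5432, "action": "deny"},
]


def inside_cde(net):
    """True if every address in net lies within the CDE."""
    return any(net.subnet_of(cde) for cde in CDE_NETS)


def reaches_cde(net):
    """True if any address in net lies within the CDE."""
    return any(net.overlaps(cde) for cde in CDE_NETS)


def find_segmentation_gaps(rules):
    """Return (rule id, reason) for allow rules that let traffic from outside
    the CDE reach it without a documented exception."""
    gaps = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if not reaches_cde(dst):
            continue  # rule does not touch the CDE at all
        if inside_cde(src):
            continue  # intra-CDE traffic, governed by other requirements
        if (str(src), rule["port"]) in APPROVED_INGRESS:
            continue  # documented business need
        gaps.append((rule["id"], f"{src} -> {dst}:{rule['port']} crosses the CDE boundary"))
    return gaps


if __name__ == "__main__":
    for rule_id, reason in find_segmentation_gaps(SAMPLE_RULES):
        print(f"{rule_id}: {reason}")
```

Note that a source range that only partly overlaps the CDE (for example 10.0.0.0/8 against a 10.10.0.0/24 CDE) is treated as outside it, because part of that range is non-CDE; treating it as intra-CDE would hide exactly the kind of over-broad rule a segmentation test is meant to catch.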

Understanding PCI DSS Responsibilities

Merchants will have to work with their Cloud Service Providers to define roles and responsibilities for protecting card data. How responsibilities for meeting PCI DSS are divided between a merchant and its Cloud Service Provider depends on several factors: the purpose for which the cloud service is used, the scope of PCI DSS outsourced to the Cloud Service Provider, the services and system components that fall within scope, and the cloud service model the merchant has adopted (IaaS, PaaS, or SaaS). Merchants need to know and understand the scope of responsibility accepted by the Cloud Service Provider for each PCI DSS requirement, and which services and system components will be validated for each requirement. Roles and responsibilities need to be clearly defined so that both merchants and Cloud Service Providers meet their respective requirements, rather than each assuming a requirement is out of its scope.

PCI DSS Responsibilities for Different Cloud Service Categories

PCI DSS requirements are shared responsibilities between merchants and Cloud Service Providers. Depending on the cloud service model adopted, a given responsibility may be shared or may rest with one party alone. For most outsourced operations, the merchant must ensure that the PCI DSS requirements are maintained and verified, while the Cloud Service Provider, according to its agreed role, maintains and verifies the requirements it owns on behalf of its customers (the merchants). While some aspects of the service will have clear scope and well-defined boundaries, others may result in overlapping responsibilities; these must be clearly defined in the contract between the merchant and the Cloud Service Provider. Even where it is the Cloud Service Provider's responsibility to meet a requirement, it remains the merchant's responsibility to monitor the provider and confirm that it meets the requirement and stays compliant with all applicable requirements on an ongoing basis. Records verifying that security controls are in place and that compliance with PCI DSS is maintained must be kept. Merchants need to continually validate their own compliance in accordance with PCI DSS and the payment brands' programs.

Source: PCI Council

Final Thought

Understanding the key requirements and considerations for PCI DSS in the cloud is crucial. Moreover, clearly defining roles and responsibilities, and each party being aware of its own, is essential for both merchants and their Cloud Service Providers to meet the PCI DSS requirements and maintain compliance.

 

Author Bio

Narendra Sahoo (PCI QSA, PCI QPA, CISSP, CISA, and CRISC) is the Founder and Director of VISTA InfoSec, a global Information Security Consulting firm based in the United States, Singapore, UAE & India.

 
