The Payment Card Industry Data Security Standard
Introduction
Digital payment & economy is growing at an astounding pace across the globe irrespective of the continents. In the preceding year, the global transaction value was US$3859 Billion (source: Statistica).
With such volumes rising year after year, Fintech organizations face a lot of challenges in placing the appropriate checks and balance to ensure that the digital payment ecosystem is secure and uncompromised.
The threats are never ending, and organizations need to comply with payment standards & regulatory obligations. Fintech related risks needs to be clearly identified, prioritized and tracked with appropriate mitigation & contingency plans
Organizations today wants to move to a defined security approach, but are not able to do due to various reasons. One of the most preferred and successful method is to perform a Fintech related risk-based assessment. This would help the organization in reducing their risks, thereby increasing the security maturity and business values.
There are many security standards & frameworks available and organizations can decide on choosing a particular method based on the domain / area of business.
What is PCI-DSS?
PCI – DSS – Payment Card Industry Data Security Standards is a regulation which is mandated for the Fintech Industry. It applies to all organization which stores, process and/or transmit cardholder information.
PCI Security council was established by the major brands Viz.
Visa, MasterCard Amex, Discover & JCB.
Who requires PCI-DSS to be implemented?
The PCI Data Security Standards is applicable for organizations which accepts or process card payments. The standard emphasises on building a robust network, protecting cardholder sensitive information’s, implementing strong access related controls and continuous monitoring and testing of the network.
The PA DSS – Payment Application Data Security Standard is for organizations which develops the payment systems / applications.
The PCI PTS – PIN transaction security is for organizations which manufactures devices used in payment related activities.
How to Implement PCI DSS
Given the lack of compliance professionals, Organizations should look upon SaaS compliance tools to ease their journey. They should also bring in the right people for consultancy so that the journey is smooth and achieved on time. There are other ways to look upon as well. Some organizations would reach for a MSSP vendor who can take care of all the needed compliance and regulatory activities.
There could be mixed opinions on the cost involved, time and expertise needed, but all these would be overshadowed by a data breach. The financial & reputational damage due to these breaches are haunting organizations and it would take lots of years to come out of it.
The most important myth today is that the organization is considered as robust or an unbreakable system which is not the case.
Complying with PCI DSS
PCI DSS implementation begins with scope identification and it is based on the size/value of the business and or the risk levels
The typical lifecycle is as follows:
The organization should look into choosing a QSA – Qualified Security Assessor who is qualified by the PCI council. The assessor would validate the scope of assessment, evaluate the system components and produce the final report.
The organization should then choose a scanning vendor. The ASV (approved scanning vendor) can decide on the usage of commercial tools for the scanning. As a standard practice, these scans are not intrusive in nature and shall not contribute to a system downtime.
The PCI DSS addresses security controls to ensure that common risks and attacks are effectively mitigated. So, there are possibilities that organizations can become non-compliant after the assessment gets over.
The security posture needs to be monitored and improved all the time and the management should invest in a compliance program journey
This can be achieved by setting up a team or a bunch of individuals who are well-versed in various regulations & compliance requirements
The crown jewels of the organization have to be identified. It would be suicidal if it’s not known and should be categorised and prioritised based on line of business
The organization should discover its vulnerabilities, and address the same.
Data discovery and asset inventory to be conducted on a regular frequency. This would also help us identify the pitfalls in data management
Organizations can look into third party SaaS tools which would automate or prioritize the risks and would give the compliance scores so that the management is aware of the progress and the teams can also fix the gaps identified by the tools
There is no denial that humans are the weakest link in the ecosystem. Organizations should invest in regular training programs and the same should be audited. The pitfall here is the trainings are generic and not suited to relevant stakeholders which should be avoided
Fortify your SOC
Organizations need to ensure that the monitoring and investigation teams are not understaffed or shared from other teams. Their roles should be clearly defined & they should have details to the network architecture, data flows, data repositories, access to forensic tools and make use of it.
Organizations should ensure that the root cause is being religiously done for all the incidents and corrective and preventive measures are taken.
Various mini teams within SOC could be formed which takes care of different activities and weightages on investigation can be defined accordingly. For instance, if the system stores or process cardholder information a high weightage can be given and no alert should be left unattended
The technology used (both hardware & software) are to be reviewed annual/bi-annual to ensure it is meeting the security requirements & also identify the threats/vulnerabilities and risks
Conclusion:
The curious case of being assessed successfully, but still being non-compliant to regulations is a serious concern Fintech organization should avoid. The issues need to be addressed at multiple angles viz: Compliance failure within the org or Poor Assessments which ignored the real issues.
Successful implementation would be possible only when there is ample support from relevant stakeholders. Organizations must constantly have the goal of safeguarding the cardholder data.
The SaaS tools and the MSSP should be carefully deployed and integrated with other operational assets. Thus, by employing a clear and implementable approach the objective would be reached – Reducing business impact and staying compliant.
