PCI DSS Deployment Optimised To Check Card Payment Fraud
By: Chirasrota Jena | Jan 10, 2008
With growing awareness about credit and debit card fraud in India, card companies, along with other players involved in the financial transaction process, are looking seriously at compliance standards such as PCI DSS to boost confidence among customers.
Credit card companies are trying their best to prevent financial frauds from affecting their business – and thereby their customers. Businesses that have had cardholder data compromised are obliged to notify legal authorities and expected to offer free credit protection services to those potentially affected. There are various consequences that entrepreneurs have to face in case of data theft, both accidental and intentional. To avoid these and to generate customer faith, players in the payment card industry are looking seriously at complying with various standards.
The payment card data security framework was created by a group of credit card companies from around the world. The associations subsequently created a uniform set of information security requirements for all national card brands. These requirements became known as the Payment Card Industry Data Security Standard or PCI DSS. PCI DSS is a set of agreed-upon best practices that helps enterprises secure their data and protect customers’ privacy. Apart from credit card providers, retailers, banks and other institutions involved in the card payment segment are also opting for PCI DSS compliance in order to minimise financial frauds.
Many retailers are dragging their feet on complying with the standard because of the perceived expense and complexity, but compliance need not be difficult and will be less expensive than the consequences arising out of a damaging attack. Hence, it makes good business sense to comply. PCI DSS 1.1 is the current global standard, aimed at stamping out debit and credit card fraud.
PCI DSS Framework
The PCI DSS framework is divided into 12 security requirements, organised under six headings: build and maintain a secure network, protect cardholder data, maintain a vulnerability management program, implement strong access control measures, regularly monitor and test networks, and maintain an information security policy. A company adopting the standard should comply at two levels: the merchant level and the service provider level. According to Amuleek Bijral, country manager, RSA, the security division of EMC, there are seven steps on the road to compliance.
Seven Steps To Compliance
Step 1: Get the Facts
Step 2: Form Your Team
Step 3: Find the Data
Step 4: Analyse Your Risks
Step 5: Do a Gap Analysis
Step 6: Develop and Implement a Remediation Plan
Step 7: Perform an Onsite Audit or Assessment
Challenges Involved
IT teams constantly struggle to deploy the advanced technology that PCI DSS prescribes, which includes intrusion detection, vulnerability scanning, encryption and audit log collection. Deploying PCI DSS involves many challenges. Says Amuleek Bijral, "Some of the primary challenges are tracking and monitoring access to the network and systems with cardholder data, encrypting card data, controlling logical access to systems containing card data, authenticating users accessing systems containing card data, intrusion detection/intrusion prevention, conducting vulnerability scanning, installing and maintaining firewalls, conducting penetration testing, updating and using antivirus systems and audit trails of transactions."
Card issuers cannot secure what they cannot manage, and cannot manage what they cannot find. Issuers face the significant challenge of finding all credit card data across the enterprise, to ensure that each piece of information is secure. mChek, a player in the mobile payment segment, is PCI DSS 1.1 and ISO 27001 certified. These are global standards accepted by all leading card associations, including Visa, MasterCard and American Express. Several other independent security audits of the mChek platform have been conducted by various banks, telecom operators, Visa, and globally respected companies including Ernst and Young.
Sanjay Swamy, CEO, mChek said, "Combining bullet-proof security with foolproof convenience and ubiquitous reach is the biggest challenge in any mobile payment solution. mChek has invested several millions of dollars and years of research in ensuring that its solution meets these three criteria, and we are proud to say that mChek today provides users with a safe, smart and simple solution to any payment scenario."
Low Adoption In India
The number of entrepreneurs implementing international best practices to protect data is abysmally low in India. Although entrepreneurs are eager to protect customer data, their level of awareness of international security standards such as PCI DSS is surprisingly low, at just 46 percent. Says Bijral, "More disappointing was the finding that only 26 percent actually followed the programme’s standards in 2006. In 2006, 79 percent of entrepreneurs surveyed in India were concerned about protecting their customer data, 54 percent were concerned about payment card fraud, and 61 percent were concerned about identity theft. The data also revealed that 93 percent of merchants were concerned about a loss of reputation, 96 percent were concerned about loss of customers and business revenue, and 74 percent were worried about legal action if a security breach occurred."
Large online retailers and merchants are not the only target segments for hackers; smaller merchants and commercial websites are vulnerable too. These crimes reduce consumers’ confidence in the company and can therefore cause business losses. PCI compliance should be approached as an ongoing process – not as a project with a strict beginning and end – and needs to be incorporated into an overall security program, to achieve the level of buy-in and resources required for it to be successful. The business side of organisations should also work in step with the IT side of the house, in agreeing that PCI compliance is a business imperative.
Copyright © 2006, Biztech2.com India - A Network18 Venture