What is PCI DSS
PCI DSS (Payment Card Industry Data Security Standard) is a set of requirements for protecting payment card data while it is stored, processed or transmitted. The standard safeguards cardholders against misuse of their sensitive personal information and thereby reduces card fraud. PCI DSS is designed so that it can be applied to any company that processes, stores or transmits customer payment card data. It covers prevention and detection of, and response to, security incidents.
Who is compliant in the world?
Many vendors are certified by the PCI Security Standards Council to assess and validate the security of organizations. The Council also conducts various training programs.
There are many PCI DSS validated service providers in the world. The list of companies can be obtained from the official website of the PCI Security Standards Council, https://www.pcisecuritystandards.org. It can also be obtained from the websites of Visa and Mastercard.
Gartner conducted surveys on PCI compliance in companies. The survey covered 383 companies and found that 18% of them were not compliant. Many companies were concerned about the cost of becoming PCI compliant. According to Gartner, a company with 100,000 credit cards on file would have to pay about $6 per card in encryption costs.
According to a study conducted by various other organizations, only 33% of companies are fully PCI compliant; 67% are not fully compliant with the standard. The same study found that reported data breaches rose from 79% to 85% over the period from 2009 to 2011. This shows the importance of PCI DSS for organizations dealing with credit card information. PCI DSS helps reduce data breaches to a large extent.
Security scenario in India
Because of technological advances, the use of computer technology has also increased in India. Electronic transactions have increased to such an extent that banks are finding it difficult to manage the security of those transactions, as cyber criminals keep pace with the technology. The Information Technology Act, 2000 was passed in India to deal with cyber security. It defines various offences and the penalties associated with each of them.
According to reports published by the government, the cyber cell received 1166 complaints in 2013 and 170 in 2012, of which 351 complaints were associated with credit and debit cards. Many complaints concerned online cheating, either through emails or pop-up windows in which people were asked to enter their credit card details. Many of these incidents occurred because of a lack of awareness among people about e-banking and allied services. Email spoofing and phishing are other problems faced by people in the country. Misuse of personal details and credit card details has also increased. This can cause financial and reputational loss to both people and organizations.
Fig: percentage of companies that passed; dataset 2013
Why must firms be PCI DSS compliant?
E-commerce websites and bank websites are exposed to external threats and are among the most common targets of attackers today. Every organization is responsible for protecting its customers' data regardless of who is processing the data. Any security breach can lead to significant loss of business reputation and corruption of information. Being PCI compliant means that you are securing valuable customer information against fraudulent activity.
PCI DSS helps in:
- Managing risk
- Protecting cardholder data from cyber criminals and security breaches
- Reducing losses due to fraud, since security breaches can cost a company a large amount
- Increasing customer confidence
- Staying competitive in the market
- Staying in business
- Increasing the security of payment card systems
PCI DSS is a continuous process for meeting the challenges organizations face in protecting card data. Compliance with PCI DSS brings major benefits to the business.
PCI DSS is a vital component for all merchants, acquirers, issuing banks, financial institutions and service providers that process, store or transmit credit card or debit card data.
Cardholder data includes the Primary Account Number (PAN), cardholder name, expiration date and service code, while sensitive authentication data (SAD) includes full track data (magnetic stripe or chip equivalent), the CAV2/CVC2/CVV2/CID codes and PINs/PIN blocks. The two categories are treated differently: the PAN may be stored but must be rendered unreadable wherever it is stored (for example by strong encryption, truncation or tokenization), whereas SAD must never be retained after authorization, even if encrypted. In practice, leaked PANs and CVVs are most often found in application logs, crash dumps and debugging output rather than in the database itself, so scanning those locations is a routine part of scoping an assessment.
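As an added illustration (not part of the original article), the following Python script shows the kind of check a practitioner runs over application logs while scoping a cardholder data environment: it finds PAN candidates, uses the Luhn checksum to filter out order numbers and other long digit runs, masks any real PAN to the first six and last four digits, and flags fields that carry sensitive authentication data. The log lines, the PAN values (well-known test numbers) and the field names `pan`, `card` and `cvv` are constructed for the example and are assumptions, not data from the article.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

# Sensitive authentication data that must never be retained after authorization.
# The field names are assumed log conventions for this example.
SAD_FIELD = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|cav2|pin)\s*[=:]\s*\d{3,4}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: doubles every second digit from the right, subtracts 9
    from any doubled value above 9, and requires the sum to be a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep at most the first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(line: str) -> list[str]:
    """Return the unmasked PANs (digits only) that pass the Luhn check in a line."""
    found = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scrub_line(line: str) -> tuple[str, list[str]]:
    """Mask PANs and redact SAD fields; return the scrubbed line and a list of findings."""
    findings: list[str] = []

    def _mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(f"PAN {mask_pan(digits)}")
            return mask_pan(digits)
        return m.group(0)  # Luhn failure: an order number, timestamp, etc.

    scrubbed = PAN_CANDIDATE.sub(_mask, line)
    if SAD_FIELD.search(scrubbed):
        findings.append("SAD field present")
        scrubbed = SAD_FIELD.sub(lambda m: f"{m.group(1)}=[REDACTED]", scrubbed)
    return scrubbed, findings


# Constructed sample log lines (assumed format; the PANs are public test numbers).
SAMPLE_LOG = [
    "INFO checkout order=1234567890123 pan=4111 1111 1111 1111 cvv=123",
    "INFO checkout order=1234567890124 pan=411111******1111",
    "DEBUG gateway response card=5500-0000-0000-0004 status=approved",
    "INFO ping 4111111111111112 host=10.0.0.7",
]


def scan_log(lines: list[str]) -> list[tuple[int, list[str], str]]:
    """Return (line number, findings, scrubbed line) for every line with a finding."""
    report = []
    for n, line in enumerate(lines, 1):
        scrubbed, findings = scrub_line(line)
        if findings:
            report.append((n, findings, scrubbed))
    return report


if __name__ == "__main__":
    for n, findings, scrubbed in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(findings)}")
        print(f"  scrubbed: {scrubbed}")
```

Only lines 1 and 3 are reported: line 2 is already masked and the order numbers and the digit run on line 4 fail the Luhn check, which is what keeps the false-positive rate tolerable on real logs. Line 1 is the serious case, because a CVV written to a log file is stored SAD regardless of how the database is protected. The Luhn check is a filter, not proof; a scan like this is a starting point for scoping, and the real fix is to stop the application from logging the fields in the first place.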
Different card brands specify different merchant validation levels, and the level determines how a merchant must validate its PCI DSS compliance (for example, an on-site assessment by a qualified assessor at the top level versus a self-assessment questionnaire at the lower levels). Each brand defines its own thresholds and revises them over time, so the figures below should be checked against the brand's current program.
Levels are defined from 1 to 4 based on the number of Visa, Mastercard and American Express card transactions that each organization processes:
- Level 1: merchants processing more than 6 million Visa or Mastercard transactions, or more than 2.5 million American Express transactions, annually.
- Level 2: merchants processing 1 million to 6 million Visa or Mastercard transactions, or 50,000 to 2.5 million American Express transactions, annually.
- Level 3: merchants processing 20,000 to 1 million Visa or Mastercard transactions, or fewer than 50,000 American Express transactions, annually.
- Level 4: all other merchants accepting Visa, Mastercard or American Express cards.
PCI compliance involves three major steps:
- Assess. The first step checks the organization's readiness for PCI compliance. Current policies and procedures are reviewed, and the debit/credit card transaction environment is analysed, together with its hardware and software system components and network devices, to find vulnerabilities. Establishing where card data actually flows and is stored is part of this step, since it defines the scope of everything that follows.
- Remediate. Corrective action is taken on all weaknesses found in the previous step. Any recommendations from the assessment are carried out here, which may mean adding or removing a network device, segmenting the card data environment, or improving the security policies and procedures followed in the organization. This step is what makes the compliance effort succeed.
- Report. Documenting and reporting the results (the self-assessment questionnaire or report on compliance, plus supporting evidence) is necessary for successful validation of PCI DSS compliance, and the cycle repeats, since compliance is assessed continuously rather than once.
PCI DSS compliance is becoming the need of the hour. It helps prevent unauthorised access to cardholder data and misuse of that data. By complying with PCI DSS, an organization reduces its vulnerabilities and the risk of data breaches, although compliance at a point in time is not a guarantee against compromise. Organizations must validate according to their level of card transactions; based on that level, they must assess their environment to locate vulnerabilities and take corrective action accordingly. Thus any company that accepts credit or debit cards must be compliant with PCI DSS.