Requirement of PCI-DSS in India.
CA. Priyadarshan Behera
1. Background
In today's competitive business environment, e-markets are growing day by day, and users increasingly rely on payment gateways to complete transactions for goods and services with debit and credit cards. The extensive use of these cards has made it necessary to follow defined procedures that protect the security of customer data.
The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures for protecting debit, credit and cash card transactions. Its purpose is to protect cardholders (the persons authorised to use a credit or debit card to pay for goods and services) against misuse of their personal and card data. The Payment Card Industry Security Standards Council (PCI SSC), referred to here as the "Council", was launched on September 7, 2006 to manage the PCI security standards. Enterprises that handle card data have to comply with the requirements issued by the Council. In the current business environment it is imperative to follow these standards because electronic transactions have grown in both value and volume. The five payment card brands, American Express, Discover Financial Services, JCB International, MasterCard and Visa, have agreed to adopt the standards issued by the Council in their data security compliance programmes.

2. Intended Audience
This standard is meant for anyone who stores, processes or transmits cardholder data. Other payment industry stakeholders are also its target audience: payment processors, acquiring banks (which connect to a card brand network for payment processing), service providers (who provide all or some of the payment services for a merchant), assessors, and information security professionals who want to understand PCI. It applies to organisations of every size, whether large, medium or small.

3. About PCI DSS
3.1 Key players in PCI DSS
PCI DSS was brought in by the major credit card companies as a guideline to help organisations that process card payments for goods or services, so as to obstruct fraud arising from hacking and other threats. PCI DSS was created jointly in 2004 by the five major credit card companies: Visa, MasterCard, Discover, JCB and American Express.

3.2 PCI Compliance
Who needs to comply: any merchant, acquirer, issuer bank or service provider that processes, stores or transmits credit or debit card data, and any party involved with them. Complying with the PCI DSS requirements means ensuring that both information systems and payment applications are kept secure on an ongoing basis. Compliance with PCI DSS helps to protect cardholder data. It is a complex and growing subject affecting millions of businesses: banks, Independent Sales Organizations (ISOs), processors, e-commerce and retail merchants and other merchant service providers. An organisation that has not validated its compliance runs a higher risk of a card data breach and of the fines that follow one.
In India many e-commerce websites do not collect any credit card information from customers themselves. When the customer chooses "Credit card" as the payment method and proceeds to checkout, they are redirected to the payment gateway's own payment page (CCAvenue, for example), where the customer enters all the card details. In this scenario the merchant's systems never see the card number, so the bulk of the PCI DSS scope and the associated risk sits with the gateway rather than the merchant. If, instead, the customer enters the card number on the merchant's checkout page and the merchant then passes it to the payment gateway for processing, the merchant's systems handle cardholder data and the transaction falls under the purview of a PCI audit. Even a merchant that holds card data only transiently in memory is in scope and must validate compliance.
Why comply with PCI DSS: complying with PCI DSS helps you to protect customer data, manage your risk, avoid penalties, stay in business and compete in the market.

3.3 Challenges in PCI Compliance
Organisations face scrutiny when adhering to PCI DSS. Substantial fines and penalties are imposed for systems that are not in compliance, and they have increased significantly. The link below summarises the fines imposed by the card associations for non-compliance with PCI DSS: http://www.pcistandard.com/cardassociation-fines/
According to Visa, most large and medium-size merchants in the US had not reached their respective PCI DSS compliance targets. Organisations largely rely on manual assessment methods for PCI DSS audits, and manual assessment is a very time-consuming and error-prone process.

3.4 Frauds in India and their involvement in global scams
Credit card fraud is rampant not only in India but across the globe, affecting millions of consumers and businesses every day. Indian nationals have featured in several recent debit/credit card and online-transaction fraud cases, both within India and abroad. Some recent examples:
In Delhi, a man allegedly involved in the theft of credit card data of more than 30,000 customers of a private sector bank, and in transactions worth crores of rupees, was arrested in 2013.
In another incident, five Indian-origin men were among 18 people charged with running a massive 200 million dollar global credit card fraud, in which thousands of fake identities were used to target businesses and financial firms and millions of dollars were wired to Pakistan and India.
These incidents show that card fraud involving Indian actors is not confined to one region but extends across the globe. They are a strong warning to every sector that accepts online card payments to comply with the PCI DSS standards issued by the Council.

3.5 Steps in PCI Compliance
Assess, Remediate and Report
The first step in PCI compliance is to assess: take an inventory of the IT assets and business processes involved in payment card processing and analyse them for vulnerabilities that could expose cardholder data. The second step is to remediate, that is, to fix those vulnerabilities. The last step is to report: accumulate the records PCI DSS requires to validate remediation and submit the reports to the acquiring bank and the card payment brands. These three steps are not a one-time exercise; they form an ongoing cycle of continuous compliance with the PCI DSS requirements.
4. PCI-DSS in India
PCI DSS is not yet well known among Indian companies, even though India, the second most populous country, makes extensive use of card-based e-payments. E-commerce transacts over the internet, where customer data is exposed to the risk of being hacked, and the volume of debit/credit card transactions is no longer as small as it was five years ago.
India is commonly described as an outsourcing destination, and Business Process Outsourcing (BPO) plays a very significant role in that industry. BPOs generally handle data belonging to third parties, so there is a high risk of data leakage and fraud. To thwart fraud, the Indian BPO industry is adopting some of the most stringent standards for handling sensitive information and data. One such standard is PCI DSS, as prescribed by the Council. Indian companies such as Infosys BPO and Vodafone India have already obtained PCI DSS certification.
The payment card market in India is very large and growing every day. According to Symantec's Internet Security Threat Report 2013, the countries leading the chart for bank card threats are the USA, China and India, with India accounting for 6.5% of the total targeted attacks in 2012. Various countries have already taken steps to prevent credit card fraud, so we should protect ourselves against the fraud moving into India; we cannot ignore that fraudsters are usually a step ahead of the market.
Because of the rise in fraud arising from debit/credit card transactions, the Reserve Bank of India (RBI) has stipulated safety measures for credit/debit card transactions. In its notification dated 28 February 2013, "Security and Risk Mitigation Measures for Electronic Payment Transactions", the RBI directed banks to put in place the following measures (only those relating to PCI DSS are listed here):
a. Banks should ensure that the terminals installed at merchants for capturing card payments (including the double-swipe terminals used) are verified for PCI DSS (Payment Card Industry Data Security Standard) and PA-DSS (Payment Application Data Security Standard) compliance (by June 30, 2013).
b. Banks should ensure that all acquiring infrastructure currently operating on IP (Internet Protocol) based solutions is mandatorily put through PCI DSS and PA-DSS certification. This should include acquirers, processors/aggregators and large merchants (by June 30, 2013).
Considering the rapid growth of the card payment market and of merchants in India, we will soon have to adopt an additional factor of authentication for card-present transactions at the various terminals that handle debit/credit cards. Given the way fraud related to credit/debit cards is spreading to every corner of India, it is imperative for organisations to bring themselves under PCI DSS.

5. Requirements of PCI DSS
PCI DSS groups its 12 requirements into the following 6 categories:
a. Build and maintain a secure network (install and maintain a firewall configuration; do not use vendor-supplied defaults for system passwords and other security parameters).
b. Protect cardholder data (protect stored cardholder data; encrypt transmission of cardholder data across open, public networks).
c. Maintain a vulnerability management program (use and regularly update anti-virus software; develop and maintain secure systems and applications).
d. Implement strong access control measures (restrict access to cardholder data by business need-to-know; assign a unique ID to each person with computer access; restrict physical access to cardholder data).
e. Regularly monitor and test networks (track and monitor all access to network resources and cardholder data; regularly test security systems and processes).
f. Maintain an information security policy (maintain a policy that addresses information security for all personnel).
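The scoping point made in section 3.2 (a merchant whose systems ever hold a card number, even transiently, is in scope) and category (b) above both come down to one practical question: where do primary account numbers (PANs) actually appear in your systems, and are they ever stored unmasked? The Python script below is an added example written for this page; it is not part of the original article and not a PCI SSC tool, and the function names, the sample log lines and the log format are my own assumptions. It finds candidate 13 to 19 digit runs in application logs, confirms them with the Luhn check digit test that all major card brands use (so order numbers and timestamps are not counted), and rewrites any hit into the first-six/last-four form that PCI DSS permits for display. The card numbers in the constructed sample are widely used brand test numbers, not real cards.

```python
import re
from typing import List, Optional, Tuple

# Candidate: 13 to 19 digits, optionally separated by single spaces or dashes,
# and not glued to further digits on either side.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits (PCI DSS display masking)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _as_pan(candidate: str) -> Optional[str]:
    """Return the bare digit string if the candidate is a plausible PAN, else None."""
    digits = re.sub(r"[ -]", "", candidate)
    if 13 <= len(digits) <= 19 and luhn_valid(digits):
        return digits
    return None


def find_pans(text: str) -> List[str]:
    """All Luhn-valid PANs in text, in order of appearance, separators removed."""
    pans = []
    for m in _CANDIDATE.finditer(text):
        pan = _as_pan(m.group(0))
        if pan is not None:
            pans.append(pan)
    return pans


def scrub_pans(text: str) -> Tuple[str, int]:
    """Rewrite every PAN in text into masked form; return (new_text, count)."""
    count = 0

    def _replace(m):
        nonlocal count
        pan = _as_pan(m.group(0))
        if pan is None:
            return m.group(0)   # order numbers, timestamps etc. are left untouched
        count += 1
        return mask_pan(pan)

    return _CANDIDATE.sub(_replace, text), count


def in_scope(text: str) -> bool:
    """True if any PAN is present: the system that wrote this text is in PCI DSS scope."""
    return len(find_pans(text)) > 0


# Constructed sample log (hypothetical format); the card numbers are brand test numbers.
SAMPLE_LOG = """\
2013-05-14 10:22:03 POST /checkout order=1234567890123456 card=4111111111111111 exp=12/15
2013-05-14 10:22:09 POST /checkout order=1234567890123457 card=5555 5555 5555 4444 exp=01/16
2013-05-14 10:23:41 GET /status order=1234567890123458
2013-05-14 10:24:02 POST /checkout order=1234567890123459 card=3782-822463-10005 exp=09/17
"""

if __name__ == "__main__":
    print("PANs found:", [mask_pan(p) for p in find_pans(SAMPLE_LOG)])
    scrubbed, n = scrub_pans(SAMPLE_LOG)
    print(f"masked {n} PAN(s); in scope: {in_scope(SAMPLE_LOG)}")
    print(scrubbed)
```

Run it against real log samples before an assessment: any hit means the system that wrote the log is storing cardholder data and belongs in scope, and the scrubbed output shows the only form in which the number may legitimately remain. The Luhn check only rejects accidental digit runs; it does not prove a number is a live card, so treat every hit as a finding to investigate rather than as proof of a breach.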

6. Certification and Reporting
There are normally two ways in which a business can validate that it has achieved PCI DSS compliance:
a. Self-Assessment Questionnaire.
b. Vulnerability scanning.
The questionnaire and the scanning process together help to identify whether any weakness or vulnerability exists in the network. The purpose of the SAQ (Self-Assessment Questionnaire) is to let organisations evaluate their own compliance with PCI DSS. The PCI DSS SAQ consists of two components: a set of questions corresponding to the PCI DSS requirements, and an attestation of compliance. The attestation is your certification that you have performed the appropriate assessment.
PCI DSS requires merchants to have a comprehensive vulnerability scan performed at least every quarter. All externally facing systems should be scanned, so that exposures are found before an attacker finds them.
The SAQ identifies and mitigates risk from the inside (behind the firewall), while scanning identifies and mitigates risk from the outside.
The credit card companies have each defined four merchant levels, and merchants are subject to reporting requirements according to their level. See this link for how Visa has defined the merchant levels: http://usa.visa.com/merchants/risk_management/cisp_merchants.html#anchor_2
Reports are the official mechanism by which merchants and other entities verify compliance with PCI DSS to their respective acquiring financial institutions or payment card brand. Depending on the payment card brand's requirements, merchants and service providers may need to submit an SAQ, or an annual attestation of compliance following an on-site assessment. Quarterly submission of a network scan report may also be required.

7. Conclusion
PCI DSS helps all e-commerce merchants by setting out guidelines for securing and protecting customer data, and customers can place greater trust in merchants who are certified under PCI DSS when transacting online.
The PCI Security Standards Council collects feedback on the PCI security standards from companies and stakeholders. This input helps ensure that the standards issued by the Council continue to provide a strong security framework for protecting cardholder data.

More Related Content

What's hot

Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and Visualization
Raffael Marty
 
Abdullin modern payments security. emv, nfc, etc
Abdullin   modern payments security. emv, nfc, etcAbdullin   modern payments security. emv, nfc, etc
Abdullin modern payments security. emv, nfc, etc
DefconRussia
 

What's hot (20)

Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
EMV Card Migration: How the EMV Transaction Flow Works
EMV Card Migration: How the EMV Transaction Flow WorksEMV Card Migration: How the EMV Transaction Flow Works
EMV Card Migration: How the EMV Transaction Flow Works
 
EMV chip cards
EMV chip cardsEMV chip cards
EMV chip cards
 
1 Info Sec+Risk Mgmt
1 Info Sec+Risk Mgmt1 Info Sec+Risk Mgmt
1 Info Sec+Risk Mgmt
 
OIDC4VP for AB/C WG
OIDC4VP for AB/C WGOIDC4VP for AB/C WG
OIDC4VP for AB/C WG
 
PCI DSS 3.2
PCI DSS 3.2PCI DSS 3.2
PCI DSS 3.2
 
PCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step GuidePCI DSS Implementation: A Five Step Guide
PCI DSS Implementation: A Five Step Guide
 
import data from Oracle Database into Python Pandas Dataframe
import data from Oracle Database into Python Pandas Dataframeimport data from Oracle Database into Python Pandas Dataframe
import data from Oracle Database into Python Pandas Dataframe
 
PCI DSS
PCI DSSPCI DSS
PCI DSS
 
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
Decentralized Identifiers (DIDs): The Fundamental Building Block of Self-Sove...
 
4 (data security in local network using)
4 (data security in local network using)4 (data security in local network using)
4 (data security in local network using)
 
PCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdfPCI DSS v4 - ControlCase Update Webinar Final.pdf
PCI DSS v4 - ControlCase Update Webinar Final.pdf
 
How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?How to determine a proper scope selection based on ISO 27001?
How to determine a proper scope selection based on ISO 27001?
 
Delivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and VisualizationDelivering Security Insights with Data Analytics and Visualization
Delivering Security Insights with Data Analytics and Visualization
 
ISO 27001:2013 Mandatory documents and records
ISO 27001:2013 Mandatory documents and recordsISO 27001:2013 Mandatory documents and records
ISO 27001:2013 Mandatory documents and records
 
Abdullin modern payments security. emv, nfc, etc
Abdullin   modern payments security. emv, nfc, etcAbdullin   modern payments security. emv, nfc, etc
Abdullin modern payments security. emv, nfc, etc
 
Webinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdfWebinar-Spanish-PCI DSS-4.0.pdf
Webinar-Spanish-PCI DSS-4.0.pdf
 
Ppt growing need of cyber security
Ppt  growing need of cyber securityPpt  growing need of cyber security
Ppt growing need of cyber security
 
Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)Verifiable Credentials in Self-Sovereign Identity (SSI)
Verifiable Credentials in Self-Sovereign Identity (SSI)
 
Cashless Society (Cashless Economy, Online Transactions, is india moving towa...
Cashless Society (Cashless Economy, Online Transactions, is india moving towa...Cashless Society (Cashless Economy, Online Transactions, is india moving towa...
Cashless Society (Cashless Economy, Online Transactions, is india moving towa...
 

Viewers also liked

Twitter Bootstrap Presentation
Twitter Bootstrap PresentationTwitter Bootstrap Presentation
Twitter Bootstrap Presentation
Duy Do Phan
 
Presentation CentOS
Presentation CentOS Presentation CentOS
Presentation CentOS
rommel gavia
 
Small business ideas in india (om project)
Small business ideas in india  (om project)Small business ideas in india  (om project)
Small business ideas in india (om project)
17791
 

Viewers also liked (18)

How to Start Payment Gateway Business in India
How to Start Payment Gateway Business in IndiaHow to Start Payment Gateway Business in India
How to Start Payment Gateway Business in India
 
Online Payment Gateway System
Online Payment Gateway SystemOnline Payment Gateway System
Online Payment Gateway System
 
PCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to KnowPCI DSS Simplified: What You Need to Know
PCI DSS Simplified: What You Need to Know
 
OSPL Mobile recharge API vs White label solution: Which is better for Making ...
OSPL Mobile recharge API vs White label solution: Which is better for Making ...OSPL Mobile recharge API vs White label solution: Which is better for Making ...
OSPL Mobile recharge API vs White label solution: Which is better for Making ...
 
New ads
New adsNew ads
New ads
 
WCF
WCFWCF
WCF
 
Twitter Bootstrap Presentation
Twitter Bootstrap PresentationTwitter Bootstrap Presentation
Twitter Bootstrap Presentation
 
Presentation CentOS
Presentation CentOS Presentation CentOS
Presentation CentOS
 
Small Business Opportunities in a Down Market
Small Business Opportunities in a Down MarketSmall Business Opportunities in a Down Market
Small Business Opportunities in a Down Market
 
How to create a business vision that motivates you to take action
How to create a business vision that motivates you to take actionHow to create a business vision that motivates you to take action
How to create a business vision that motivates you to take action
 
The new patterns of innovation
The new patterns of innovationThe new patterns of innovation
The new patterns of innovation
 
Ten steps to create a Business Miracle
Ten steps to create a Business Miracle Ten steps to create a Business Miracle
Ten steps to create a Business Miracle
 
Biotrace_Prez_20161208
Biotrace_Prez_20161208Biotrace_Prez_20161208
Biotrace_Prez_20161208
 
How to create a business with one euro or no money
How to create a business with one euro or no moneyHow to create a business with one euro or no money
How to create a business with one euro or no money
 
Resultados Encuesta En Twitter
Resultados Encuesta En TwitterResultados Encuesta En Twitter
Resultados Encuesta En Twitter
 
Small business ideas in india (om project)
Small business ideas in india  (om project)Small business ideas in india  (om project)
Small business ideas in india (om project)
 
supply chain management
supply chain managementsupply chain management
supply chain management
 
Big Ideas from Big (or Small) Data
Big Ideas from Big (or Small) DataBig Ideas from Big (or Small) Data
Big Ideas from Big (or Small) Data
 

Similar to Requirement of PCI-DSS in India.

PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS Slidecast
RobertXia
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standard
sallychiu
 
Payment card industry data security standard 1
Payment card industry data security standard 1Payment card industry data security standard 1
Payment card industry data security standard 1
wardell henley
 
Online_Transactions_PCI
Online_Transactions_PCIOnline_Transactions_PCI
Online_Transactions_PCI
Kelly Lam
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
Shaun O'keeffe
 

Similar to Requirement of PCI-DSS in India. (20)

MTBiz May-June 2019
MTBiz May-June 2019 MTBiz May-June 2019
MTBiz May-June 2019
 
Pci ssc quick reference guide
Pci ssc quick reference guidePci ssc quick reference guide
Pci ssc quick reference guide
 
Quick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security StandardQuick Reference Guide to the PCI Data Security Standard
Quick Reference Guide to the PCI Data Security Standard
 
PCI DSS Slidecast
PCI DSS SlidecastPCI DSS Slidecast
PCI DSS Slidecast
 
PCI Compliance for Payment Security
PCI Compliance for Payment SecurityPCI Compliance for Payment Security
PCI Compliance for Payment Security
 
Payment card industry data security standard
Payment card industry data security standardPayment card industry data security standard
Payment card industry data security standard
 
Requirement of PCI DSS in India.
Requirement of PCI DSS in India.Requirement of PCI DSS in India.
Requirement of PCI DSS in India.
 
Payment card industry data security standard 1
Payment card industry data security standard 1Payment card industry data security standard 1
Payment card industry data security standard 1
 
Online_Transactions_PCI
Online_Transactions_PCIOnline_Transactions_PCI
Online_Transactions_PCI
 
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce MerchantECMTA 2009 PCI Compliance and the Ecommerce Merchant
ECMTA 2009 PCI Compliance and the Ecommerce Merchant
 
eCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain MediaeCommerce Summit Atlanta Mountain Media
eCommerce Summit Atlanta Mountain Media
 
PCI FAQs and Myths
PCI FAQs and MythsPCI FAQs and Myths
PCI FAQs and Myths
 
PCI DSS introduction by khaled mosharraf,
PCI DSS introduction by khaled mosharraf,PCI DSS introduction by khaled mosharraf,
PCI DSS introduction by khaled mosharraf,
 
Merchant Responsibilities According to the Payment Card Industry
Merchant Responsibilities According to the Payment Card IndustryMerchant Responsibilities According to the Payment Card Industry
Merchant Responsibilities According to the Payment Card Industry
 
How to Comply with the PCI Data Security Standard
How to Comply with the PCI Data Security Standard How to Comply with the PCI Data Security Standard
How to Comply with the PCI Data Security Standard
 
Payment Card Industry Introduction CMTA APR 2010
Payment Card Industry Introduction CMTA APR 2010Payment Card Industry Introduction CMTA APR 2010
Payment Card Industry Introduction CMTA APR 2010
 
PCI Compliance Report
PCI Compliance ReportPCI Compliance Report
PCI Compliance Report
 
PCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
PCI Compliance - How To Keep Your Business Safe From Credit Card CriminalsPCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
PCI Compliance - How To Keep Your Business Safe From Credit Card Criminals
 
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
Demystifying PCI DSS: Expert Tips and Explanations to Help You Gain PCI DSS C...
 
Reduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - WhitepaperReduce PCI Scope - Maximise Conversion - Whitepaper
Reduce PCI Scope - Maximise Conversion - Whitepaper
 

Recently uploaded

EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Recently uploaded (20)

[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

Requirement of PCI-DSS in India.

  • 1. Requirement of PCI-DSS in India. CA. PriyadarshanBehera
1. Background

In today's competitive business environment, e-markets are growing day by day for carrying out a wide range of business transactions in goods and services. During this process users mostly rely on payment gateways to complete the financial transactions using various types of debit/credit cards. Consequently, the extensive use of these cards has forced the industry to follow certain procedures in order to prevent vulnerabilities affecting the security of customers' data.

The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures used to protect debit, credit and cash card transactions. These principles and procedures mainly serve to protect the personal data of card holders (the persons authorised to use their credit/debit cards to make payments for goods and services) against misuse. The Payment Card Industry Security Standards Council (PCI SSC), referred to here as the "Council", was launched on September 7, 2006 to focus primarily on the PCI security standards. Enterprises handling card data have to comply with the requirements issued by the Council. In the current business environment it has become imperative to follow these standards because of the extensive use of e-transactions, both by value and by volume. The five payment card brands, American Express, Discover Financial Services, JCB International, MasterCard and Visa, have agreed to adopt PCI DSS as the standard for their data security compliance programs.

2. Intended Audience

This standard is meant for anyone who stores, processes or transmits card holder data. In addition, payment industry stakeholders such as payment processors, acquiring banks (which connect to a card brand network for payment processing), service providers (who provide all or some of the payment services for the merchant), assessors and information security professionals who want to understand PCI are the target audience of the PCI DSS. It applies to organizations of every size, whether large, medium or small.

3. About PCI DSS

3.1 Key players in PCI DSS

The idea of PCI DSS was brought in by the major credit card companies as a guideline to help organizations that process card payments for goods or services, so as to obstruct fraud arising from hacking and other threats. PCI DSS was created jointly in 2004 by five major credit card companies: Visa, MasterCard, Discover, JCB and American Express.

3.2 PCI Compliance

Who needs to comply: any merchant, acquirer, issuer bank or service provider that processes, stores or transmits credit or debit card data, and any party involved with them. Complying with the Payment Card Industry's Data Security Standard (PCI DSS) requirements means ensuring that both information systems and payment applications are secured in real time. Compliance with PCI DSS helps to protect cardholder data. It is a very complex and growing subject affecting millions of businesses: banks, Independent Sales Organizations (ISOs), processors, e-commerce and retail merchants and other merchant service providers. If you are not certified, there is a high risk of data being hacked.

In India many e-commerce websites do not collect any credit card information from customers. During a payment transaction, when a
customer chooses "Credit card" as the payment method and proceeds to complete the checkout, they are redirected to the payment gateway's payment page (for example CCAvenue), where the customer enters all the card details. In this scenario the e-commerce merchant bears no risk of being hacked and no PCI risk. If instead, during the checkout stage of the same transaction, the customer enters the credit card number on the merchant's site and is then directed to the payment gateway to process the transaction, the transaction falls under the purview of a PCI audit. Merchants who hold card data even in temporary memory are also liable to be PCI certified.

Why comply with PCI DSS: complying with PCI DSS helps you protect customer data, manage your risk, avoid penal measures, stay in business and compete in the market.

3.3 Challenges in PCI Compliance

Organizations face scrutiny when adhering to PCI DSS compliance. Huge fines and penalties are imposed, and they have increased significantly for systems that are not in compliance. You can refer to the link below, as provided by the Council, regarding the fines imposed for non-compliance with PCI DSS: http://www.pcistandard.com/cardassociation-fines/

According to Visa, most of the large and medium size merchants in the US have not reached their respective PCI DSS compliance. Organizations largely rely on manual assessment methods for PCI DSS audits. Manual assessment is a very time consuming and error prone process.

3.4 Frauds in India and their involvement in global scams

Credit card fraud is rampant not only in India but across the globe, affecting millions of consumers and businesses every day. Indians are actively involved in various frauds relating to debit/credit cards and other means of online transactions. They are not only involved in frauds within India but have also extended their routes abroad.

Following are some examples of recent events. In Delhi, a man allegedly involved in the theft of credit card data of more than 30K customers of a private sector bank, and in making transactions worth crores of rupees, was caught by the police in 2013. In another incident, 5 Indian-origin men were among 18 others charged with running a massive 200 million dollar global credit card fraud, in which they used thousands of fake identities to target businesses and financial firms and wired millions of dollars to Pakistan and India. These incidents clearly show how actively Indians are involved in various debit/credit card frauds, and that this is not limited to one region but extends across the globe. All these cases raise the alarm for sectors using online credit card transactions to comply with the PCI DSS standards issued by the Council.

3.5 Steps in PCI Compliance: Assess, Remediate and Report

The first step in PCI compliance is to assess: take inventory of the IT assets and business processes involved in payment card processing, and analyze them for vulnerabilities that could expose cardholder data. The second step is to remediate, which is basically the process of fixing those vulnerabilities. The last step is to report. Reporting involves compiling the records required by PCI DSS to validate remediation, and submitting reports to the acquiring bank and the card payment brands. These three steps are not a one-time process but an ongoing one, for continuous compliance with the PCI DSS requirements.
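The scoping point above (a merchant that collects, or even temporarily holds, card data is in scope) and the assess step both hinge on knowing where card numbers actually end up. As an added illustration, not code from the presentation, here is a small Python check a merchant could run over its own application logs or temp files to find Luhn-valid card numbers and report them masked; the log lines are constructed samples using publicly known test card numbers, and the Luhn filter and first-six/last-four masking are this example's choices.

```python
import re

# Constructed sample lines standing in for a merchant's checkout log and a
# temp cache; none are real cards (4111... and 5555... are brand test PANs).
SAMPLE_LINES = [
    "2013-06-01 10:02:11 POST /checkout pan=4111111111111111 amount=1999.00",
    "2013-06-01 10:02:12 redirect to gateway, token=tok_8f3a9 amount=1999.00",
    "2013-06-01 10:05:40 order 7781 ref 1234567890123456 status=ok",  # fails Luhn
    "2013-06-01 10:07:02 tmp cache: 5555 5555 5555 4444 exp=12/15",
]

# 13 to 19 digits, optionally separated by spaces or hyphens, not embedded in a longer digit run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by the card brands; weeds out random digit runs (order ids, refs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep only the first six and last four digits, the PCI DSS display rule for a PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(lines):
    """Return (line_no, masked_pan) for every Luhn-valid 13-19 digit run found in the lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                hits.append((n, mask_pan(digits)))
    return hits


if __name__ == "__main__":
    # Any hit means card data touched this system, so the system is in PCI DSS scope.
    for line_no, masked in find_pans(SAMPLE_LINES):
        print(f"line {line_no}: cardholder data found ({masked})")
```

Line 3 is deliberately a 16-digit reference that fails the Luhn check, showing why a digit-count match alone would over-report.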
4. PCI DSS in India

PCI DSS is not very popular among Indian companies. India is the second-most populous country, and e-payments through cards are extensively used there for various transactions. E-commerce transacts business on the internet, where there is a chance of customer data being hacked. The volume of debit/credit card transactions is no longer as small as it used to be 5 years back.

India is commonly described as the destination for outsourcing, and Business Process Outsourcing (BPO) plays a very significant role in that field. BPOs generally deal with a great deal of data belonging to third parties, so there is a high risk of data leakage and fraud. In order to thwart fraud, the Indian BPO industry is adopting some of the most stringent standards for handling sensitive information and data. One such standard is the Payment Card Industry Data Security Standard (PCI DSS), as prescribed by the Council. Indian companies like Infosys BPO and Vodafone India have already undergone PCI DSS certification.

The size of the payment card market in India is very big and it is increasing day by day. According to the "Threat report 2013" published by Symantec Internet Security, the countries leading the chart for bank card threats are the USA, China and India, with India accounting for 6.5% of the total targeted attacks in 2012. Various countries have already taken several steps to prevent credit card fraud, so we too should protect ourselves against the frauds moving into India; we cannot ignore the fact that "fraudsters are a step ahead of the market". Because of the rise in fraud arising from debit/credit card transactions in India, the Reserve Bank of India (RBI) has stipulated some safety measures for credit/debit card transactions.

In its notification dated 28 Feb 2013, titled "Security & Risk Mitigation Measures for Electronic Payment Transactions", RBI directed banks to put in place safety measures including the following (only those relating to PCI DSS are listed):

a. Banks should ensure that the terminals installed at merchants for capturing card payments (including the double swipe terminals used) are verified for PCI DSS (Payment Card Industry Data Security Standard) and PA-DSS (Payment Application Data Security Standard) compliance (by June 30, 2013).

b. Banks should ensure that all acquiring infrastructure currently operational on IP (Internet Protocol) based solutions is mandatorily made to go through PCI DSS and PA-DSS certification. This should include acquirers, processors/aggregators and large merchants (by June 30, 2013).

Considering the rapid growth of the card payment market and of merchants in India, we will soon have to adopt an additional factor of authentication for card-present transactions at the various terminals dealing with debit/credit cards. With frauds related to credit/debit cards spreading to every corner of India, it becomes imperative for organizations to cover themselves under PCI DSS.

5. Requirements of PCI DSS

PCI DSS is classified into 6 categories defining 12 requirements, as mentioned below:

a. Building and maintaining a secure network (includes installation and maintenance of a firewall, and not relying on vendor-supplied default passwords).

b. Protecting cardholder data (includes protecting stored cardholder data and encrypting its transmission).

c. Maintaining a vulnerability management program (includes use of antivirus software, and development and maintenance of secure systems).
d. Implementing strong access control measures (includes restricting access to cardholder data by business need-to-know, assigning a unique ID to each person with access, and restricting physical access to cardholder data).

e. Regularly monitoring and testing networks (includes tracking and monitoring all access, and testing security systems).

f. Maintaining an information security policy (maintenance of a policy that addresses information security).

6. Certification and Reporting

Normally there are 2 ways by which business houses can check that they have achieved PCI DSS certification:

a. Self-Assessment Questionnaire.

b. Vulnerability scanning.

The questionnaire and the scanning process help identify whether any weakness or vulnerability exists in the network. The purpose of the SAQ (Self-Assessment Questionnaire) is to enable organizations to self-evaluate their compliance with PCI DSS. The PCI DSS SAQ consists of 2 components: a set of questions relating to the PCI DSS requirements, and an attestation of compliance. The attestation is your certification that you have performed the appropriate assessment. PCI DSS compliance requires merchants to have a comprehensive vulnerability scan at least every quarter. PCI DSS recommends that all outward-facing systems be scanned in order to protect the data from hacking. The PCI DSS SAQ identifies and mitigates risk from the inside (behind the firewall), while scanning identifies and mitigates risk from the outside.

The various credit card companies have defined 4 levels of classification, and merchants falling under each level are subject to certain reporting requirements. Check this link for an idea of how VISA has defined the merchant levels: http://usa.visa.com/merchants/risk_management/cisp_merchants.html#anchor_2

Reports are the official mechanism by which merchants and other entities verify compliance with PCI DSS to their respective acquiring financial institutions or payment card brands.
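The quarterly scanning requirement above is only met if every outward-facing system is in the scan and each one has a recent passing result. As an added example, not part of the presentation, this Python check takes a constructed inventory of internet-facing hosts (placeholder names) and constructed scan records, and lists the hosts that have no passing scan within the last quarter; treating "a quarter" as 90 days is this example's assumption.

```python
from datetime import date, timedelta

# Constructed inventory of the merchant's internet-facing hosts; names are placeholders.
EXTERNAL_HOSTS = ["shop.example.in", "pay-api.example.in", "vpn.example.in"]

# Constructed scan records (one per host per scan run), e.g. from the scanning vendor's reports.
SCAN_RECORDS = [
    {"host": "shop.example.in",    "date": date(2013, 1, 15), "passed": True},
    {"host": "shop.example.in",    "date": date(2013, 4, 2),  "passed": True},
    {"host": "pay-api.example.in", "date": date(2013, 4, 2),  "passed": False},  # failed, rescanned below
    {"host": "pay-api.example.in", "date": date(2013, 4, 20), "passed": True},
]

QUARTER = timedelta(days=90)  # assumption: "at least every quarter" read as 90 days


def scan_gaps(hosts, records, today):
    """Return {host: reason} for every inventoried host lacking a passing scan within the last quarter.

    Two distinct failure modes are reported: a host that was scanned but not recently enough,
    and a host that never appears in the scan output at all (the inventory given to the
    scanner was incomplete, so the scan never covered it).
    """
    gaps = {}
    for host in hosts:
        passing_dates = [r["date"] for r in records if r["host"] == host and r["passed"]]
        if not passing_dates:
            gaps[host] = "never passed a scan"
            continue
        last = max(passing_dates)
        if today - last > QUARTER:
            gaps[host] = f"last passing scan {last.isoformat()} is older than a quarter"
    return gaps


if __name__ == "__main__":
    for host, reason in scan_gaps(EXTERNAL_HOSTS, SCAN_RECORDS, date(2013, 7, 10)).items():
        print(f"{host}: {reason}")
```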
Depending on payment card brand requirements, merchants and service providers may need to submit an SAQ or annual attestations of compliance for on-site assessments. Quarterly submission of a network scanning report may also be required.

7. Conclusion

PCI DSS helps all e-commerce merchants by setting out guidelines for customer data security and protection. Customers can have confidence and trust in merchants certified under PCI DSS while making e-transactions. The PCI Security Standards Council collects feedback on the PCI Security Standards from companies and stakeholders. This valuable input indicates that the standards issued by the Council can continue to provide a strong security framework for protecting the data of card holders.