14 Jan 2015, 12:26 — 5 min read
For what has been a predominantly cash-based economy for decades, India is warming up quite well to alternative modes of payment. According to a recent Frost & Sullivan report, credit, debit and other electronic payments grew 35 per cent over the previous year in terms of payment transactions, making India the 13th largest non-cash payment market globally.
However, the increase in non-cash transactions has come with a flip side: a rise in instances of fraud. Realizing the growing danger, the Reserve Bank of India put certain measures in place last year. It mandated that banks replace all card-swiping machines with chip-based ones that process a transaction only after the customer enters a PIN.
It also required all parties handling card payments or card information to be PCI DSS and PA-DSS certified. Though most retailers (big and small) have successfully migrated to PIN-based swipe terminals, there is still a lag on the PCI DSS front, perhaps because of a lack of awareness of the standard and of the procedure for getting certified. While large retailers have the wherewithal to dedicate resources to at least gathering the basic know-how, the same cannot be said of small retailers. “From my discussions with various people from other retail companies, I gathered that at least one of them is considering going for PCI DSS. Perhaps the reason for brick-and-mortar retailers not opting for it so far is lack of clarity on things like how long it takes; or perhaps they are waiting for someone to take the lead and see how it goes for them,” said Vikram Idnani, Head – IT, Trent Ltd, which recently got certified for PCI DSS across all its formats.
What is PCI DSS?
PCI DSS is the global data security standard adopted by the payment card brands for all entities that process, store or transmit cardholder data. According to CA Priyadarshan Behera, a PCI DSS expert, the idea of PCI DSS was conceived by the major credit card companies themselves.
The idea was to help organizations that process card payments in a way that would obstruct fraud arising from hacking and various other threats. With that objective, the five major credit-card companies, namely Visa, MasterCard, Discover, JCB and American Express, jointly created the PCI DSS in 2004.
What does it entail?
Adhering to the PCI DSS is not a single event but a continuous, ongoing process, and it follows three steps. First, Assess: identify cardholder data, take an inventory of your IT assets and business processes for payment card processing, and analyze them for vulnerabilities that could expose cardholder data. Second, Remediate: fix those vulnerabilities, and do not store cardholder data unless you need it. Third, Report: compile and submit the required remediation validation records (if applicable), and submit compliance reports to the acquiring bank and card brands you do business with. The standard itself consists of twelve common-sense requirements that mirror security best practices:
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a policy that addresses information security for all personnel
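To illustrate the Assess step above (identify cardholder data) together with Requirement 3 (protect stored cardholder data), here is an added Python example that is not from the article or from any organisation quoted in it: it scans point-of-sale log lines for Luhn-valid card numbers and masks each one to its first six and last four digits, the most PCI DSS permits to be displayed. The log lines, terminal names and card numbers are constructed test values.

```python
import re
from typing import List

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Mask a PAN to its first six and last four digits (the most PCI DSS lets you display)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def _digits_if_pan(match) -> str:
    """Bare digits of the regex match if it is a Luhn-valid PAN, else an empty string."""
    digits = re.sub(r"[ -]", "", match.group(0))
    return digits if luhn_valid(digits) else ""

def find_pans(text: str) -> List[str]:
    """List every Luhn-valid card number (digits only) found in text."""
    # A Luhn-valid match can still be a false positive (about 1 in 10 random numbers pass),
    # so each finding should be confirmed against the process that wrote the data.
    return [d for d in (_digits_if_pan(m) for m in PAN_CANDIDATE.finditer(text)) if d]

def _redact_match(match) -> str:
    digits = _digits_if_pan(match)
    return mask_pan(digits) if digits else match.group(0)   # leave non-PANs untouched

def redact(text: str) -> str:
    """Rewrite text with every Luhn-valid PAN replaced by its masked form."""
    return PAN_CANDIDATE.sub(_redact_match, text)

# Constructed sample of POS log lines; the card numbers are well-known test values.
SAMPLE_LOG = """\
2015-01-14 12:26:01 POS-07 sale ok card=4111 1111 1111 1111 amt=1299.00
2015-01-14 12:27:45 POS-07 sale ok card=3782-822463-10005 amt=450.00
2015-01-14 12:28:10 POS-03 refund ref=1234567890123456 amt=99.00
2015-01-14 12:29:02 POS-03 support line +91 98765 43210
"""

if __name__ == "__main__":
    print(find_pans(SAMPLE_LOG))    # ['4111111111111111', '378282246310005']
    print(redact(SAMPLE_LOG))
```

The refund reference on the third line matches the digit pattern but fails the Luhn check, so it is reported as neither a finding nor a redaction.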
Who is it for?
“Any merchant that accepts payment cards (big or small, i.e. a single store or a multi-store chain) is required to be compliant with the PCI Data Security Standard (PCI DSS), even if you outsource your credit card processing,” said a representative from the PCI Security Standards Council. “The PCI Security Standards Council develops the standard but we are not involved in the compliance process. You can find out your exact compliance requirements only from your payment brand or acquirer,” the spokesperson said.
PCI DSS is basic hygiene among international retailers, irrespective of their size, as they want to protect their customers from misuse and fraud.
By Rahul Ingle