Abhay Bhargav (India) - PCI Compliance - an Indian Perspective

PCI Standards are vital for storing, processing and transmitting cardholder data. Abhay Bhargav, Founder of we45, discusses why India needs to adopt payment standards to protect online merchants.

Compliance requirements have evolved in response to myriad security incidents, especially in enterprises, which have urged industry bodies and regulatory bodies to create standards that define the information security baseline for entities operating in a particular industry. For instance, after several high-profile hacks of TJ-Maxx (2007) and CardSystems (2005), the five payment brands Visa, MasterCard, Amex, JCB and Discover came together to create the PCI-DSS (Payment Card Industry Data Security Standard), a prescriptive standard providing twelve stringent security requirements that enterprises handling card data have to comply with. I will focus on the PCI standards and their application in the Indian enterprise scenario, along with some of the challenges faced in PCI Compliance.

The PCI Standard applies to entities that store, process or transmit cardholder data. Typical entities that handle cardholder information are merchants, whose cardholders shop on a daily basis, either online or through stores, kiosks, agents etc. Other entities handling cardholder data are payment processors. Payment processors are entities that route and forward payment transactions on behalf of the banks or the payment brands. Another category of entities that falls under the purview of the PCI Standards is the 'Third Party Service Provider': these are entities that handle cardholder information on behalf of their clients. Typical examples are BPOs handling voice and data, which also handle credit card information for some clients, and software development companies creating customized applications that are deployed in a PCI environment at their client's location.

PCI Compliance has been adopted partially by Indian entities. The trend has typically been that American/European companies - having outsourced their key business processes to Indian BPOs/KPOs - have mandated the need for these service providers to get compliant. Several BPOs have had their client processes linked to the payment card industry certified under the PCI Standard. Several software development companies whose ODCs (Offshore Development Centers) handle application development and production support in a client's PCI environment have also become compliant under the PCI Standards. Payment brands have mandated that payment processors get certified with the PCI standards to stay in business. Payment processors handle a gigantic volume of cardholder data, and compliance is essential to the security of cardholder information.

Payment processors across the country are largely compliant with the PCI Standard. However, PCI Compliance has not been adopted by merchant establishments in India, and this remains a trend that causes concern. Large merchants handle a large quantity of credit card/debit card information on a daily basis, and a compromise of cardholder information at a merchant establishment would result in a large setback to the payment card industry in general, purely because of the volumes involved.

The key challenge that most entities have with PCI Compliance is with the expectations of the standard. Several Indian companies are compliant with ISO-27001 and consider PCI to be a simple extension of the ISO standard. This is a misconception, as the PCI Standard is a prescriptive control standard, whereas ISO-27001 is a security framework in which the controls are derived from the organization's own risk assessment practices. Organizations especially find it difficult to grapple with some of the technically rigorous requirements (e.g. web application security).

PCI also mandates an annual penetration test, conducted both externally and internally. A penetration test requires the organization not only to identify vulnerabilities, but also to attempt penetration against vulnerable devices and identify how an attacker could gain access to data. Most companies do not meet this requirement, as they conduct a cursory vulnerability assessment that largely lacks depth and makes no attempt at penetration. Another key element of PCI Compliance is maintaining compliance post-certification. This is a major challenge for many companies, as they find that the security procedures they define are not consistently followed throughout the year, and several non-conformances are found over the course of the year.

PCI Compliance is an important compliance requirement that is adopted the world over. However, the adoption of the standard in India is closely linked to the rise in awareness of information security in India, and to mandates by the payment brands to increase the level of compliance in India.

By Abhay Bhargav, Founder and CTO at the we45 Group. Please visit the we45 website for further information.