As the world moves towards digital means of payment, concerns have also grown over the security and protection of cardholder information. According to the PCI Security Standards Council, more than 500 million cardholder records containing confidential information have been breached since 2005.
Merchants who accept digital forms of payment are at the centre of digital payments and can become victims of financial fraud at multiple points, including:
• The point-of-sale device or machine
• Wireless hotspots
• Connected computer or any other device
• Transmission of the cardholder data to the service provider.
According to a business survey conducted by Forrester Consulting, a majority of businesses conduct activities that increase the risk of card fraud, including storage of the card number, expiration date, verification code, and customer data.
Introduction to Data Security Standard (DSS)
The Payment Card Industry Data Security Standard (PCI-DSS) is a security standard that is mandatory for organizations handling payments with cards issued by the major card brands, including MasterCard, Visa, and American Express.
The standard applies to all card brands and is administered by the PCI Security Standards Council. Its sole aim is to protect cardholder data and reduce card fraud.
The objective of PCI-DSS is the protection of cardholder data during storage, processing, and transmission. Cardholder account information includes the unique primary account number (PAN) printed on the front of every card.
Merchants and service providers who process card payments must never store sensitive information about the transaction after authorization. This includes the confidential data stored on the card's magnetic stripe, along with any personal identification information entered by the cardholder.
The PCI Data Security Standard specifies 12 mandatory requirements, grouped under 6 control objectives, as listed below:
1) Building and maintaining a secure network, which includes:
* Installing a secure firewall to protect cardholder data.
The firewall restricts (or blocks) all traffic from untrusted networks and prohibits direct public access between the Internet and the cardholder data environment.
* Changing vendor-supplied default passwords and other security parameters.
This is important because most card fraudsters are able to break into the internal network using these default passwords.
2) Protection of cardholder information, which includes:
* Encryption of cardholder information that is transmitted over public networks.
Encryption renders the transmitted data unreadable to any unauthorized person. Cryptographic security protocols such as SSL/TLS or IPsec can be used to safeguard customer data.
* Protecting stored cardholder data.
Sensitive data from the card's magnetic stripe or chip must not be stored. If the PAN needs to be stored, it must be stored in an unreadable format. Limit the duration for which cardholder data is stored.
3) Maintenance of a vulnerability management program, which includes:
* Using and regularly updating anti-virus software on all systems.
Harmful viruses can enter the network through email and other online activity. Anti-virus software is an effective tool for protecting computer systems from external attacks.
* Developing and maintaining secure systems and applications.
Security vulnerabilities in systems and applications can enable cyber criminals to access the PAN and other sensitive data. Ensure that all systems and applications are updated with the latest security patches from the vendor.
4) Secure access control measures, which include:
* Restricting business access to cardholder information.
Limit access to confidential cardholder data to only those users whose work requires it. Additionally, restrict access to the least amount of data required for the business purpose.
* Assigning a unique ID to every person with computer access.
This makes it possible to trace whether access to critical data was performed only by authorized persons.
5) Restricting physical access to cardholder data.
Physical access to cardholder data must be restricted for all onsite personnel and visitors, and this covers all paper and electronic media.
6) Regular monitoring and testing of networks, which includes:
* Tracking and monitoring all access to network resources and cardholder data.
This includes the use of logging mechanisms and the tracking of user activities.
* Regular testing of security procedures and processes.
Periodic testing of security controls is important, along with internal and external network scans.
7) Maintaining an information security policy, which includes:
* Maintenance of a company policy that addresses information security.
This includes establishing a security policy that addresses all PCI-DSS requirements, along with an annual process to identify vulnerabilities.
This set of requirements is mandatory for companies that manufacture devices that accept and process PIN-based transactions or any other type of digital payment.
Financial institutions, merchants, and service providers must ensure that they use only devices approved for PTS (PIN transaction security).
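As an added example that is not part of the original text, the following Python shows how a merchant application might satisfy two of the requirements above: storing the PAN only in an unreadable form (objective 2, protecting stored cardholder data) and keeping full PANs out of the audit logs that objective 6 requires. The test PAN, the log line and the HMAC key are constructed sample values; in practice the key would be held in a separate, access-controlled key store.

```python
import hashlib
import hmac
import re


def luhn_valid(pan: str) -> bool:
    """Return True if a 13-19 digit string passes the Luhn check used for card PANs."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: keep at most the first six and last four digits."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def protect_pan(pan: str, key: bytes) -> str:
    """Render a PAN unreadable for storage using a keyed HMAC-SHA256 (hex).

    An unkeyed hash is not enough: the space of valid PANs is small enough to
    enumerate, so the secret key is what makes the stored value unrecoverable.
    """
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return hmac.new(key, pan.encode("ascii"), hashlib.sha256).hexdigest()


_DIGIT_RUN = re.compile(r"\b\d{13,19}\b")


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid digit run in free text (e.g. a log line) with its masked form."""
    return _DIGIT_RUN.sub(
        lambda m: mask_pan(m.group(0)) if luhn_valid(m.group(0)) else m.group(0), text)


# Constructed sample values: 4111111111111111 is a well-known test PAN, not a real account.
SAMPLE_PAN = "4111111111111111"
SAMPLE_KEY = b"example-key-kept-in-a-separate-key-store"
SAMPLE_LOG = "2024-01-01 12:00:00 auth ok pan=4111111111111111 amount=12.50"
```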