PCI SSC, Nitin Bhatnagar, CIO News, ET CIO

Recently, the Payment Card Industry Security Standards Council (PCI SSC) released PCI Data Security Standard (DSS) version 4.0, the first major update to the security standard since 2018. The current version of PCI DSS will remain active for two years, until March 31, 2024, to give organizations time to understand and implement the changes required by version 4.0.

Marching towards future goals, Nitin Bhatnagar, Regional Director of the Payment Card Industry Security Standards Council, discusses with ETCIO some upcoming announcements, the rise of tokenization, hurdles, CIO/CISO role, and IoT disruption that will affect fintech in 2023.

After PCI DSS v4.0, can you please elaborate on the upcoming MPoC for contactless payments? How will it affect the fintech sector?

Well, I’m really excited about Mobile Payments on COTS, or MPoC, because it represents where the industry is going. The whole idea is that an organization can use a simple, familiar device – a COTS device, a Commercial-Off-The-Shelf device – in a variety of different ways for conducting their business, whether they buy it themselves and download some software, have it configured by a service provider, or receive the device from their service provider. This whole change in how payments are going to be processed and how payments are processed is fundamental to the shift in the industry away from hardwired devices to devices that are always available, always turned on, and where transactions can occur anywhere.

MPoC is an evolution from our prior efforts in that area, SPoC and CPoC, that represents a significant expansion, a deepening, and broadening of what we’re trying to provide to the industry as far as guidance around how to implement these devices and these business models.

The industry agrees, not just in having already adopted these devices and these business models, but in the response from the industry on our standard. We’ve had two Requests for Comments (RFCs) on the standard so far. We’re still working on it. We do expect the standard to be released close to the end of this year. As we get closer, there’ll be more information on it. But it is one of those foundational standards for our future, representing how payments are changing and how payments are expected to change.

What are the challenges PCI faces? How does managing and evolving the stakeholders play a key role for PCI today?

PCI Standards are global and in order to influence the standards there is a need for regional involvement as PCI SSC Participating Organizations and Affiliate Members. So, not exactly the challenge, but getting them to come together and bridge a gap between the industry stakeholders is the focus.

With significant feedback from payment stakeholders, we recently released the PCI Data Security Standard (DSS) v4.0 which aims to promote security as a continuous process, add flexibility for different security methodologies, and enhance validation methods. So, we have to work shoulder to shoulder. We have to coordinate with the stakeholders to make sure they’re all in sync. We try to bring them on the same page. So, the integration or the implementation of things is seamless, and there are no hazards. This is an ongoing journey.

With the increase in cyberattacks on Indian organizations, what are the key areas that CIOs/CISOs should emphasize?

Recent breach incidents emphasize the need for payment security to ensure the continued growth and momentum of digital payments in the region. Any organization or anyone in an executive leadership position, such as CISOs or CIOs, must ensure that the processes and mechanisms for installing and maintaining network security controls are well-defined, configured, and properly maintained.

Second, CISOs and CIOs should restrict network access to and from any environment containing cardholder data or any payment data. Any network connection between trusted and untrusted networks must be controlled, as must the risk posed by computing devices that can connect to both trusted and untrusted networks. Finally, getting employees trained on PCI Security Standards and improving on cyber hygiene will help organizations take steps in the right direction in protecting payment data.

The impact of tokenization has risen tremendously. But how can it be leveraged to its full potential? What would you say to fintech?

Technology is only as good as its implementation. To minimize risk and fraud, data needs to be desensitised and devalued. This is where technologies that devalue data, such as tokenization, P2PE, EMV and 3DS, can play a critical role in helping prevent theft incidents from becoming breaches. The goal of these technologies is to eliminate persistent value in the data you use to conduct a transaction. So, if a criminal attacks and steals data, there is no threat to the system, the consumer, and/or the merchant. PCI SSC provides standards and programs to support the secure implementation of these technology solutions.

Payments data security is one of the most critical aspects of security for any Fintech. With the sudden and recent boom of the payment ecosystem in India, it requires and needs intensified protection against any sort of fraud, counterfeit payments, and misuse of accounts and payment details of any form.

By learning to adopt best practices, a FinTech startup can stand the test of time. What are those defined best practices?

Criminals are still being successful with basic attacks and creating new ways to infiltrate systems and steal valuable data that they can then use to commit fraud. The “low-hanging fruit” – weak passwords, outdated and unpatched software, and insecure remote access – are at the root of most data breaches. These can be addressed by implementing and maintaining a strong data security foundation that addresses people, processes, and technology. Today, it’s important to look at:

  • Strong Passwords – The use of weak and default passwords is one of the leading causes of payment data breaches for businesses. Watch this quick animated video to learn how businesses can minimize their chances of being breached by changing vendor default passwords to strong ones, and never sharing passwords.
  • Secure Remote Access – Insecure remote access is one of the leading causes of payment data breaches for businesses. Watch this quick animated video to learn how businesses can minimize their chances of being breached by only allowing remote access when necessary and using multi-factor authentication.
  • Patching – Unpatched software is one of the leading causes of payment data breaches for businesses. Watch this quick animated video to learn how businesses can minimize their chances of being breached by installing software patches quickly.

How will IoT security take the lead as IoT deployments accelerate? How could organizations follow it?

IoT security is becoming a buzzword now. PCI Security Standards Council (PCI SSC) and the Consumer Technology Association (CTA) issued a joint bulletin to highlight the importance of Internet of Things security. When discussing IoT security, one of the first steps is to seek a common understanding and definition of an IoT device.

An IoT system involves a physical device that connects to a switched or wireless network for the purposes of access and control. IoT systems may be connected to open networks, such as the Internet, or closed private networks. An IoT device may have supplementary functions provided through remote execution, such as an application running on a phone, tablet, local, or cloud-based computing system.

As IoT devices become more widespread, their use and deployment are increasingly crossing into areas of account-based payments. This may be incidental, with IoT devices deployed within a business environment where payments are also being processed, or more direct, with an IoT device being used to accept, perform, or authorize payments on behalf of a user. When considering a deployment of IoT devices, the security of the devices and the payment data needs to be considered throughout the device lifecycle. Some questions organizations should ask include:

  1. Are the devices designed with security in mind?
  2. Are the devices deployed securely?
  3. Are these devices able to be maintained securely until decommissioning?

These are critical questions that should be put across while deploying any IoT device, and that’s where the PCI SSC Data Security Standard (DSS) and the C2 Consensus Control are excellent starting points when thinking about the deployment of an IoT device and the environment in which an IoT system may be deployed.