Nitin Bhatnagar

Cyber security is one of the significant national security challenges that countries face all over the world. In India, according to the Reserve Bank of India, as of March 31, 2019 the numbers of debit and credit cards issued were 925 million and 47 million, respectively. According to another study, total transaction value in the digital payments segment amounts to US$64,787m in 2019 and is expected to double to $135.2 bn by 2023. While this growth presents new opportunities for businesses in India, it also makes India a desirable target for cybercriminals.

The safety and security of the payment ecosystem is critical to the continued growth and adoption of digital payments in India and globally. The PCI Security Standards Council’s (PCI SSC) focus in India is to foster increased payment security in the region through awareness and adoption of PCI Security Standards, and to grow participation from Indian organizations in PCI SSC’s mission to improve payment security globally.

A strong data security foundation starts with people, process and technology. The PCI Data Security Standard (PCI DSS) provides a foundation of security controls that, when implemented and continuously monitored, offers the best protection for payment card data before, during and after a purchase is made. Any organization that stores, processes and/or transmits cardholder data should continuously monitor and enforce the use of controls specified in the PCI DSS.

In addition to the PCI DSS, there are currently 13 other PCI Standards that apply to different entities and different parts of the payment lifecycle to improve security of cardholder data and enable technology solutions that devalue payment data and remove the incentive for criminals to steal it. These include standards for merchants and financial institutions on security practices, technologies and processes, and standards for developers and vendors for creating secure payment products and solutions. PCI SSC also maintains programs that support the implementation of these standards by businesses, which include listings of tested and approved technology products and solutions.

As payments and technology evolve, PCI SSC continues to develop new standards and evolve existing standards to meet the needs of the global payments industry and improve security for card-rooted payment channels, while facilitating better payment experiences and adapting to advancements in technology.

For example, with a growing number of merchants now using smartphones and other commercial off-the-shelf (COTS) mobile devices to take payments, PCI SSC is developing new mobile payment acceptance standards that leverage security techniques to provide proactive controls for managing threats and protecting data. These include the PCI Software-based PIN Entry on COTS (SPoC) Standard, as well as the PCI Contactless Payments on COTS (CPoC) Standard currently planned for release in December, which is aimed at standardizing the security of solutions that enable merchant acceptance of contactless payments on their COTS device without the need for any additional hardware.

People are a critical part of keeping payment data safe and secure. To help with understanding, implementing and maintaining the PCI Security Standards as part of business-as-usual activities, PCI SSC provides training for merchants, service providers and banks. This includes PCI Professional (PCIP) and Internal Security Assessor (ISA) Training.

PCI SSC also provides a broad range of certification programs for security professionals that support the implementation and assessment of PCI Security Standards. Each year the PCI SSC trains and qualifies more than 6,500 people globally.

Most recently, the Council introduced new training and certification opportunities for eligible security professionals to assess payment software vendors’ software lifecycle management practices and payment software products to the PCI Secure Lifecycle and Secure Software Standards, which are part of a new PCI Software Security Framework (PCI SSF). Security of payment software is a crucial part of the payment transaction flow and is essential to facilitate reliable and accurate payment transactions.

Collaboration is at the heart of the Council's mission to help secure payment data globally. As a global forum, we bring together payments industry stakeholders to develop and drive implementation of data security standards and resources for safe payments worldwide.

This is why we strongly encourage organizations in India to join the PCI SSC as Participating Organizations. POs can review and provide input on standards as they are being developed via the request for comments (RFC) process. At the end of October, PCI SSC will open an RFC for the next version of the PCI DSS (v4.0), which will give companies the opportunity to participate in the ongoing evolution of this core data security standard by reviewing proposed updates and providing feedback.