
PCI Standards for India’s Emerging Digital Payment Modes


The “Digital India” initiative launched in 2015 and the demonetization campaign of November 2016 by the Government of India have given a major boost to the country’s digital ecosystem. Along with initiatives such as “DigiShala”, the government has aimed at building an ecosystem for a ‘cashless economy’. Other initiatives such as the National Optical Fibre Network (NOFN) and the introduction of the Unified Payments Interface (UPI) and Bharat Interface for Money (BHIM, NPCI’s UPI-based mobile application) can support faster adoption of, and transition to, digital payments.

In fact, India’s digital payment industry, currently worth around USD 200 billion, is expected to grow five-fold to reach USD 1 trillion by 2023, according to a report by the Swiss financial services company Credit Suisse. The global digital payment market is expected to reach USD 21 trillion by 2020.

This growth has also opened up more opportunities for cyber pickpockets to steal card details, PINs and mobile wallet credentials and siphon off money. Cybersecurity is therefore one of the most critical challenges faced by stakeholders of the digital payment ecosystem: as more users prefer digital payments, their exposure to risks such as online fraud, information theft and malware attacks increases as well.

Emerging Digital Payment Modes in India

One of the biggest recent changes in the payments industry is the variety of payment modes. Handheld devices have overtaken all other channels because of the ease and convenience with which transactions can be made on them. The government and the banks have undertaken multiple initiatives to promote digital payments in urban locations, to accelerate penetration into the hinterlands of the country and to build trust among first-time users. The push from the government also spurred interest from fintech companies that had the technology but lacked momentum. With the collective efforts of the RBI, NPCI and the government, a robust backbone for digital payments in India has been created through systems such as the Unified Payments Interface (UPI), Bharat Interface for Money (BHIM), BHIM Aadhaar and the Bharat Bill Payment System (BBPS).

The following are the major digital payment modes currently in use in India:

1. Card payments – the major payment brands such as Mastercard, Visa, American Express, JCB and Discover
2. UPI (Unified Payments Interface) applications such as BHIM
3. Wallet applications such as Paytm, FreeCharge and PhonePe
4. AEPS (Aadhaar Enabled Payment System)
5. Mobile banking

Cybersecurity for Digital Payments

To ensure that sensitive data is not compromised while people use the different digital payment modes, robust security across devices is essential.

For card data we have PCI DSS (the Payment Card Industry Data Security Standard), a set of stringent requirements for a secure environment in which cardholder data is stored, processed or transmitted.

Wallet applications adhere to the PPI (Prepaid Payment Instruments) guidelines issued by the RBI (Reserve Bank of India) in circular RBI/DPSS/2017-18/58, Master Direction DPSS.CO.PD.No.1164/02.14.006/2017-18.

UPI-enabled payment services follow the guidelines formulated by NPCI in circular NPCI /UPI/OC No. 15B/2017-18.


Below is a screenshot of a payment page showing the different payment options:

[Screenshot: payment page listing the available payment options]

If we look closely at the screenshot above, we see that each payment mode follows a different set of guidelines, even though the ultimate goal, keeping payment data secure, is the same. A single organization therefore undergoes multiple audits of the same servers and set-up. The result is audit fatigue: organizations lose focus on security and simply check the box.

Although the RBI, as the regulator, has taken important initiatives in securing digital payments and has issued guidelines for payment modes such as UPI and PPI, the underlying challenge is whether those guidelines can be used as auditable controls.

For instance, the RBI guidelines require “testing of vulnerabilities” within a “reasonable” amount of time. The word “reasonable” is generic and is interpreted differently by different people. By contrast, PCI DSS states the same vulnerability assessment requirement (Requirement 11.2) prescriptively:

  • Internal and external vulnerability scans must be run on all in-scope systems at least quarterly.
  • Internal and external scans must also be run after any significant change in the network.
  • Scans are repeated until passing results are obtained (all “high-risk” findings resolved for internal scans, a passing scan for external ones), and external scans must be performed by a PCI SSC Approved Scanning Vendor (ASV).

Tailoring of PCI DSS standards to other Digital Payment Forms

The PCI DSS standard contains 12 detailed requirements across six security areas. Of these, only Requirements 3 and 4 deal with card data itself; the rest of the standard focuses on protecting the environment in which card data is handled, ranging from firewall configuration and system hardening to anti-malware and log monitoring.

Requirements 3 and 4 are designed to protect cardholder data and sensitive authentication data for card payments: Requirement 3 while the data is stored, Requirement 4 while it is transmitted over open, public networks. The same set of controls can be used to secure the identification and authentication data of the other digital payment modes.

[Table: type of assessment, PI data and authentication data]
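As an added illustration (example code written for this edit, not SISA’s code and not part of the PCI standard), the following Python shows what the storage-side controls of Requirement 3 look like when implemented, applied to a card PAN and, in the spirit of the article’s proposal, to a UPI virtual payment address. The HMAC key, the field names and the sample values are constructed assumptions.

```python
"""Added example for this article (not SISA's code): the storage-side
controls of PCI DSS Requirement 3 applied to a card PAN and, as the
article proposes, to a non-card identifier such as a UPI VPA.

Controls shown (PCI DSS v3.2.1 numbering):
  3.2  sensitive authentication data (CVV2, PIN block, track data) is
       never stored after authorization;
  3.3  PAN is masked when displayed, showing at most first six/last four;
  3.4  stored PAN is rendered unreadable, here with a keyed hash (HMAC)
       so the value is still usable for matching.
Key, field names and sample data are constructed assumptions.
"""
import hashlib
import hmac
import re

# Constructed key for the example. In a real deployment it lives in an HSM
# or key-management service (Requirements 3.5 and 3.6), never in source.
HMAC_KEY = b"example-only-key-do-not-use"

# Fields that are sensitive authentication data and must never be persisted.
SAD_FIELDS = {"cvv2", "cvc2", "cid", "pin", "pin_block", "track1", "track2"}


def luhn_valid(pan: str) -> bool:
    """Luhn check so malformed PANs are rejected before they are stored."""
    total = 0
    parity = len(pan) % 2
    for i, ch in enumerate(pan):
        d = int(ch)
        if i % 2 == parity:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Requirement 3.3: show at most the first six and last four digits."""
    if not re.fullmatch(r"\d{13,19}", pan) or not luhn_valid(pan):
        raise ValueError("not a well-formed PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def mask_vpa(vpa: str) -> str:
    """The same masking idea applied to a UPI VPA (user@psp): keep the PSP
    handle and the first two characters of the user part."""
    user, sep, psp = vpa.partition("@")
    if not sep or not user or not psp:
        raise ValueError("not a well-formed VPA")
    return user[:2] + "*" * max(len(user) - 2, 1) + "@" + psp


def render_unreadable(identifier: str) -> str:
    """Requirement 3.4: keyed one-way hash over the entire identifier.

    An unkeyed SHA-256 of a PAN is not good enough: with the BIN known, the
    remaining digits are few enough to brute-force. PCI DSS v4.0 requires
    keyed hashes for this reason (Requirement 3.5.1.1)."""
    return hmac.new(HMAC_KEY, identifier.encode(), hashlib.sha256).hexdigest()


def storable_card_record(record: dict) -> dict:
    """Return the only form of a card record that may be persisted after
    authorization. Receiving SAD during authorization is normal; having it
    in the record at storage time is a data-flow bug, so it is rejected."""
    present = SAD_FIELDS & set(record)
    if present:
        raise ValueError(
            f"sensitive authentication data must not be stored: {sorted(present)}")
    pan = record["pan"]
    return {
        "pan_masked": mask_pan(pan),         # for display and receipts
        "pan_hmac": render_unreadable(pan),  # for matching and lookup
        "expiry": record.get("expiry"),
        "cardholder": record.get("cardholder"),
    }


if __name__ == "__main__":
    # Constructed sample input; 4111 1111 1111 1111 is a well-known test PAN.
    auth_request = {"pan": "4111111111111111", "expiry": "12/29",
                    "cardholder": "A PATEL", "cvv2": "123"}
    post_auth = {k: v for k, v in auth_request.items() if k not in SAD_FIELDS}
    print(storable_card_record(post_auth))
    print(mask_vpa("ankita@upi"))
```

Because the hash is keyed, the masked and hashed forms of the same PAN can sit side by side without the visible digits helping an attacker reverse the hash; with an unkeyed hash that combination is exactly what PCI DSS warns against. The two functions map directly onto the article’s suggestion: treat a VPA or similar identifier as PI data and give it the same display-masking and unreadable-at-rest treatment a PAN receives.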

Organizations that are already PCI compliant can extend the scope of their assessment to all other payment modes rather than limiting it to card payments. This is a practical answer to audit fatigue. Commercially it is also more economical: it saves the time, money, resources and effort spent on multiple audits of a single organization.

From a technical standpoint, it also improves payment data security, because a single set of prescriptive controls leads to standardization.

SISA, which has pioneered payment security over the last decade, has been actively engaging with the community on the need for a single framework, based on the PCI DSS standard, across all digital payment channels. The need for a uniform security standard has emerged from SISA’s numerous client engagements. With such a framework, SISA anticipates less ambiguity and better security for all the emerging digital payment forms in India.


Resources followed for the article:

  • https://economictimes.indiatimes.com/tech/internet/as-india-braces-for-digital-payments-future-how-secure-are-banks-from-cyberattacks/articleshow/56073576.cms
  • https://www.dsci.in/content/securing-india%E2%80%99s-digital-payment-frontiers
Author
Dharshan Shanthamurthy
Dharshan is the Founder & CEO of SISA (www.sisainfosec.com), a global cyber security company that specializes in payment data security. He was the first PCI QSA recognized by the PCI Council in India. He is a leading payment forensic investigator for the PCI Council and has led many payment forensic investigations of strategic importance. Dharshan was assisted by Ms. Ankita Patel from SISA in authoring this document.