Dave Howell, senior manager, PCI Solutions, RSA, talks to Biztech2 about the latest version of the Payment Card Industry (PCI) Data Security Standard (DSS) and shares his insights on the benefits and compliance challenges associated with the standard.
What are some of the incentives for complying with PCI DSS?
PCI DSS assesses an organisation’s security mechanisms for all the systems in which customer data is stored or processed. Hence, the biggest and most obvious incentive for complying with PCI DSS is the higher level of security that is brought in to protect customers’ personal data. However, it’s not the only reason for merchants, banks and financial institutions to implement DSS. By achieving compliance, they can bolster customer confidence, maintain customer trust and safeguard their reputation. It also provides them with increased protection against financial losses and remediation costs that can arise from security breaches.
Besides this, payment card companies such as Visa have started offering monetary rewards to banks and merchants in order to drive adoption. By demonstrating compliance, banks and financial organisations become eligible for financial rewards, lower interchange rates and lower transaction processing fees that they are required to pay for every transaction. These benefits can result in significant savings for banks and merchants.
On the DSS implementation front, what, according to you, are the areas of challenge?
There are some issues that are common across a majority of companies. In terms of technology, the biggest challenge that we see today is around data encryption. Many merchants and banks still find data encryption slightly tricky because not only is it difficult and expensive, but it can also cause problems for applications.
The other issue that a lot of companies are also grappling with is data monitoring and access. The standard requires constant monitoring of who is getting access to the system that has all the card data and asks companies to maintain a log of who accessed what data and at what time. This is a fairly tough ask.
Data storage is another challenge that worries a lot of them. Organisations are required to store all the information online for a certain amount of time and then offline for at least a year or so.
Section 6.6 of the standard calls for added protection for web-facing applications; does this mean that such applications are more at risk than, perhaps, a POS terminal?
Yes, I do think that is a clear indication of the fact that web applications are more at risk than other channels of transaction. The thing I would keep in mind, though, is which web application you’re talking about. The term might refer to an internal application that’s web-based or could even be a system on the web.
In my opinion, one of the greatest threat areas is hackers being able to access application data by means of SQL injection. By using this tool they can gain access to cardholders’ confidential credit card data and abuse it. So it makes all the more sense to fortify these applications.
The new 6.6 requirement states that all custom application code must be reviewed for common vulnerabilities by an organisation that specialises in application security or there must be a Web application firewall installed in front of Web-facing applications.
Where do you think the greater onus lies when it comes to protecting customer data?
Though traditionally banks and credit card companies have been responsible for safeguarding cardholders’ data, it can’t just be left to them. Whoever chooses to take that information is responsible for protecting it. If you are a merchant and you choose to accept cards, you have a responsibility to protect cardholders’ transaction data. Similarly, if you are a bank and you issue credit cards to your customers, then you have a responsibility to protect that information. I think you really have to look at where the data lies.
Customers are a part of the entire process as well, and they too have a responsibility in this. Consumers need to ensure that they are careful with their transactions when they are conducting their business, be it online or over the counter. Simple things, like doing business from a trusted website or tearing up the receipts when they complete a transaction in person, can go a long way in protecting crucial data.
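The SQL injection risk to cardholder data raised in the interview, and the access-logging requirement mentioned earlier, as an added illustration that is not part of the original article or of any RSA product: a lookup built by string concatenation beside its parameterised form, plus a small audit record of who queried which customer and when. The table, column names, customer ids and masked card values are constructed sample data, not real cardholder records.

```python
import datetime
import sqlite3

# Constructed sample data: masked placeholder values, not real card numbers.
SAMPLE_ROWS = [
    ("cust-001", "4111-XXXX-XXXX-1111"),
    ("cust-002", "5500-XXXX-XXXX-0004"),
    ("cust-003", "3400-XXXX-XXXX-0009"),
]


def build_db():
    """In-memory store standing in for a cardholder database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cardholder (customer_id TEXT PRIMARY KEY, pan_masked TEXT)")
    conn.executemany("INSERT INTO cardholder VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, customer_id):
    """Concatenates user input into the query text, so input can alter the WHERE clause."""
    sql = ("SELECT customer_id, pan_masked FROM cardholder WHERE customer_id = '"
           + customer_id + "'")
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, customer_id):
    """Binds the input as a parameter; the driver never treats it as SQL."""
    sql = "SELECT customer_id, pan_masked FROM cardholder WHERE customer_id = ?"
    return conn.execute(sql, (customer_id,)).fetchall()


def audited_lookup(conn, actor, customer_id, audit_log):
    """Parameterised lookup that also records who accessed what, and when."""
    rows = lookup_parameterised(conn, customer_id)
    audit_log.append({
        "actor": actor,
        "customer_id": customer_id,
        "rows_returned": len(rows),
        "at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
    })
    return rows
```

A code review of the kind requirement 6.6 describes would flag `lookup_vulnerable` and require the parameterised form; the audit entries are the sort of access record the monitoring requirement expects to be retained.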