Businesses thrive on ideas that bring convenience. We live in a world that pushes businesses to be scalable and adaptable to change. In the Fintech industry especially, there are numerous changes and risks that you have to be wary of at all times. When we talk about Fintech, it need not be just payment transactions; it could be a game, a video streaming app or even a payment gateway. Fintech on mobile comes with its own set of points to look at, and the one at the apex of them all is PCI DSS compliance.
Regardless of your app's background and the service you provide, you could land in quite a soup if you fail to adhere to the PCI security standards, because that failure can lead to a breach of cardholder data. The consequence? Fees and fines that can bring your business to its knees. The easier way past this is to know the PCI compliance basics. How do you do that? Here's the lowdown.
- What is PCI DSS and do you need it?
- How do you implement it and what is the scope?
- How do you maintain it?
So, what is PCI DSS? It is a technical standard created to protect credit and debit card details, also known as cardholder data. The reason it is so important today is that it helps prevent card fraud in organizations that transact online. So, as a compliance manager in any Fintech organization, it is of utmost importance that you achieve compliance, because that is how you close off the avenues through which fraud happens.
How do you implement this? In order of criticality, there are three basic points to understand. The most important of them is to protect stored cardholder data. This is the data printed on or stored in the card, and the applications that use it have to prevent unauthorized transactions or use, whether or not the application keeps a copy of that data.
The more important question that arises here is: why should the data be stored at all? PCI DSS lays out that cardholder data should not be stored unless it is absolutely necessary for business needs. In particular, the sensitive authentication data on the card (the full magnetic stripe or chip contents, the card verification code and the PIN) must never be stored after authorization. What are the steps to follow this?
PCI DSS requirement 3 covers this; these are the main highlights:
- Storage of cardholder data must be limited in time: keep it only as long as business, legal or regulatory needs require, under a documented retention policy, and run a process at least quarterly to identify and securely delete any stored data that has exceeded its retention period.
- Sensitive authentication data must not be stored after authorization, even if it is encrypted. The only exception is an issuer, or a company that supports issuing services, with a documented business justification for keeping it.
- The PAN must always be masked when displayed: at most the first six and the last four digits may be shown, and only staff with a legitimate business need may see more than that.
- The PAN must be rendered unreadable anywhere it is stored: on digital media, in logs, on backup media and in any data received from wireless networks. Accepted methods are a one-way hash of the entire PAN using strong cryptography, truncation, index tokens and pads, or strong encryption with proper key management. You need solid technical support to implement this, and that is exactly what we do at QRC solutions.
- Finally, the company must document and implement proper key-management procedures for the cryptographic keys used for any form of encryption of cardholder data.
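The three PAN controls above (masking for display, an unreadable storage form, and keeping PANs out of logs and outbound text) in one place, as an added example that is not part of the original article and not QRC's code. It uses only the Python standard library; the HMAC key and the sample log line are constructed for the example, and in a real deployment the key would come from a KMS or HSM under the key-management procedures the last bullet requires.

```python
import hashlib
import hmac
import re
from typing import List

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not embedded in a longer digit run.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test; separates real PANs from other long numbers."""
    total = 0
    for position, ch in enumerate(reversed(digits)):
        d = int(ch)
        if position % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalise_pan(pan: str) -> str:
    """Strip separators and reject anything that is not a plausible PAN."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    return digits


def mask_pan(pan: str) -> str:
    """Display form: at most the first six and last four digits are visible."""
    digits = normalise_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Storage form: keyed one-way hash (HMAC-SHA-256) of the whole PAN.

    An unkeyed hash could be reversed by hashing every possible PAN, so the
    key must be managed like an encryption key (kept in a KMS/HSM, rotated,
    never committed to source control). EXAMPLE_KEY below is a constructed stand-in.
    """
    digits = normalise_pan(pan)
    return hmac.new(key, digits.encode("ascii"), hashlib.sha256).hexdigest()


def redact_pans(text: str) -> str:
    """Replace every Luhn-valid PAN in free text (log lines, outbound messages)
    with its masked form; other long digit runs such as order numbers are left alone."""
    def _sub(match: re.Match) -> str:
        digits = re.sub(r"\D", "", match.group(0))
        if luhn_ok(digits):
            return mask_pan(digits)
        return match.group(0)
    return _PAN_CANDIDATE.sub(_sub, text)


def redact_lines(lines: List[str]) -> List[str]:
    """Apply redact_pans to a batch of log lines, e.g. before shipping them to a log store."""
    return [redact_pans(line) for line in lines]


# Constructed sample data, not from any real system.
EXAMPLE_KEY = b"constructed-example-key-use-a-kms"
SAMPLE_LOG = "INFO checkout ok card=4111 1111 1111 1111 order=1234567890123456 amount=12.00"

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    print(tokenize_pan("4111 1111 1111 1111", EXAMPLE_KEY))
    print(redact_pans(SAMPLE_LOG))
```

The order number in the sample log line is sixteen digits long but fails the Luhn check, so it survives untouched while the card number is masked; that distinction is what keeps a log redactor from destroying legitimate identifiers. The HMAC token is deterministic per key, so it can still be used to link transactions to the same card without storing the PAN itself.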
PCI DSS requirement 4 tells you to encrypt cardholder data transmitted across open, public networks. Why is this so important? It is relatively easy for attackers to intercept the transmission and capture cardholder data unless the application protects the data while it is in transit. The way to do this is encryption.
- The application should use strong cryptography and security protocols such as TLS 1.2 or later, IPsec or SSH to safeguard sensitive data during transmission, especially over public networks. SSL and early TLS (versions 1.0 and 1.1) are no longer considered strong cryptography and must not be relied on.
- An unprotected PAN must never be sent over end-user messaging technologies such as e-mail, instant messaging, SMS or chat.
The 6th requirement of PCI DSS is to develop and maintain systems and applications securely. This is mandatory for both external-facing and internal applications, and it applies equally to organizations whose payment applications are assessed by a PA-QSA.
- The requirement expects a properly documented software asset register of the libraries and tools used in the software development cycle. It must include the version number, where the software is used and a clear explanation of the function it provides, and it has to be maintained and updated regularly.
- A risk ranking must be assigned each time a vulnerability is identified in an item on the asset register, so that remediation can be prioritised by criticality.
- Security patches rated critical must be applied within one month of the vendor's release date or of the application upgrade. Patches with lower ratings have to be applied within 90 days of release.
- It is also mandatory that a software development life cycle based on industry best practices is used, so that the entire development process is documented and security and PCI requirements are addressed at every stage of development, from design and research through testing.
This ensures that any third-party developer is always aware of the finer details of the application. Each stage should be well documented, and the audits of the development process should be updated regularly.
- The developers of the Fintech app should also be trained in secure coding techniques appropriate to the app's language. This training has to keep pace with best practice so that a consistent level of quality is maintained.
- Public-facing web applications should also be protected by a web application firewall and by a regular web application vulnerability scanning process.
Without a doubt, PCI compliance needs to be adhered to in the Fintech industry. With the right approach and stringent quality measures, you will be able to build a robust application that keeps your data secure.