Ensuring security of payment card industries | THE DAILY TRIBUNE | KINGDOM OF BAHRAIN

Ensuring security of payment card industries

It is unthinkable now to live without the convenience of paying online, which has revitalized all types of e-commerce. Hence, online payment gateways have become a valuable and indispensable means for any business to ease the way its customers buy and pay for its products and services.

These gateways have revolutionised the way businesses can target and attract customers and have become an essential asset that many businesses struggle to survive without. 

Because these gateways require customers’ credit card information and other confidential data, and with substantial amounts being transacted and transferred every second, protecting and securing the data transferred has become vitally important, especially since these channels are considered gold mines by fraudsters.

Any leakage of customers’ data can lead to significant financial losses and can affect any business’s continuity and reputation. 

For this purpose, several major online payment gateway providers have worked together to build the Payment Card Industry Data Security Standard (PCI-DSS), which companies can implement and maintain to secure their online financial transactions and their customers’ information, as well as to avoid potential cases of fraud.

It is an integrated and systematic framework that was established based on globally adopted payment standards and good practices, and ensures the implementation of guidelines and mandates for companies to manage their electronic payment mechanisms delivered by major providers such as Visa, MasterCard, American Express, Discover and JCB. 

These guidelines were first released in December 2004 and were recently updated in April 2016.

This standard has become a mandate for companies that provide or use online payment services and where customers’ credit card information is being transmitted; compliance must be verified at least once annually. It is currently administered by the Payment Card Industry Security Standard Council, which encompasses all of the major providers mentioned above.

The employment of such a standard requires systematic implementation of six main pillars to ensure the proper establishment and continual improvement. 

Initially (the first pillar), the implementation involves building and maintaining a secure network, which is essential as all of the components that drive the online payment gateway are connected together through a network and any breach of that network can lead to the theft of numerous financial records.

Hence, security controls will have to be established on all network components to prevent fraudsters from virtually accessing the payment gateway channel and stealing information. 

The second pillar focuses on protecting cardholders’ data which includes any information processed or stored on a payment card including the cardholder’s name, expiration date and PIN code, which are entered into the online payment gateway to complete a transaction. 

As businesses store this information for recording and accounting purposes, controls will have to be established to secure the printing, storage and transmission of any parts of it throughout the businesses’ processes and network.  

While the network and information are protected, companies will have to maintain a vulnerability management programme, which is the third pillar of the standard. 

This involves systematic and continuous review of the effectiveness of the implemented information security controls to identify weaknesses and areas of improvement. It includes the review and assessment of established information security procedures, systems, controls and more to validate if they could be exploited. 

After that, the standard concentrates on implementing strong access control measures, which are essential to permit or deny dealers (i.e. businesses) access to the credit card information they need, and to determine which pieces of it they may access; access will be granted on a need-to-know basis. This fourth pillar involves physical controls, which entail the use of locks or access measures on paper-based transaction and credit card records, as well as logical controls, which entail the use of systems to restrict access to digital files that contain cardholder information.

The fifth pillar focuses on regular monitoring and testing of networks which are the endpoints in the online payment gateway. Vulnerabilities in network components are present and fraudsters are always on the lookout. Hence, businesses must regularly assess their network setup and components to identify and fix gaps. 

The sixth and final pillar emphasises maintaining an information security policy within any organisation, which is necessary to set the guidelines to be followed by all staff, indicate the impact of any potential leakage, and inform staff of their roles and responsibilities in the entire endeavour.

These pillars mostly require controls that are methodical and involve configuration of infrastructure components which must be improved and sustained over time. Thus, information security processes and audits will have to be established by organisations to regularly assess their current state as per the standard, which may be performed by authorised auditors referred to as payment card industry qualified security assessors. 

The implementation and maintenance of PCI-DSS in any organisation is critical to its long-term success and continuation.

It can lead to several benefits, including increased customer confidence and protection, and a reduction in fines, penalties, fraud losses, and legal costs and settlements, as well as in the impact on the organisation’s reputation.