PCI Compliance in INDIA

Globally, PCI seems to be driving many consumer-centric enterprises to increase their focus on enterprise-wide security. Much-publicized cases like TJ Maxx and Hannaford have been the driving forces, proving the reality of the threat. However, India seems to be somewhat aloof towards this wave. This blog is a brief look at the enterprises which need to be PCI compliant and their status.

Three classes of enterprises fall under PCI, viz. merchants (retail, hotels etc.), service providers (payment gateways, BPOs) and software vendors (payment applications, CRM, BI applications). Service providers seem to be well ahead in this game in India because they largely cater to US customers and awareness is high. The other two lag behind in the race, although there is a critical need for them to comply.

There is an unprecedented retail boom underway and many big names have jumped into the fray. However, many haven't considered PCI or, in some cases, even basic security measures. Lack of awareness seems to be the underlying factor for this. One of the retail biggies we were speaking to didn't understand how PCI is applicable to them. Their excuse was that since the card reading machines are provided by banks, the banks should be the ones responsible for PCI compliance. While the PIN devices and POS are indeed taken care of by the providers, the fact that all the retail companies also swipe the cards into their own computers as a reference makes every retail company responsible for handling and managing that data. Many large retail chains also have sophisticated business intelligence and information processing centers which need to be well protected from credit and debit card fraud.

While service providers are ahead in this game from a network security and process aspect, they seem to be lagging in the software security side of compliance. The good thing is, they are aware of the gap and are taking the necessary steps to cover the holes.

That leaves us with software vendors. Again, customer push seems to be the factor for some software vendors going for PCI compliance. However, there are large sections of the software industry that are unaware of this compliance. PCI seems to be the only compliance which puts so much importance on software, and rightfully so. Protection of data at source along with perimeter security is the right approach when it comes to critical data like credit card and debit card data.

Comments

  • 7/10/2008 8:49 PM sureshl wrote:
    Pl. subscribe the blog
  • 7/11/2008 10:04 AM manjula wrote:
    @Suresh. Thanks. We will add you to the subscription list.
  • 10/9/2008 9:47 PM Maneesh wrote:
    There is no denying the fact that security is paramount when credit card information is processed. But I am concerned by the way it’s adopted. Why did it take the credit card industry so many years to come up with this, and why did they not think about security from the very beginning? Security being an afterthought is one common reason we hear in general, but certainly these groups should not be put in the category.

    One reason I see is this: if they had mandated such stringent requirements from the start then this would have impacted the adoption of credit cards itself badly, which they didn’t want. Now they have put users and retailers in a situation where they don’t have a choice but to adhere to new regulations, and in this case it’s the retailers and others who are feeling the brunt.
  • 5/29/2009 9:14 AM pci compliance wrote:
    This information is very helpful. It really helps me understand more about PCI. Keep posting. Will certainly try doing that myself. Your post/article really helped. Thanks a lot.
  • 6/4/2009 7:51 AM pci wrote:
    Looking forward to it.
  • 3/10/2010 1:30 PM financial metrics wrote:
    That is really a very good article. I am glad to know. Thanks!