PCI DSS stands for Payment Card Industry Data Security Standard. In very simple terms, it is an information security standard against which organizations that handle the branded credit cards of prominent card schemes like Visa and Mastercard are measured. Administered by the Payment Card Industry Security Standards Council, it is a mandatory standard applied by all card brands.
But why? PCI DSS is an essential requirement for any eCommerce business that accepts payments from credit and debit cards. The main reason, of course, is that the cards carry sensitive details about the customer. With an ever-increasing number of payment card frauds, customers are particularly interested in the level of security offered by any website that asks for their card details.
Recent years have seen an abundance of truly alarming cases of payment card fraud. In 2012, payment card data accounted for 48% of all reported data breaches. In 2013, Target was afflicted with a data breach that exposed the credit card details of millions of people. According to court documents, at least 42 million people had their credit/debit card information stolen. The breach ultimately cost Target a reported $162 million.
The most frequently targeted industries for such data breaches include retail, food and beverage, hospitality, and financial services. Even non-profit organizations have not been spared, accounting for at least 3% of breaches reported worldwide.
While the causes of many infamous data breaches have been described as both complicated and sophisticated, most of them are actually the result of inadequate security measures taken to protect payment card information. With the increasing frequency of payment card fraud cases and the rising demand to better protect customers' private information, an inadequate security system can prove detrimental to the profitability of a business. One survey conducted in the U.S. revealed that two-thirds of adults would not continue to patronize a business upon learning of any security breach.
Hence, payment card details ought to be handled with the best available security at all times. The main focus of the PCI DSS is to minimize the risk of credit/debit card data loss. It sets out ways of detecting, preventing, and otherwise responding to a data security breach.
The PCI DSS contains 6 different control objectives that branch out into 12 compliance requirements. The control objectives are:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
PCI DSS is not a standard that needs to be satisfied only once. It is an ongoing process in which strict guidelines have to be adhered to every year. Compliance must be validated by passing various security scans and audits, which occur quarterly and annually, to ensure that security controls remain current and effective.
In Sri Lanka, businesses are very much focused on their physical protection, but not so much on cybersecurity. A cybercriminal, after all, could not care less about which part of the world the target is in, so long as the funds are ripe for the taking. What's more, failure to meet the PCI DSS internally will compromise Sri Lanka's chances of thriving in various international markets. That would mean a huge miss for the economy.
Genie was the first Sri Lankan mobile payment application to be PCI DSS v3.2 certified, thereby setting the benchmark for the security systems of all other local payment networks. Genie transforms a conventional wallet into a truly digital wallet that securely holds credit and debit cards, current and savings accounts (CASA) and an eZ Cash account on the mobile phone. Fully certified by the globally recognised PCI Data Security Standards body, Genie brings Sri Lankan consumers and merchants a secure, convenient and rapid transaction platform that is set to revolutionise Sri Lanka's digital payments landscape.
Adopting PCI DSS is crucial for business entities in Sri Lanka to bring their customer data security systems up to an international standard. In doing so, they stand to make significant gains, both socially and financially.