Importance of Getting ReCertified from PCIDSS v3.2!!!
In this 21st Century of globalization, world is coming closer and businesses are growing far beyond the geographies. Banking and financial sector is no exception to this. BFSI domain needs special attention as one must take utmost care in terms of customer data handling and data storage requirements. Every country has a governing bank identified as central bank or its equivalent. This body defines the rules of the game by way of dictating norms what is allowed and what is not allowed for banks to share or store data outside its premises, or outside the nation. This is also essential from the end customer perspective as to where and how their data is being handled. As the competition gets fierce banks need to find better ways of executing their projects and seldom have their own IT arm to support it. There comes the need to involve third party vendors. They provide, product, services, data handling and processing of information for banks. This increases the costs significantly. One way to tackle this aspect is to outsource it to a country where cost of execution is lesser. This is precisely the point where PCI DSS standard come in to picture. Banks will be confident to work with vendors who are PCI DSS complaint and know the information will be processed per governing rules.
PCI DSS – Payment Card Industry Data Security Standards is widely accepted standard for organizations that handle cardholder personal information. The Payment Card Industry Security Standards Council (PCI SSC) launched PCI DSS v1.0 in December 2004 to manage payment card industry security standards and to secure cardholder data. It is mandated by all card brands. Any bank, data processor or service provides who handles card holder data should be compliant to PCI DSS. Banks are comfortable working with such institutions who are compliant to the standard. To keep up with the changing pace of the data security standards which are updated on a regular basis, the PCI DSS certification needs to be renewed on an annual basis.
Let’s revise some crucial aspects of PCI DSS certification again: Why is PCI DSS so important? PCI-DSS compliance certification means that our systems secured and appropriate protection measures are in place from cardholder data perspective and to keep cyber-theft away. Cyber-attacks not just result in to potential loss of revenue, but it essentially breaks TRUST! that is built over the years between company and its customers. Also, it impacts company reputation, & its image in the market.
Recently there have been lots of virus attacks like ransomware, black router that can happen unexpectedly to any organization and may cause loss of important data, as we are responsible for client’s data we must adopt and comply with PCI DSS which is currently the best framework to overcome these issues and make a proper standard.
PCI-DSS for Verinite
Verinite Technologies Pvt. Ltd is providing support and services to the banking sector. While providing remote support and technical services Verinite’s employees may need to access cardholder data. Verinite provides a range of services like Project Management, Consulting, Third Party Application Support, Scheme Certification, Migration Reconciliation Expertise and Independent Testing Services for banking environment globally. As a custodian of third party information Verinite has a fundamental responsibility to protect and secure data it accesses. To fulfill the industry needs and client’s requirement Verinite defined their Information Security Management system (ISMS) that ensures the adheres to PCI DSS standards.
Verinite has been re-certified to the PCI DSS v3.2.
As a network administrator this means lot of checks and responsibility. We have to follow certain rules and regulation for PCI-DSS to safeguard the data that we have from any unauthorized attacks. From my daily activities I think following are some of the important points to be taken in to consideration from PCI DSS perspective.
- Firewall: Having a robust firewall is essential to protect data. Firewall is a major part of network system and it plays vital role in communicating with external and internal networks. Most of the times the hackers try to gain access through the vulnerabilities of firewall. It’s a part of my duty to ensure that firewall is secure and monitored on a daily basis.
- Unique Identity: Assign a unique ID to each authorized personnel who wants system access. Doing this helps us to track who is accessing & what is getting accessed at any point in time. So, we can always ensure that only authorized people are accessing systems & in a proper manner. Two-way authentication method is used, incorporating biometric control on entry and exit of the facility to ensure only authorized personnel are allowed inside the facility.
- Password policy: Care must be taken for passwords to be strong enough. Password should not be guessable by an individual or by any program in a reasonable amount of time. Hints for having a strong password – example it must be minimum of 8 characters long, combination of Upper Case, Lower Case and special characters, no repeating patter etc. Validation checks for active directory and password policy are very important.
- Antivirus Software: Make sure antivirus is installed in all the systems and most importantly it is kept up to date. Scheduling full and quick scans through server to scan all machines. The system applications & OS are also kept up to date and patches are applied regularly to make it secure.
- Encrypt transmission: The data transmission must be encrypted through internet, VPN. This allows us to securely communicate with others and keeps the eavesdroppers at bay, thus securing our channels of communication.
- Track and monitor access to the network resources: All logging attempts need to be detected including privileged or failed, change in login credential & history of deleted objects. This logging and monitoring helps minimize the risk to the data breach. These logs are monitored on a regular basis.
- Regular Checks: Run penetration tests to check vulnerabilities in internal and external networks. Checking all the systems including server, firewall, and machines in our network to ensure these are secured as per PCI DSS requirement.
Having implemented all the checks and incorporating best industry practices, we can ensure better conformance to the security standards. We keep updating our systems and policies to align with global standards on a regular basis. We also educate our associates & they too fully support by making security aspects an integral part of their daily activities.
If you would like to know more about Verinite services or about PCI DSS, please write to us at [email protected].