Welcome to our Podcast series, Coffee with the Council. I am Nitin Bhatnagar, Regional Director of India and South Asia for the PCI Security Standards Council. India's digital payment market is expected to grow by $10 trillion by 2026. In a span of just six years, India, primarily a cash-based economy, now leads the world in real time digital payments, accounting for almost 40% of all such transactions. The mass adoption of UPI and cardless payments during the COVID-19 pandemic has extended far beyond the urban, to even rural India, an effect that left the experts in amazement.
This rapid expansion of the digital payments systems is happening at a time when cybersecurity threats to payment systems are increasing globally. With organized criminal syndicates committing cybercrimes, India is not immune from these threats. The threat landscape in cybersecurity is constantly evolving and, with the rise of new technologies, it becomes even more challenging for organizations to secure their assets.
We are already witnessing greater involvement from India and South Asia with having stakeholders coming forward and joining us as an Associate Participating Organization (APO). And, more importantly, on our 2023-2025 Board of Advisors, we have three leading organizations from this region, which is NPCI, HDFC Bank and NEPS, which is Nepal Electronic Payment Systems, joining the global Board of Advisors that shows the commitment from the region to improve the payment security, just not regionally, but globally.
Today I would like to welcome two prominent leaders from the payment industry. And they are none other than Ms. Anuprita Daga, CISO, YES BANK and Mr. A V S Prabhakar, Chief Risk and Compliance Officer from Zeta.
Both YES BANK and Zeta are Associate Participating Organizations of PCI SSC. We'll be talking about their experience as Associate Participating Organizations as well. Now, without any further delay, let's welcome both of our speakers to our podcast series, Coffee with the Council.
A V S Prabhakar: Thank you, Nitin.
Nitin Bhatnagar: Anuprita and Mr. Prabhakar, based on your experience, working with a large private sector bank and a leading Fintech in the country, what are the latest trends, the threat landscape, and challenges that you're currently witnessing within the payment industry?
Anuprita Daga: Thanks, Nitin, for inviting us for this podcast, and I'm sure we'll be able to share our views and take away some lessons from this podcast. So, as you mentioned, in the last three years, the payment ecosystem has evolved so much. For the international payments we used to have, in particular a paper-based process, or even for an account opening, we used to have a paper-based process.
The pandemic has given us a lot of downsides, but it has also helped us to come out with a lot of innovative payment channels, I mean new payment channels. Five years back, UPI was a very rarely used payment interface. But today, you see, even non-literate people are using the payment ecosystem and UPI QR code-based payments.
Earlier digital banking was the affair of the literate people, or white-collar people. Today, payment ecosystems have become even the basic necessity of blue-collar people. If you must travel somewhere, you don't have to carry cash. And if you see the young generation, their adoption of these new innovative payment channels has become so easy, you don't need to have internet banking. You don't need to have a password.
There are flip sides to it also, but every coin has its own two sides: the benefits and the risk. So, we can't avoid the risk and we need to leverage the benefits of it. As you see, the start of our Fintech ecosystem, the market, has evolved so much that now there is quite a bit of partner banking which has started in the ecosystem, for example. Ecommerce sites are providing that payment ecosystem.
So, I think these are the trends which have evolved and the whole ecosystem evolution is very, very important. And, in those cases, you need to have a very agile way of handling the risk. And obviously, global standards like PCI standards and the expansion of PCI standards to other ecosystems, also helps us to take the global guidelines and adopt that into this, so that everybody is not reinventing the wheel. But we are taking those lessons, which are globally learned from someone, and then that is what we are standardizing.
Nitin Bhatnagar: Thank you, Anuprita. I think that makes lot of sense. Mr. Prabhakar, what would be your take on this particular aspect?
A V S Prabhakar: Thank you, Nitin. At Zeta, we're actually a technology service provider. We are not a Fintech by ourselves. As a technology service provider, we offer our platform to the banks, and we enable Fintechs. And, we have a strong issuing platform on which the banks and Fintechs leverage, and they can issue their cards and services. That's what Zeta is. We're not a direct Fintech company. We're a third-party payment processor and a new technology service provider.
And coming back to the trends that you see in India; UPI revolutionised the entire payment ecosystem. And, as Anuprita said, there are a lot of partner ecosystems and the partner ecosystem is also involved in large scale, payment activities. And slowly, the form factors are changing. And mobile is also coming in a big way. So mobile payments are really picking up and a physical card, per se, probably slowly may go away. I don't know. It is my prediction. But mobile is taking over the physical card because of the UPI, with the scan of the QR code payments. And, with a lot of these changes that are happening, a lot of Fintechs are also enabled to be technology service providers and they're also partnering with the banks for various delivery channels of the payment.
And it also brings its own set of challenges and threats from a data security standpoint, fraud perspective, supply chain risks or card data or account information perspective. Mobile applications security also plays a very, very important role. And controls on the Runtime Application Self-Protection (RASP) side and all are very, very important.
Nitin Bhatnagar: Thanks, Mr. Prabhakar. I think being a technology solution provider, Zeta's playing a great role in the payment ecosystem. I think the next question, is also for Mr. Prabhakar. I think in a new world that is redressing an exponential rise in digital transactions, it is necessary to protect the payment information in a secure, cost-effective manner which you touched upon, in fact. So, how do you look at organization technology in the current scenario as a new norm?
A V S Prabhakar: Yeah, tokenization is again, another step in the protection direction so that what happens with the token, the card data is pseudonymized or equivalent, and random strings of characters are generated. And they will be in transit and the proliferation of data everywhere is completely reduced.
Now, de-tokenization is happening at very few places, like at the interchange level or at the issuer bank level, and the remaining ecosystem has only the tokens, and they're not of much use from an account information and card data perspective, even though they're leaked. That is one.
And certainly, it is also reducing the friction, and faster checkouts is a huge advantage because of the tokenization. And another important thing is the agility, the logic, so that you can have multiple cards and multiple tokens with the multiple merchants, even for recurring payments also. The tokens can be called frequently, and you have standing instructions on recurring payments. So, user-friendliness and usable security, if you are looking at it that way, definitely has increased. The tokenization has increased the safety, security, and the usability and to be more customer friendly.
Nitin Bhatnagar: Fantastic. I think that makes a lot of sense, Mr. Prabhakar. Moving onto my next question, the proliferation of connected devices on the Internet of Things, further amplifies the cybersecurity challenges. There will be an estimate of around 14.4 billion IoT devices in use in India by the end of 2023. So, the attack surface for the cyber criminals also expands significantly. While on the other side, India is expected to face a shortness of around three million cybersecurity professionals by the end of 2023. So, Anuprita, how do you see overcoming this challenge - one is the overcoming of the shortage of skilled professionals and two, industry adopting data security standards to protect payment data with the increase in cyber-attacks that are growing in complexity, and thee, the proliferation of the IoT devices?
Anuprita Daga: I think there are multiple questions in one question, right? So, let me handle these one by one. So, skilled resources, honestly, the pull is going to be equal, right? While there's going to be a demand on the technology side, there's going to be a demand on the cybersecurity side. And cybersecurity and technology, these must go together, right?
Now, if you think of data protection or a data security standard, you need to look at this problem in two ways: one, is it only technology? We're sure it is a business issue, as well as technology.
If we understand the data security standard from a business context perspective and then apply a technology standard, then you'll definitely need to have a very hybrid team of understanding the business and understanding the technology. Can you find both the skills in one person? It's very, very rare to find that and we can't go on a quest or solution basis.
The second thing is on the technology side also, there's so much automation happening, that we need to have a lot of teams who are moving from the technology or some other verticals to the cybersecurity verticals because they also complement their hands-on experience on the cybersecurity side.
The third thing is that there is a need to have a very strong cybersecurity program at an academic level. In many organizations it has become a theoretical subject. How do we make it a practical subject? And how do we get the output of the academic who is competent enough to take up the role in cybersecurity? So, these are very, very innovative ways of increasing skilled professions.
Today, I think IoT devices are not nearly even touched upon. What I see is maybe - this is again a prediction - that with IoT devices, the security is at a very, very base level. The adoption is starting now. So, we need to start working on the standard from the IoT device perspective. We need to try and improve this and build the IoT ecosystem with a strong configuration.
Another thing that can help is to renew security by design. If you start the approach in the strategy of security by design from the base itself, we will have strong products or a strong process, strong technology solutions. So, the post factor work that we do today builds a strong ecosystem and reduces our work effort from a day-to-day operations perspective.
Nitin Bhatnagar: Thanks, Anuprita, you well-articulated the entire portion. My next question is going to be on the same topic. Artificial intelligence is also becoming increasingly important in the world of cybersecurity. And companies now can utilize AI to improve threat detection and safeguard their systems and data. However, cyber criminals can also employ the technology to carry out more advanced attacks. What are your thoughts around the same and the areas that the PCI Security Standards Council should focus on to improve payment security? Anuprita, I will start with you and then we can have Mr. Prabhakar answer.
Anuprita Daga: So today what you see in the payment ecosystem is that there are clear attacks on the organization, right? Now, attackers know that the organization has become very strong. The security perimeters, antivirus, ransomware, these are very, very old techniques. And as you see, the attack victim has changed to the consumer side.
Now, coming back to the artificial intelligence side, the consumer is moving from white-collar to blue-collar. And for this blue-collar consumer, you cannot shift the responsibility onto the consumer saying, "Okay, you have not followed the rules." Because they do not understand the rules.
When the customer is accessing the data, in the background, we need to use interactive shared intelligent based systems to understand if there is any potential fraud which is happening. Is there a customer credential compromise? And these are very easy things to find out. Let's say if I use one of my devices to do the transaction and if somebody else is using it, there is authentication information available. But can people do an artificial rule in that case to find out a behavior pattern? And find out if this is the potential fraud that may be happening and catch onto that.
At the same time, on the cybersecurity side, if I go in the background and monitor it, artificial intelligence is going to be very, very important because there is an ocean of information that we have, and again, in my answer to your professional skills requirement, we can't increase the professional deployment to handle the same problem. So, we need to find out the smarter way.
Nitin Bhatnagar: Makes sense, Anuprita. Let's see now what Mr. Prabhakar has to align on this topic?
A V S Prabhakar: Well, machine learning, Artificial intelligence, large language models, and how they're coming into play and already there are a lot of technology vendors using these latest algorithms and LLMs. The benefits of what it will do is that from the threat intelligence perspective, it will give you very curated and specific context, specific to your organization. It can be specific to your environment.
So that is the sophistication we will get if we train the models well, if we use the technology well. Also there will be a faster attack response. There is another benefit we can derive from any of these new age technologies with a deluge of data and these models are trained using that data. So all these transformer models and LLMs will help you to pinpoint the problem quicker and to contain the problem much quicker than what we are doing manually.
Similarly, now you would have seen the way the antivirus has progressed. Now, we are talking about XDR. The kind of information the organization is producing makes it really humongous. So now correlating and finding out is very, very difficult with the earlier solutions and the technology, whatever they have.
With the advent of AI and machine-learning and neural networks, machines are capable of finding out and doing correlations quickly and give you the insight from a detection perspective. And based on that experience, we can move to proactive measures and preventive measures, also. Most of these are new SOC platforms, and they're also using these technologies for threat protection, security orchestration automation and response purposes and all.
And similarly, even for transaction monitoring we can use a lot of these technologies, so that any anomaly, any behavioral pattern change, will tell us immediately there is a possible event of fraud, and the fraud detection can be aligned for stages of the fraud happening and the system doing fraud. There is a thin line of difference between these two. But these things can be caught at a very early stage of that cycle itself, so that you can mitigate a lot of your losses. Similarly, you have biometric authentication, making a lot of these KYCs and image processing. A lot of technologies are helpful in reducing your KYC frauds, reducing your payment frauds, and circumventing your business logic.
So, there are a lot of advantages to using these technologies, but again, protecting these technologies and these solutions is very, very, very critical. Because these technologies want the deluge of the data, protecting the data and restricting the access to that particular data and curating and trialing these solutions and effectively implementing these solutions, that is the key to derive the full benefit from that security, especially payment security or fraud detection or transaction monitoring.
For all these things it's very, very, very critical to implement these technologies to a context event, if that's the word I can use. So, we will implement them with the context in the background and ensure that this context aware technology deployment and the solution deployment is very, very, very critical.
Nitin Bhatnagar: Mr. Prabhakar, I think you rightly said this is evolving, and I think we'll see a lot more things coming. I think this feedback, Anuprita and Mr. Prabhakar, that you have given to us, I think is going to let us decide on what should be done to make the payments more secure.
So, as we move towards the end of this podcast, I have two final questions. I would love to hear about your experience since you have joined as an Associate Participating Organization. How has your journey been and what kind of experience have you had that you want to share with the stakeholders who are still deciding to join us?
Anuprita Daga: Earlier, we used to think that connecting with PCI SSC and your organizations took time. But our organization is very, very difficult, honestly. And we always thought this is like a mask, we can't risk it, so let's not try it. But after we met and we approached you and then we joined, I feel that we are a part of that ecosystem. Connecting with people is very beneficial. Until now, we were using the standard like a book which has been typed and then we just use it.
But today, we feel like we have become part of an ecosystem. I think a lot of information I'm getting here is the thought behind understanding the standard and the objective of the standard and implementing that standard. My whole way of looking at PCI standards has completely changed.
So, thank you so, so much for connecting with us and approaching us to become a part of PCI SSC culture and we are really happy. That is one of the best decisions that we have made to be a Participating Organization.
A V S Prabhakar: My association with the PCI standards is quite old, I think more than two decades. And I've been working with PCI DSS since probably version 1.0 or even I don't know whether 0.1 was there, but, such an old interaction, probably we're the first to get certified to PCI DSS during those days. I think it was during 2007 I went to PCI DSS certification for my earlier organization where I was working.
So, my interest in the PCI DSS has been fascinating and really fantastic. And I even work with standards like PABP. We used to call it the payment application best practices, which were given by Visa or MasterCard at that time.
I worked with those standards. Afterwards PA DSS and PCI DSS came with multiple versions and the PCI DSS seemed right from 1.0 to today, where we are on 4.0. And also when I was with PCI3DS previously, I worked with PCI PIN, ATM and POS. And there are many PCI standards that we’ve been working with, and so we became a Participating Organization.
So, as a Participating Organization, with the PCI SSC, my association is more than four or five years long. And I've been participating in SIG. I'm part of that SIG on the segmentation and I’ve been part of it a couple of times. I’ve also given some suggestions on the standards and on auditing whenever it was sought.
That is one encouraging thing, and another important thing is the PCI DSS, the standards, they're really helping the implementing organizations and the auditing organizations so that we get a lot of benefit. They're giving less subjectivity. So, there's not much scope for wrong interpretations. In that way, PCI standards are also payment industry and payment card data protection specific, either from an application security perspective too, on some technology service provider or processor perspective or from a merchant perspective, too. And on top of it, now with the advent of PCI Secure Software Standard, which is of course, part of Software Security Framework. PCI SSF has two parts: one is the Secure SLC Standard, and one is the Secure Software Standard.
I think the SSF may be a little open, beyond payment solution providers, if my understanding is right, so that you can be an associate player and you can be certified or you can be SLC. What it means is that you are, or your products are going through, Secure SLC processes and security or privacy by design processes. So that still you can be the SLC vendor, but PCI SSC is still for the payment card industry.
My association is really very enriching. I learn quite a lot. I very closely follow PCI SSC, and because my association is more than two decades long, I have seen the evolution of PCI SSC as an organization, where it was in 2006 to '07, to where it is today. And very dynamically, they're releasing a lot of standards to help the industry as a whole either a PCI system standards, and the PIN standards, or PCI Security Standards, or the Card Production vendor standards.
But they have a lot of standards and best practices, so we can pick up and implement them as an authority. So that I have this former reference to tell you how you improved. How did you think that this is a best practice? To have a strong, solid, accepted reference, and I can go back and tell it is referred in PCI DSS, and the standard is available as part of a PCI assessment.
So that's a benefit I'm truly really enjoying, and I ensure that my team also goes through all these standards. And we're also getting benefits out of the PCI Participating Organization program, Global Content Library access, or reduced prices for training like the internal QSA program.
And where I was before, we used to list our applications also, and let's say this job validated applications. So, there is also a lot of visibility to our customer community. PCI SSC is very, very enriching, and truly we are relishing that relationship.
Nitin Bhatnagar: Thanks, Mr. Prabhakar. I think you just made one point about that SIG. I think SIGs are community-driven initiatives that play a very pivotal role in the development of the resources of the payment industry. And I think that's what you're talking about - you joined the SIG on Scoping and Segmentation for Modern Networking Architecture. This is just one of the many benefits, and this gives you access to a lot of things within the Council. PCI Security Standards Council today has 15 data security standards. You have seen, in the past decades when we started with PCI DSS version 1.0, and then we have gone to 15 data security standards altogether.
So, it's been quite a journey and I think the stakeholders' support, your support, and everyone from the industry who has been contributing to the development of the standards, is actually playing a very crucial role. And I think joining us as an APO gives you access to all those repositories, all those benefits, that both of our panelists just highlighted. Finally, since we are on Coffee with the Council, I would just like to ask our guests how they take their coffee. Or, if you're not a coffee drinker, what do you prefer instead?
A V S Prabhakar: Now, Nitin, are you asking me?
Nitin Bhatnagar: Mr. Prabhakar, you can go. That should not be a problem.
A V S Prabhakar: No, no. I am asking because it is the wrong question to ask a person from the southern part of India, because we start our day with coffee!
Nitin Bhatnagar: That's a good answer to my question.
A V S Prabhakar: Yes, and also the kind of coffee we take is like a thermos of filtered coffee though, am I right? A South Indian filtered coffee is always everyone even the smell makes a lot of difference, even need not drink.
Nitin Bhatnagar: How about Anuprita?
Anuprita Daga: So, honestly it depends, Nitin, what kind of coffee are you going to offer me? If you offer me Starbucks, definitely I'll be happy to go ahead with it. But I'm definitely a tea person, and Masala tea which is the perfect, you know, tasting of India and Mumbai. I would really like to go with Masala Tea but depends on what you offer.
Nitin Bhatnagar: Definitely. I'm also a coffee lover, and I love cappuccino. And, you know, probably if we're going to Starbucks, I'm going to offer you a cappuccino, for sure. And yes, by the way, I'm also a fan of filtered coffee. Whenever I'm in Bangalore or in Chennai, in India, I used to go for filtered coffee. I really don't want to go to Starbucks or something like that. But I have heard that the coffee chains have also started offering different coffees in the southern part of India. So, definitely my coffee preference has always been cappuccino. So, we'll have cappuccino whenever we meet next.
Thank you very much. I just want to have a brief crux to what we discussed, and I think what we analyzed is that cashless societies seem to be fast approaching in the country and that's good news for India and South Asia. And the road to stronger payment security involves global collaboration. Organizations should start prioritizing data security as an important element in their day-to-day business activities. Investing in cybersecurity and prioritizing their investment is equally important. Getting employees trained and improving cyber-hygiene will help organizations take steps in the right direction. Becoming a PCI Associate Participating Organization can help better protect your organization from cybercrime by being part of the community of payment professionals. This makes it a cost-effective way to invest in cybersecurity. Thank you for joining me on Coffee with Council, today.
Anuprita Daga: Thank you so much, Nitin. And thank you so much, Mr. Prabhakar. I think I really learned a lot from you.
A V S Prabhakar: Well, thank you. Thank you, Anuprita, for your time. Thank you, Nitin, and I want to tell the PCI SSC team thanks for coordinating this podcast and for inviting me. Thank you, thank you, everybody.
Anuprita Daga: Yes, thank you PCI SSC team. Thank you.
Like what you’ve heard? Subscribe to PCI SSC’s “Coffee with the Council” podcast by visiting any of the following platforms: Apple Podcasts, Spotify, Amazon Music, Anchor, Castbox, Google Podcasts, iHeartRadio, Pocket Casts, RadioPublic, or Stitcher.