The PCI Security Standards Council (PCI SSC) Security Summit of India, an online event, took place this week with more than 1,000 payment security practitioners from India discussing the latest in payment security and standards. Here we talk with Nitin Bhatnagar, Associate Director, India, PCI SSC; Rajesh Hariharan, Director, Information Security, Global Payments; Viswanath Krishnamurthy, Chief Risk Officer, National Payments Corporation of India; and Swati Sharma, FSI Compliance Specialist, Amazon Internet Service Provider Limited, about payment security trends, highlights from the Security Summit of India, and industry involvement opportunities for the region.
Why did the PCI SSC hold this Security Summit of India?
Nitin Bhatnagar: India is a very important market when it comes to payments and cybersecurity. The COVID-19 crisis has led to a rapid growth in the use of technology, e-commerce and mobile payment acceptance. This growth has not gone unnoticed by cyber criminals who continue to make India a top target of their criminal activities. The PCI SSC held a major in-person event for payment stakeholders in Mumbai in 2019 and did an online event in 2020. This year we hosted a security summit that was once again virtual and included discussions on a range of important payment security topics with key Indian payment stakeholders including Global Payments, the National Payments Corporation of India, and Amazon Internet Service Provider Limited.
At the summit you provided an update on PCI Standards and Programs. What do you see as some of the most relevant initiatives for India right now?
Nitin Bhatnagar: The global pandemic has profoundly changed the way we live, work and pay for products and services. For our industry in India and around the region, issues such as new and emerging threats, working remotely, remote assessments, and terminal cleanliness have presented challenging issues for payment stakeholders. The PCI SSC took the lead early in the pandemic to address the many requests for guidance and direction by getting information on many of those topics out to our industry. Much of the discussion at our summit was around where we have been, where we currently are, and where we are headed when dealing with payment security.
The state of payment security during the COVID-19 pandemic was a key theme in discussions at the Security Summit of India. How has the COVID pandemic impacted the payment security industry in India?
Swati Sharma: To call 2020 a challenging year would be a considerable understatement. The prolonged period of the pandemic has made a significant impact on our daily lives, creating a “new normal.” Access to mobile and better Internet connectivity has increased digital payments, including contactless payments. With payment organizations looking to bring new products and services to market quickly during this time, enable more personalized customer experiences, unlock better use of data, and combat fraud and cybercrime, while continuing to meet stringent security requirements, cloud computing provides a powerful platform for innovation. Cloud computing provides flexible services and tools to help businesses across the payment industry test new capabilities quickly, then scale them into production.
Viswanath Krishnamurthy: Pre-COVID seems like a long time ago, as the pandemic has dragged on longer than most people initially thought it would. Prior to COVID, cash was still a major player in payments and ATM withdrawals were very high. The industry volume distribution was almost at a 50:50 ratio between POS and e-commerce. Much of that has changed as e-commerce and mobile payments have accelerated in use due to the pandemic. That rapid change has created a host of security challenges for merchants in the online space.
Rajesh Hariharan: Security was already a big priority prior to COVID as attacks were on the rise in India even in 2019. With the introduction of payments on mobile devices, payment security has become even more challenging.
What are some common attacks you have seen during the pandemic?
Swati Sharma: Customer misconfiguration and implementation gaps for ‘security in the cloud’ controls have been the areas exploited. Entities may presume that when they move to the cloud they no longer have responsibility for security. That is not the case. One thing that is very important to understand when it comes to the cloud is that security and compliance are a shared responsibility between the CSP and the hosted entity, and the customer must understand clearly what they are responsible for. Customers must manage their own PCI DSS compliance certification, and additional testing will be required to verify that your environment satisfies all PCI DSS requirements. For the portion of the PCI cardholder data environment (CDE) that is deployed in AWS, your Qualified Security Assessor (QSA) can rely on the AWS Attestation of Compliance (AOC) without further testing for ‘security of the cloud’ controls for AWS’s PCI DSS scoped services.
Viswanath Krishnamurthy: We have seen a spike in social engineering attacks with an increase in phishing attempts. It is very important to be careful about what you click on, and also critical to train all your staff (and not just the risk team) to be on the look-out for potential phishing emails. We have also seen cybersecurity breaches increase significantly during this challenging time. Data breaches by cyber criminals as well as ransomware attacks are becoming increasingly popular with criminals as well.
Rajesh Hariharan: As times have changed, there are ever-increasing attacks on the web applications and the payment applications that support all these transactions. Magecart or online skimming attacks are not new, but they continue to plague the payment card industry. Phishing and ransomware attacks are of concern as well. Stolen credit cards are something we monitor as well. We have seen, and I myself have been a victim of, low-value transactions that are cleverly designed to go unnoticed.
You were a part of a panel of payment professionals sharing experiences and insights on the current state of payment security and the future of payment security. What were some of the key takeaways about the future of payment security in India?
Swati Sharma: We have seen people get more comfortable with digital channels including e-commerce and digital payments. We may see more innovations in this payment space. Scalability on the digital payment side will likely continue to be a priority. We will continue to add capabilities that provide our customers with additional ways to architect and run secure workloads on AWS, while maintaining their desired customizations and security postures. A key takeaway for me from our discussion is to use standards when implementing security.
Viswanath Krishnamurthy: There has been a dramatic increase in digital transactions that has significantly changed the way many people do business. We see more and more people working from home, which has created a new set of security challenges for many. Small transactions will continue to grow, as we will see fraudsters using themes around COVID such as Covid-relief, Covid-donations, Covid-oxygen/concentrators, etc., to perpetrate frauds & scams.
Rajesh Hariharan: I think a key takeaway is that security can no longer be an afterthought. The minute you launch a product or service, security has to be a priority. Embrace security from the very beginning.
In your role, a key focus is working to increase industry participation from Indian stakeholders in the PCI Security Standards Council. What are some of the key opportunities for involvement?
Nitin Bhatnagar: Our Participating Organizations (PO) program is a terrific starting point for organizations that want to be a part of the payment security community. Being a PO allows an organization to collaborate with others in the payment industry and have a voice in the development of our standards and programs. The heart of the PCI SSC mission is bringing together payment industry stakeholders to develop and drive implementation of data security standards and resources. For more information about becoming a PO, please visit:
The PCI SSC also recently launched a new Corporate Group Training opportunity that offers a great way to train your entire team at once on any of PCI SSC’s 15 existing standards and programs. Corporate Group Training offers organizations the ability to learn directly from PCI SSC trainers, exclusively with the peers in their company. Our trainers offer instruction with hands-on experience assessing merchants and/or service providers. We offer most of our courses (for qualification or information) in Corporate Group Training format. Currently, these are eLearning courses organized as remote, instructor-led sessions tailored to fit your organization. When it is permissible, our trainers will come to you and deliver the classes at your facility. We have found that Corporate Group Training offers all the benefits of a typical class, and we can tailor the course to be convenient for your organization in whatever format works best for your needs. For more information on this exciting new program, please visit: