Associate Regional Director for India, Nitin Bhatnagar, provides an update on PCI SSC efforts in the region ahead of the first-ever PCI India Forum, taking place on 13 March in Delhi.
How are things progressing in India since you took on your post in October 2018?
Nitin Bhatnagar: It has been close to five months since I took on this post with PCI SSC, and I’ve been extremely pleased with the traction we are already making in the region. We have growing support from all industry verticals in driving awareness and adoption of the PCI Security Standards and securing payment data within India. A few quick highlights are below:
- Growing involvement in PCI SSC with several new Participating Organizations in India and more in the process of joining.
- Representation for India on the 2019-2020 PCI SSC Board of Advisors with NPCI.
- Great response to the first-ever PCI India Forum happening later this month, with more than 400 registered attendees, great support from our sponsors and participation in the vendor showcase. We also have an excellent line-up of industry speakers.
- Educational opportunities with the financial sector and government, including PCI SSC participation in a Reserve Bank Information Technology Private Limited (ReBIT) webinar on PCI Security Standards for Indian banks.
PCI SSC published new Software Security Standards in January and has announced that efforts are underway to develop a standard for contactless payments on commercial off-the-shelf (COTS) devices. How do you see these benefiting the Indian payment card industry?
Nitin Bhatnagar: There have been key discussion points within the industry in the past few months which largely revolve around rapid digital transformation needing security built in, not bolted on; practical DevSecOps challenges; innovations happening around development of new software that supports or facilitates payment transactions, etc. The new PCI Software Security Standards provide software developers with requirements for the secure design and development of modern payment software by embedding security in every part of the development process. The standards provide a dynamic way for developers to demonstrate their software protects payment data and will help in providing a broader range of more secure payment software for merchants.
There is a strong push for digital payments in India, and as part of this, banks are being urged to increase the issuance of near field communication- (NFC-) enabled cards to boost their usage in payments. But data security is a critical factor for driving adoption. Having a PCI Standard in this area will help boost the confidence in the payment ecosystem for increased adoption of contactless payments in India.
PCI SSC also recently published new Special Interest Group (SIG) guidance on maintaining security and PCI DSS compliance, which is a challenge for organizations globally. Is this an issue for organizations in India? How is it being addressed?
Nitin Bhatnagar: Yes, this is an issue faced by many organizations in India. Common challenges faced by Qualified Security Assessors (QSAs) when working with merchants and service providers in India are lack of resources to manage compliance projects; delay in renewal of compliance; assuming practice from previous years can simply be repeated for compliance; obtaining timely budget approvals; over-confidence in their own practices; and, last but not least, lack of leadership commitment. The guidance document on maintaining security and PCI DSS compliance will be an eye opener for many organizations in India and an important resource for helping companies incorporate continuous security and compliance practices into their culture and daily operational activities.
PCI SSC is hosting Internal Security Assessor (ISA) Training in advance of the India Forum. How do you see ISA training helping Indian organizations specifically?
Nitin Bhatnagar: We have seen good registration numbers as expected for ISA training. ISA training will help organizations in India gain expertise on assessing adherence to PCI DSS and improve their interactions with QSAs.
What are some of the key issues and topics that will be addressed at the PCI India Forum?
Nitin Bhatnagar: There will be some fantastic discussion around lessons learned from data breaches, as well as PCI DSS implementation case studies and panel sessions on the future of digital payments and the role of data security standards in establishing India as a cashless society. We will be educating attendees on the role of PCI SSC, collecting feedback, and explaining how getting involved with PCI SSC will have an impact on PCI Standards.