PCI Standards for India’s Emerging
Digital Payment Modes
The “Digital India” initiative launched in 2015 and “Demonetization campaign” in November
2016 by the Government of India has provided the major boost to the country’s digital
ecosystem. Along with initiatives such as “DigiShala”, the government has aimed at building
an ecosystem for entailing ‘cashless economy’ in the country. Other initiatives such as the
National Optical Fibre Network (NFON) and Introduction of Unified Payments Interface
(UPI), Bharat Interface for Money (BHIM – internet based mobile application) can help
support in faster adoption and transition to digital payments.
In fact, India’s digital payment industry, currently worth around USD 200 Billion, is expected
to grow five-fold to reach USD 1 Trillion by 2023, as per a report by Swiss financial services
holding company, Credit Suisse. The global digital payment market is expected to reach
USD 21 Trillion by 2020. With the increase in the digital payments ratio, cybersecurity is one
of the most critical challenges faced by stakeholders of the digital payment ecosystem. This
has ultimately opened up more opportunities for cyber pickpockets to try and steal card
details, PINs, mobile wallets and siphon off money. Cybersecurity is one of the most critical
challenges faced by stakeholders of the digital payment ecosystem. With more and more
users preferring digital payments, the chances of being exposed to cybersecurity risks such
as online fraud, information theft, and malware attacks are also increasing.
Emerging Mode of Digital Payments in India
One of the biggest changes that the payments industry has seen recently is in terms of the
various modes of payments. Hand held devices have outgrown all other channels due to
ease of making transactions and the accessibility that they provide in terms of convenience.
The government and the banks have undertaken multiple initiatives to promote the usage of
digital payments in urban locations and to accelerate penetration into the hinterlands of the
country and develop trust the among first-time users. The push from the government also
spurred interest from fintech companies who had the technology but were missing the
momentum. With the collective efforts of the RBI, NPCI and the government, a robust
backbone for digital payments in India has been created by systems such as Unified
Payments Interface (UPI), Bharat Interface for Money (BHIM), BHIM Aadhaar, Bharat Bill
Payment System (BBPS), etc.
The following are the major digital payment modes that are in trend for today in India:
1. Card Payments – The major payment brands like Mastercard, VISA, AMEX, JCB,
Discover, etc.
2. UPI (United Payment Interface) applications like BHIM.
3. Wallet applications like Paytm, Freecharge, Phonepe.
4. AEPS (Aadhar Enabled Payment System).
5. Mobile Banking.
Cybersecurity for Digital Payments
To ensure that sensitive data is not compromised in any way while people use different
digital payment modes, robust security across devices is absolutely necessary.
With context to the card data, we have PCI DSS (Payment Card Industry Data Security
Standards) which are a set of stringent guidelines to ensure a secure environment for
storing, processing or transmitting card holder data.
Wallet applications adhere to PPI (Prepaid Payment- Instruments) guidelines provided by
RBI (Reserve bank of India) in the article RBI/DPSS/2017-18/58, Master Direction
DPSS.CO.PD.No.1164/02.14.006/2017-18.
UPI enabled payment services follow the guidelines formulated by NPCI in the circular
NPCI /UPI/OC No. 15B/2017-18.
Below is a screenshot of the Payment page showcasing the different payment options:
If we take a close view to the above screenshot, we will realize that there are different sets
of guidelines being followed for the different payment modes. Although the ultimate motive
to ensure payment data remains secure is the same.
In this scenario, single organization is undergoing multiple audits for the same set of servers
and set-up. This result in Audit fatigue that makes organizations lose focus on security and
just check the box.
Although RBI, as the regulator has taken great initiatives in securing digital payments and
issued the set of guidelines on some payment modes like UPI and PPI, the challenge
underlying lies if they are a set of guidelines that can be used as auditable controls
For an instance, as per RBI guidelines “Testing of vulnerabilities” is required at “reasonable”
amount of time.
Here the word “reasonable” is generic and is differently interpreted by different set of
people. On the other hand, we have same requirement for performing vulnerability
assessment explained in PCI DSS as:
• One has to perform Internal and External vulnerability scan on all critical systems on
quarterly basis
• Internal and External vulnerability scans are to be conducted if there are any major
changes in the network.
• Scans are to be repeated until all the vulnerabilities are mitigated.
Tailoring of PCI DSS standards to other Payment Forms
The PCI DSS standard contains 12 detailed requirements across six security areas. But
among all the requirements, only requirement 3 and 4 talks about card data, rest of the
standard focuses on protection of the payment environment where card data is dealt with. It
ranges from secure firewall configuration to, log monitoring and anti–virus to hardening of
systems.
Requirements 3 and 4 are designed to secure Identification and authentication data for card
payments during storage and transmission, while the same set of controls can be used to
secure the Identification and authentication data for other modes of digital payments.
The organizations that are already PCI compliant can extend the scope of assessment to all
other payment modes and not limit the PCI assessment scope to only card payments.
This idea justifies being a solution for organizations that are suffering from audit fatigue. In
terms of business, its more economic as it saves time, money, resources and valuable
efforts put in multiple audits for a single organization.
From a technical aspect, it ensures better payment data security because you have got one
set of prescriptive controls that leads to standardization.
SISA that has pioneered in payment security over the last decade has been actively
engaging with the community to recognize the requirement and demand for adoption of a
single framework of PCI DSS standards across all digital payment channels. The need of a
uniform security standard has been experienced from a series of its numerous client
encounters that SISA has come across.
And with this SISA anticipates lesser ambiguity and better security with all the emerging
digital payment forms in India.
Resources followed for the article:
https://economictimes.indiatimes.com/tech/internet/as-india-braces-for-digital-paymentsfuture-how-secure-are-banks-from-cyberattacks/articleshow/56073576.cms
https://www.dsci.in/content/securing-india%E2%80%99s-digital-payment-frontiers
About the Author:
Dharshan Shanthamurthy is the Founder & CEO of SISA (www.sisainfosec.com), a global
cyber security company that specializes in payment data security. Dharshan was the first
PCI QSA recognized by the PCI Council in India. He is a leading payment forensic
investigator for PCI Council and has led many payment forensic investigations of strategic
importance. Dharshan was assisted by Ms. Ankita Patel from SISA for authoring this
document.
Source: https://www.sisainfosec.com/blogs/pci-standards-for-india-emerging-digitalpayment-modes/