Nitin Bhatnagar talks about the next two decades of payment card data ecosystem presenting an opportunity for security in India
We're celebrating our 20th birthday this month, and we've invited industry experts, researchers and scientists to write in and paint a vision of the future, 20 years from now. Here's what Nitin Bhatnagar, Associate Director for PCI SSC, had to share about his vision of the future.
Incidents of data breaches and cyber-attacks are rising in India and around the world. With the increase in Covid-19 cases in India, the nation’s digital way of life has been changing, especially when considering contactless and digital payments. This digitalization is also turning India into an increasingly attractive target for cybercriminals, which requires constant vigilance from business leaders to safeguard their customers' payment card data and better protect their organizations from financial damage.
The current cybersecurity challenges in India
As India battles yet another wave of Covid-19, cybercriminals are doing their best to take advantage of the situation. The pandemic has given cybercriminals another avenue for phishing, malware, ransomware, and social engineering attacks: exploiting businesses’ COVID-19 response messaging to target remote workers is now a common tactic.
In fact, according to the 2021 Norton Cyber Safety Insights Report, nearly 120 million Indians experienced cybercrime between February 2020 – 2021. Moreover, approximately 1.3 billion working hours have been wasted in resolving issues caused by these attacks.
Not only are these attacks widespread, they can also be costly. According to recent reports published by Cybersecurity Ventures, cybercrime is expected to reach 6 trillion USD in damages in 2021, which makes it one of the greatest threats to economic success for businesses in almost every country in the world.
As such, there is a clear need for businesses to put the necessary procedures in place to help combat cybercrime and better protect their company from financial damage.
Where does the responsibility of security rest?
In the payment card data ecosystem, it is vital that the security of cardholder data remains a top priority for businesses and every possible step is taken to combat cybercrime. However, data security is often neglected as other issues are perceived to be more urgent, or more critical to the business.
In fact, an IBM report published last year indicates that data breaches cost organizations Rs 14 crore on an average and that these breaches have increased by 9.4% since 2019. It is therefore clear that this is a growing problem that needs to be addressed.
It takes 280 days to identify and contain a data breach. That is more than 9 months during which cybercriminals have unfettered access to compromised systems, which can have significant financial consequences for a business. To better combat cybercrime, businesses require the appropriate training to ensure that their staff are aware of the risks associated with cyber-attacks and the steps to take to better protect their business from security breaches.
The road ahead for payment card data security in the country
The future of the digital payments ecosystem looks bright, but the growth of digital payments must always correspond with an increased focus on security and ensuring these payments remain secure. Additionally, as technology evolves, so too must the security solutions that protect cardholder data that is used to make payments over an increasingly diverse range of channels. To help support this need, PCI develops security standards and guidance to help businesses make the most of these new technologies, such as their PCI Contactless Payments on COTS (CPoC) Solutions, which helps enable contactless payment acceptance using NFC technology, or their Point-to-Point Encryption (P2PE) Solutions. The ability to securely use the latest payments technology will be a key aspect in the road ahead for payment card data security in India.
As well as catering for the uptake of newer technologies, another one of the most anticipated developments in payment card data security is the introduction of PCI Data Security Standards (DSS) version 4.0 which aims to:
- Ensure that the security standards continue to meet the security needs of the payments industry,
- Add flexibility and support for additional methodologies to achieve security,
- Promote security as a continuous process and enhance validation methods and procedures.
The PCI DSS v4.0 is evolving to introduce greater flexibility to support organizations using a broad range of controls and methods to meet security objectives. The updated version addresses changes in technology, risk mitigation techniques, and the threat landscape. Furthermore, since the methods of making and taking payments are becoming more advanced, such as with contactless payments, security standards will be more focused on securing the software-enabled mobile payments infrastructure. PCI SSC continues to work on creating new and robust standards for the security of mobile and software-based payments. As these technologies evolve along with the developments in the areas of 5G and IoT, the industry will witness the council introducing new security standards and guidance resources to support secured payment acceptance in new and emerging card-routed payments channels.
For such monumental developments in the payments data security infrastructure, industry feedback is essential. For the past three years, PCI SSC has regularly spoken with the Reserve Bank of India (RBI) and other regulatory bodies, to work together in creating more awareness and education about security for payment card data. Furthermore, the feedback received from business and relevant stakeholders in India and around the world will continue to help the council evolve these security standards to better meet the needs of the industry.
With the rising cost and prevalence of cybercrime and the increasingly diverse array of techniques cybercriminals are exploiting, it is clear that cybersecurity is a business imperative and critical for ensuring resilience, not just in times of crisis, but in day-to-day operations. Businesses need to do their part and ensure their organization is taking every necessary step to help combat cybercrime.
-By Mr. Nitin Bhatnagar, Associate Director for PCI SSC, India