Payment Security in India: A Discussion with Stakeholders
What are some common attacks you have seen during the pandemic?
Swati Sharma: Customer misconfiguration and implementation gaps for ‘security in the cloud’ controls have been the areas exploited. Entities may presume that when they move to the cloud they no longer have responsibility for security. That is not the case. One thing that is very important to understand when it comes to the cloud is that security and compliance are a shared responsibility between the CSP and the hosted entity, and the customer must understand clearly what they are responsible for. Customers must manage their own PCI DSS compliance certification, and additional testing will be required to verify that your environment satisfies all PCI DSS requirements. For the portion of the PCI cardholder data environment (CDE) that is deployed in AWS, your Qualified Security Assessor (QSA) can rely on the AWS Attestation of Compliance (AOC) without further testing for ‘security of the cloud’ controls for AWS’s PCI DSS scoped services.
Viswanath Krishnamurthy: We have seen a spike in social engineering attacks with an increase in phishing attempts. It is very important to be careful about what you click on, and also critical to train all your staff (and not just the risk team) to be on the lookout for potential phishing emails. We have also seen cybersecurity breaches increase significantly during this challenging time. Data breaches by cyber criminals as well as ransomware attacks are becoming increasingly popular with criminals as well.
Rajesh Hariharan: As times have changed there are ever-increasing attacks on the web applications and the payment applications that support all these transactions. Magecart or online skimming attacks are not new, but they continue to plague the payment card industry. Phishing and ransomware attacks are of concern as well. Stolen credit cards are something we monitor as well. We have seen, and I myself have been a victim of, low-value transactions that are cleverly designed to go unnoticed.
You were a part of a panel of payment professionals sharing experiences and insights on the current state of payment security and the future of payment security. What were some of the key takeaways about the future of payment security in India?
Swati Sharma: We have seen people get more comfortable with digital channels including e-commerce and digital payments. We may see more innovations in this payment space. Scalability on the digital payment side will likely continue to be a priority. We will continue to add capabilities that provide our customers with additional ways to architect and run secure workloads on AWS, while maintaining their desired customizations and security postures. A key takeaway for me from our discussion is to use standards when implementing security.
Viswanath Krishnamurthy: There has been a dramatic increase in digital transactions that has significantly changed the way many people do business. We see more and more people working from home, which has created a new set of security challenges for many. Small transactions will continue to grow, as we will see fraudsters using themes around COVID such as Covid-relief, Covid-donations, Covid-oxygen / concentrators etc., to perpetrate frauds & scams.
Rajesh Hariharan: I think a key takeaway is that security can no longer be an afterthought. The minute you launch a product or service, security has to be a priority. Embrace security from the very beginning.
In your role, a key focus is working to increase industry participation from Indian stakeholders in the PCI Security Standards Council. What are some of the key opportunities for involvement?
Nitin Bhatnagar: Our Participating Organizations (PO) program is a terrific starting point for organizations that want to be a part of the payment security community. Being a PO allows an organization to collaborate with others in the payment industry and have a voice in the development of our standards and programs. The heart of the PCI SSC mission is bringing together payment industry stakeholders to develop and drive implementation of data security standards and resources. For more information about becoming a PO, please visit:
The PCI SSC also recently launched a new Corporate Group Training opportunity that offers a great way to train your entire team at once on any of PCI SSC’s 15 existing standards and programs. Corporate Group Training offers organizations the ability to learn directly from PCI SSC trainers, exclusively with the peers in their company. Our trainers offer instruction with hands-on experience assessing merchants and/or service providers. We offer most of our courses (for qualification or informational purposes) in Corporate Group Training format. Currently, these are eLearning courses organized as remote, instructor-led sessions tailored to fit your organization. When it is permissible, our trainers will come to you and deliver the classes at your facility. We have found that Corporate Group Training offers all the benefits of a typical class, and we can cater the course to be convenient for your organization in whatever format works best for your needs. For more information on this exciting new program, please visit: