PCI DSS v4.0: A Perspective from India

Nitin Bhatnagar: Hello, listeners. Welcome to Coffee with the Council, where we discuss what’s happening around the payment industry globally and bring a regional perspective to our audience. I’m your host, Nitin Bhatnagar, Associate Director of India for the PCI Security Standards Council. Today, we will be talking about PCI DSS v4.0, a perspective from India, with our special guests Swati Sharma, Leader, CISO Office, Amazon Pay; Dhananjay Khanna SVP and CISO of SBI Card; and Divya John, AVP, Risk and Compliance, HDFC bank. Let’s get started.

India continues to witness an upsurge in digital payment transactions in recent years in terms of the adoption of digitalized technologies and innovations that process transactions within a matter of seconds. As we transition towards a more digital world, it is evident that the industry will continue to be a gold mine for attackers and the number of attacks will rise exponentially. India’s payment industry will need to stay ahead of attackers by having comprehensive security measures in place to keep their customer data safe with adoption of data security standards. I’m glad to have today with us India’s leading payment industry stakeholders with me to talk about the subject of the moment, PCI DSS v4.0, and especially bring to our global audience perspectives from India.

Divya, I know HDFC Bank has been always on the forefront looking closely at PCI DSS v4.0 and have been working on an implementation plan for adhering to PCI DSS v4.0. Can you tell us a bit about your plan and how our listeners can benefit from your experiences with keeping in mind evolving payment forms in India and emerging technologies and focus?

Divya John: Good evening, all, and thank you, Nitin and PCI SSC. It’s a great honor to be a part of this Coffee with the Council. To begin with, I would like to highlight the fact of how dramatically consumers have moved towards online channels during the last two years. And, for that matter, companies and industries have well responded in turn. We also have witnessed a significant boost to the digitization of banking. HDFC Bank also had to refocus its offerings and have been continuously creating various enhanced digital solutions leading to technology evolvement, cloud transformations, etc.

This digital transformation acceleration has also resulted in new risk. The cyber risk landscape is also evolving. When you look into the new version of PCI DSS v4.0, these new risks have been addressed very much. The standard demands stronger authentication methods, advanced encryption methodologies, and also it has brought out the customized approach concept with the goal to address emerging threats and also allowing organizations the flexibility to come up with unique ways to combat new threats to payment information.

At HDFC Bank, we have a wide scope for PCI DSS: issuing services to acquiring services, settlement, all the communication channels with customers. We also have a payment gateway. We manage ATM and POS terminals to ensure third-party service providers’ compliance, hence, transition to the new standard is definitely going to be an interesting challenge.

The preparation has already begun proactively by the team on all fronts. The transition period until 31 March 2024 to move from PCI DSS v3.2.1 to 4.0, will provide the bank with time to become familiar with the changes, plan for, and phase in the new requirements.

We have tried to have a basic understanding of the standard. We actively participate in most of the PCI Council events and attend webinars by experts. In fact, I would like to thank you, Nitin. You’ve been helping us with regular updates. We’re also looking forward to the PCI DSS v4.0 Global Symposium, and other trainings with the PCI Council, with regards to the new standard.

Although, internally, we are trying to place all the right pieces together, we are waiting for the formal interpretation and implementation guidelines, which we will receive from our QSA. Secondly, we also target to engage with our QSA for a preliminary assessment to be done probably in the next couple of months, to understand the level of compliance of PCI DSS v4.0 in the bank. And most importantly, you must be aware that we report to the CISO, and the CISO reports directly to the MD. Hence, we can understand the seriousness of how the migration project would be closely monitored and the extent to which our efforts would be discussed at board-level meetings.

The immense support and the valuable time all the seniors at the bank invest on security itself, is massive. So, when we have such kind of commitment, involvement and the right direction and oversight from the top, it becomes easy to put up the most effective and sustaining strategy.

Nitin Bhatnagar: Swati, you and I work together in India when the subject is PCI DSS. I mean, I remember you as a former QSA for PCI DSS v2.0 and v3.2.1 and have been supporting Amazon for some time now and the merchants for PCI DSS adherence. And, as well as witnessing the standard evolution. What are your impressions on the new PCI DSS v4.0 and current industry preparedness for adoption?

Swati Sharma: Thank you, Nitin. And yes, we have worked together, and I mean, that has been a wonderful time in the industry. If I talk specifically about PCI DSS v4.0, I think it is addressing the advanced requirements from the payment industry perspective. Payment industry has evolved a lot in last three to five years. And even the cardholder data flow has been the same, but the method of adoption and acceptance of payment – the backend technology – that has evolved a lot.

I have observed that PCI DSS v4.0 is more aligned with these kinds of advancement, and it will help in addressing the security requirements of new technology and new methods, which are coming into the payment industry. I have also observed that there has been more detailed clarification added. Guidelines around scoping has been added and even for control, the justifications have been given in detail. So, there has been enough subjectivity so that all types of businesses can come in the scope, and they can implement the same set of PCI DSS requirements.

But, at the same time, I think it has removed the gray areas and it has added more guidance and prescriptive information so that information around the PCI DSS controls is available and controls can be implemented with the right intent. And one thing that I have observed as well, is that the new version is more aligned with the technological advancements and local regulatory requirements, be it RBI or MAS in Singapore or in the Middle East. There are multiple guidelines for the payment industry. I see more alignment with the local regulatory requirements, as well as the security guidelines, which are there with respect to PCI DSS v4.0. So, I think it’s a good initiative where industry is moving in the same direction to secure the payment data in more advanced ways.

Nitin Bhatnagar: Dhananjay, we have been having conversations for a while on the transition timelines to PCI DSS v4.0 from v3.2.1 along with the entity sync with QSAs to meet the PCI DSS requirements. I would like to borrow your technical expertise around implementation of PCI DSS and talk about one of the goals we had for developing PCI DSS v4.0: enhanced validation methods and procedures. What are your impressions on PCI SSC introducing a customized approach option for version 4.0?

Dhananjay Khanna: Sure, Nitin. Thanks for looping me in and I think this is something which is absolutely revolutionary, which is getting introduced with PCI DSS v4.0. We all know that the current version, which is 3.2.1, the existing one, the PCI DSS has included six security objectives. However, to meet these objectives, there are very specifically worded requirements. It’s very descriptive where PCI DSS, as a standard, talks about. And I think that’s the strong point. That’s the beauty of PCI DSS, that it tells exactly what to do to meet those requirements to the version which we are currently running. In other words, the standard is extremely prescriptive. However, with PCI DSS v4.0, in addition to the existing prescriptive methodology, requirements have been expanded within alternate options, the customized implementation. In the customized implementation approach, it considers the intent of the objective and allows the organization to design their own security controls to meet the desired objectives.

Once an organization like ours determines the security controls for the given objective, it is expected to provide a documentation to the QSA to make the final decision on the effectiveness of the control. While deciding, it’s a collaborative approach between the QSA and the organization. In case the customized implementation approach is selected for a particular requirement, the organization will need to develop a customized testing and validation plan that outlines the details, and how the alternate approach meets the security objective of the set requirements. The test plan has to be repeatable. The QSA will conduct each step, receive the expected output or solution, and then measure the result against the stated security objective of the requirements.

Nitin Bhatnagar: Thanks, Dhananjay. This is insightful. Divya, what are your impressions on the new requirements to protect against phishing attacks, expansion of requirement number 8, to implement multifactor authentication for all access into the cardholder data environment, increased password length, and two new ecommerce requirements to address the ecommerce skimming attacks?

Divya John: HDFC Bank is already compliant to ISO 27001/ ISO 22301. And the bank, being a regulated entity, we need to adhere to cybersecurity circular issued by RBI, and also the other guidelines, which keep coming from time to time, including DPSC being the most recent one. The concepts and the intent of all these frameworks generally remain the same, whether it is protecting against phishing attacks, having MFA. These basic fundamentals are already there as part of these frameworks. And also, it is there in PCI v3.2.1 in some restricted form, and the bank has already implemented them, maybe even a little more than what the standard v3.2.1 requires to be future proof to a limited extent. So, the job is to recalibrate the existing controls against what the new PCI requirement states. Change in the length of the password has been there, the minimum being eight. The maximum varies from system to system, depending on the appetite of the organization, and also on customer convenience. Since it has become a new requirement now in v4.0, we will have to do the necessary changes by involving key stakeholders from business, technology, product, and so on. And for the new two ecommerce requirements against skimming, the standard has a very clear objective to protect payment applications against code injection and web skimming attacks. With the evolving payments heavily relying on digital means, the standard is trying to strengthen the security of each layer of the OSI model, wherever it feels may be vulnerable.

Look, what I understand is PCI DSS v4.0 has become more granular when compared to the previous version. It is trying to build a common baseline for all the participating organizations in the payment ecosystem to adhere to. The approach, how to tackle, can be different, but the goal will remain the same.

Nitin Bhatnagar: Swati and Dhananjay, as our time is almost up, I would like to have your impression on a new tool introduced in PCI DSS v4.0, the targeted risk analysis. Swati, Dhananjay, how do you see companies working with the target risk analysis to support the adherence of PCI DSS v4.0?

Swati Sharma: Nitin, I think one thing that I would like to add is that for the new requirements, which have been added in the new v4.0, entities are still evaluating, understanding, digesting that information, and they are in the process of doing gap assessment. So, just by the reading of it, I think it provides a great opportunity for the entities to identify unique risks, which are associated in their business, the type of data, environment type, and what kind of additional security objectives they can have.

The targeted risk analysis can also help in addressing the risk, which is a kind of evolving risk. For example, if I talk about the evolving malwares, which are covered in requirement 5, as well as the access related risk, which are covered as per PCI DSS requirement seven, what will be the actual benefit? I think it will take some time to realize that benefit and how the risk assessment has been part of the earlier version of PCI DSS as well. There has been a dedicated requirement of risk assessment in requirement 12, but I think adding that in specific requirements outside requirement 12 as well, I think it will help in covering the requirement, which are related with those specific domain or objective areas. So, it’ll definitely add a lot of opportunity for the organization to customize the control as per their need and requirement.

Dhananjay Khanna: Nitin, for me, this is again, something related to the customized approach, which we talked about before. As I understand, as per the PCI DSS v4.0, the risk analysis is a must to be completed for any requirement where an entity like us uses customized approach. And the targeted risk analysis will be required to determine how often certain things must occur for the customer. So, if somebody’s taking a customized approach, how often that activity has to be performed during a particular cycle, I think that’s something which will be important from a risk analysis perspective. I think that’s what the targeted risk analysis is all about.

Swati Sharma: I just want to add one more point that the risk analysis, which is added, it is not to downgrade the security control or to eliminate the security control requirements. I mean, if you compare it with other standards, there are ways that you can do risk analysis and if you feel that certain security control is not required, you’ll not implement it. But in PCI DSS, I think that is not the objective of targeted risk analysis. The objective is that if there is an additional risk beyond the security control, which is written in the requirement, additional risk should be addressed, and those controls should be customized to cover that additional risk. So, I think that is an important point that we all need to note and understand when we are talking about this targeted risk analysis and PCI DSS v4.0.

Nitin Bhatnagar: Time really passed fast. This has been one of the most engaging conversations I’ve had in the past few months. To end, a reminder to all our listeners, that today’s guests are all active stakeholders from India, working with PCI DSS. Divya, Swati, and Dhananjay, if you all can summarize in a sentence, what this means for you and your company, what you can say?

Divya John: So, in continuation to meet the security needs of the payment industry, like I said earlier, PCI DSS v4.0 has introduced flexibility in implementing controls. It has become more outcome based, having additional methodologies to achieve security. There is a lot of excitement in the release, and we are all geared up for timely achievement of compliance.

Swati Sharma: I think, Nitin, PCI SSC has created a common forum, which is helping in connecting with other payment industry players and sharing the PCI compliance knowledge and experience. Amazon has been a part of the global organizations within PCI SSC, for example as a Board of Advisor. We have been listed there as a Participating Organization as well. But if I specifically talk about the India Forums, I think it is creating a lot of awareness and it is giving a lot of opportunity for the local players to come and connect with global PCI issues. And it is creating a sync between regional and global PCI requirements. I think one important role that PCI SSC is playing here is that it is creating a kind of knowledge base and experience within PCI. And it is helping individuals in gaining their relevant skills, for example, ISAs and PCIPs. Recently I have completed my PCI ISA and I have seen a lot of value in these trainings, and this gives a lot of credibility for the individuals who are working in the payment industry.

Dhananjay Khanna: Data security has been always an utmost priority for SBI Card. We have always looked up to the global community and contribute to global data security standards development with having our feedback contributed from a regional perspective. Besides the opportunity of contributing to the improvement of the standards, getting advanced resources and awareness on recent risks in the payment world, I would say periodic advisories, Nitin, thank you very much. Really appreciate the inputs you give from time to time, the advisories, which you share I really appreciate. It is a marvelous opportunity to be part of a global community full of industry leaders and interacting with peers like Swati and others, I think that’s absolutely a pleasure being part of this initiative. Thank you very much.

Nitin Bhatnagar: So, before we wrap up, since you are on Coffee with the Council, we like to ask our guests how they take their coffee, or if you’re not a coffee drinker, what do you prefer instead? Divya, we can start with you.

Divya John: Oh, I love coffee, but I rarely have it at home. Coffee is one good reason for me to take breaks at work and do a little bit of extra networking. Yeah, it really works.

Swati Sharma: I think I’m a Desi person within, and you know me for a long time, I prefer chai over everything else. But if I have to go for a coffee option, I go with black coffee and not just because of taste. I like it because of health reasons. But if I’m not thinking about health, I’ll go with chai all the time – the Desi chai with a lot of ginger and masala added.

Dhananjay Khanna: Yeah, I’m a die-hard coffee drinker, Nitin. I think I only drink coffee. That’s the only drink I have had in my entire life. And I always have one coffee a day. That’s the resolution I have. So, I only take one coffee a day. But a coffee a day is absolutely a must for me to start my day.

Nitin Bhatnagar: Absolutely, Divya, Swati, Dhananjay. So, I think it also helps me. Adding too, my preference, so I love coffee. So, I’m a core coffee lover of Cappuccino. So, if I’m going out, working, sitting in a Café Coffee Day or probably Starbucks, I think Cappuccino is what I prefer and sometimes black coffee – so that’s being health conscious. Thank you for joining me on Coffee with the Council. It has been a pleasure having you all.

Divya John: Thank you once again, Nitin and PCI SSC. It has been a very interesting and informative session. I had a great time interacting with you, Swati and Dhananjay. Thank you all.

Swati Sharma: Thank you so much, Nitin, for bringing us on this common platform. Thanks, Divya and thanks, Dhananjay, for sharing the great insight about the different protocols within the payment industry. And thanks PCI SSC for creating these kinds of engagements and common forums where we can share our views and share the common thoughts.

Dhananjay Khanna: Thanks, Nitin. Thanks, PCI SSC for bringing us together. It’s indeed a very engaging conversation. I thoroughly enjoyed being part of the same and thanks Swati and Divya for sharing some insight and sharing the platform with me and so really appreciate it. Thank you very much.

Nitin Bhatnagar: Thank you. Thank you, all.

Like what you’ve heard? Subscribe to PCI SSC’s “Coffee with the Council” podcast by visiting any of the following platforms: Spotify, Anchor, Pocket Casts, or Google Podcasts. Coming soon, the podcast will also be available on Apple Podcasts and RadioPublic.