How Card Data Storage can be made more Secure

Janifha Evangeline | Saturday, 28 August 2021, 01:58 IST

The RBI, together with the payments industry and the PCI, is working on a solution that would spare customers from typing in their sixteen-digit credit or debit card number every time they pay with their cards.

In a statement, the PCI said, “The Industry and PCI are working in alignment with RBI on the possible secure card on file solutions which will ensure a near similar customer experience for online purchases whilst enhancing the security of the storage of card credentials of customers.”

Website security is a critical topic for the e-commerce industry: e-commerce sites face the same threats as any other website, but the stakes are higher. Customers must transmit payment details, including credit and debit card numbers, to complete a transaction, which both makes these sites an attractive target for attackers and introduces additional classes of vulnerability specific to e-commerce.

Some of the Attack Vectors

Owing to repeated breaches, the Payment Card Industry has become concerned about the security of online commerce and has set a collection of standards governing how e-commerce websites should be secured, known collectively as its Data Security Standard (DSS). PCI DSS applies to any organization that processes or stores consumer payment card data: the organization must meet twelve requirements across six security areas, and key controls such as vulnerability scanning are mandated and assessed every year.

The points an attacker could target, whether going after a payment transaction in flight or stored card data, include the shopper's personal computer, the network connection between the shopper and the website's server, the website's server itself, and third-party software vendors; the methods used at each point are aimed at gaining access to customers' card details.

Some of the best practices that would help businesses to handle credit card information are:

Understanding the obligation: As a business owner holding a merchant account used to process credit card transactions, you are obligated to safeguard your clients' card information. When using third-party software to process payments, you should therefore ensure that the product safeguards all of the consumer's card data.

Using only approved equipment and software: Whether you use a POS terminal or a card swiper attached to a computer or mobile phone running payment processing software, the business owner must be certain that all hardware and software in use is PCI compliant.

Use only approved service providers: Businesses that do not want to install and run card processing software themselves can engage service providers who manage card processing and card account storage on their behalf. These include web-based SaaS providers and organizations to which all payment processing functions are outsourced. It is strongly recommended that such solutions undergo extensive testing to ensure they deserve the trust placed in them; this testing is carried out by an external QSA (Qualified Security Assessor).

DDoS (Distributed Denial of Service) Mitigation

Larger e-commerce providers need to consider options for DDoS (Distributed Denial of Service) mitigation, such as a screening/scrubbing service from a cloud provider built on a proxy or content delivery network (CDN) architecture, which absorbs attack traffic at the network edge.

RBI working with the payments industry and the PCI on secured card data storage

The Reserve Bank of India was not willing to move from its stance that payment facilitators should not and cannot store customers' card details. This became an inconvenience for most stakeholders, especially frequent online shoppers, who until now have only had to type the CVV of a card saved (masked, with the last four digits visible) on an e-commerce website to complete a transaction.

“We are working closely with the RBI on charting a roadmap of the possible solutions that could be adopted by the industry for securing the storage of raw card data. Solutions being worked upon would not require the customers to enter their card number manually every time they make an online purchase,” the PCI said.

It stated that the solutions will adhere to the security checks, controls and frameworks prescribed by the Reserve Bank of India.

The Reserve Bank of India's new rules would have made it compulsory for customers to type in complete card details for every transaction, with those details reaching merchant servers either in tokenized form or as random numbers. Because the generated tokens would be one-time in nature, neither the merchant site nor the payments facilitator would have any reason to save the details. Experts stated that while the central bank's concern is genuine, the rule would create friction in an otherwise seamless transaction process, and that both efficiency and ease of payment in monthly subscription-based models would be disrupted.
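To make the distinction between a token and raw card data concrete, here is an added Python sketch of a card-on-file flow; it is illustrative code written for this page, not code from the article, the RBI or the PCI. The merchant keeps only a vault-issued token and the last four digits (the masked form mentioned above), and each charge uses a single-use token that the vault redeems exactly once and only for the merchant it was issued to. The `TokenVault` and `Merchant` classes, the merchant ids and the card number are constructed for the example; a real token service provider would additionally encrypt the stored PAN under a key held in an HSM.

```python
"""Illustrative card-on-file tokenization (constructed example, not a real vault API)."""
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn checksum that card numbers carry; used here only to sanity-check input."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Masked form a merchant may display: only the last four digits visible."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Hypothetical token service provider. Only the vault ever holds the PAN."""

    def __init__(self) -> None:
        # card-on-file token -> (merchant it is bound to, PAN). A real vault
        # stores the PAN encrypted under an HSM-managed key; kept in clear here.
        self._pans: dict[str, tuple[str, str]] = {}
        # one-time token -> card-on-file token; removed when redeemed.
        self._one_time: dict[str, str] = {}

    def tokenize(self, pan: str, merchant_id: str) -> str:
        """Exchange a PAN for a random, merchant-bound token (no relation to the PAN)."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed card number")
        token = "cof_" + secrets.token_hex(8)
        self._pans[token] = (merchant_id, pan)
        return token

    def issue_one_time(self, cof_token: str, merchant_id: str) -> str:
        """Mint a single-use token for one transaction; only the bound merchant may ask."""
        bound_to, _ = self._pans.get(cof_token, (None, None))
        if bound_to != merchant_id:
            raise PermissionError("card-on-file token is not bound to this merchant")
        ott = "ott_" + secrets.token_hex(8)
        self._one_time[ott] = cof_token
        return ott

    def redeem(self, ott: str, merchant_id: str) -> str:
        """Resolve a one-time token to the PAN exactly once (the processor side)."""
        cof_token = self._one_time.pop(ott, None)   # pop: a second redeem fails
        if cof_token is None:
            raise KeyError("unknown or already-used one-time token")
        bound_to, pan = self._pans[cof_token]
        if bound_to != merchant_id:
            raise PermissionError("one-time token presented by the wrong merchant")
        return pan


@dataclass
class CardOnFile:
    """Everything the merchant retains: no PAN, no CVV."""
    token: str
    last4: str
    expiry: str


class Merchant:
    """Hypothetical merchant that never persists raw card data."""

    def __init__(self, merchant_id: str, vault: TokenVault) -> None:
        self.merchant_id = merchant_id
        self.vault = vault
        self.cards: dict[str, CardOnFile] = {}

    def save_card(self, customer_id: str, pan: str, expiry: str) -> CardOnFile:
        token = self.vault.tokenize(pan, self.merchant_id)
        self.cards[customer_id] = CardOnFile(token, pan[-4:], expiry)
        return self.cards[customer_id]

    def charge(self, customer_id: str) -> str:
        """Return the one-time token that travels to the processor instead of the PAN."""
        card = self.cards[customer_id]
        return self.vault.issue_one_time(card.token, self.merchant_id)


def run_demo() -> dict:
    """Walk through the flow with a constructed test card number and report the outcomes."""
    pan = "4111111111111111"                       # constructed sample, Luhn-valid
    vault = TokenVault()
    shop = Merchant("merchant-A", vault)
    record = shop.save_card("cust-1", pan, "12/26")
    ott = shop.charge("cust-1")
    first = vault.redeem(ott, "merchant-A")
    try:
        vault.redeem(ott, "merchant-A")
        replay_rejected = False
    except KeyError:
        replay_rejected = True
    try:
        vault.issue_one_time(record.token, "merchant-B")
        cross_merchant_rejected = False
    except PermissionError:
        cross_merchant_rejected = True
    return {
        "merchant_holds_pan": pan in repr(shop.cards),
        "masked": mask_pan(pan),
        "first_redeem_ok": first == pan,
        "replay_rejected": replay_rejected,
        "cross_merchant_rejected": cross_merchant_rejected,
    }


if __name__ == "__main__":
    print(run_demo())
```

The point of the single-use token is the one the article makes: once the value a merchant or payments facilitator receives is worthless after one redemption, there is nothing left worth storing, so a breach of the merchant's database yields tokens and last-four digits rather than reusable card numbers.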

The Payments Council of India also stated that it has shared with the Reserve Bank of India the principles, which could be adopted by the industry for building secure card on file solutions.
