As cybersecurity threats continue to evolve, protecting payment systems and ensuring compliance with regulatory frameworks have become critical priorities for organizations worldwide. The Payment Card Industry Data Security Standard (PCI DSS) serves as a cornerstone for securing cardholder data, while cyber laws define the legal landscape for data protection and cybercrime prevention. This interview dives deep into the challenges, opportunities, and best practices associated with PCI DSS compliance and its interplay with cyber law. Our expert today will shed light on these critical topics, offering insights into the strategies organizations can adopt to safeguard sensitive data while remaining compliant with global and regional regulations.
Biography: Nitin Bhatnagar
Nitin Bhatnagar is a distinguished leader in the payment security domain, currently serving as the Regional Director for India and South Asia at the PCI Security Standards Council (PCI SSC). In this role, he spearheads initiatives to enhance the security of payment card transactions across the region. Nitin collaborates with a diverse array of stakeholders, including payment brands, assessors, businesses, government bodies, and regulators, to promote awareness and implementation of PCI standards.
With over 14 years of extensive experience in the payment security sector, Nitin is renowned for his innovative thinking, thought leadership, and technical expertise. His efforts to safeguard payment ecosystems against emerging cyber threats have been widely recognized, earning him a spot among the “Top 50 Cyber Security Leaders of India 2021.”
A multifaceted professional, Nitin is also a seasoned speaker, television personality, and technical writer. His research focuses on leveraging cutting-edge technologies, such as artificial intelligence and machine learning, to bolster the resilience of payment infrastructures against sophisticated cyberattacks.
Nitin holds a Master’s degree in Cyber Law and Information Security from the prestigious Indian Institute of Information Technology, Allahabad. He also possesses several professional certifications in payment security and risk management, further cementing his status as a trusted authority in the field.
Under his leadership, Nitin continues to drive impactful initiatives that shape the future of secure digital transactions, ensuring robust protection for organizations and consumers alike.
The Interview
Section 1: Understanding PCI DSS
- Introduction to PCI DSS:
Can you briefly explain what PCI DSS is and its primary objectives in the realm of payment security?
Nitin – PCI DSS is a set of baseline technical and operational requirements designed to protect payment account data. It is intended for all entities that store, process, or transmit cardholder data (CHD) and/or sensitive authentication data (SAD), or could impact the security of CHD and/or SAD. This includes all entities involved in payment account processing.
PCI Security Standards are developed and maintained by the PCI Security Standards Council to protect payment data throughout the payment lifecycle. The different PCI Standards support different stakeholders and functions within the payments industry.
Some of the PCI Standards are intended for use by organizations involved in payments, such as merchants, service providers, and financial institutions, to use within their own environments. These standards support the implementation of secure practices, technologies, and processes within the organization.
Other PCI Standards are intended for developers, technology vendors, and solution providers wishing to demonstrate that their product or service was designed with security in mind and meets a defined set of security requirements. These standards support the validation and listing of products and services that meet the standard and validation program requirements.
All PCI Security Standards are developed in conjunction with a global network of payments industry stakeholders.
- Significance of Compliance:
Why is PCI DSS compliance crucial for businesses handling cardholder data?
Nitin – With a strong data security foundation you can protect your customer payment data and prevent data breaches that can put you out of business. A strong data security foundation starts with people, process and technology. Each of PCI SSC’s founding payment brand members (American Express, Discover, JCB International, MasterCard and Visa) currently has its own PCI compliance program for the protection of its affiliated payment card account data. Entities should contact the payment brands directly for information about their compliance programs.
Questions regarding compliance requirements for payment card account data affiliated with other payment networks or brands should be referred to the applicable payment network or brand.
PCI SSC also encourages entities to be aware of potential nuances in local laws and regulations that could affect applicability of the PCI standards.
- Key Challenges:
What are the most common challenges organizations face in achieving and maintaining PCI DSS compliance?
Nitin – For many organizations, the question of what it means to be compliant with the DSS is an important one. Compliance is seen as checking a box during a compliance report and then slipping back into bad security habits once the report is completed. This is a poor approach to addressing the main issue of being secure. Compliance on one given day does not mean 24/7 security. Shifting the mindset from one of compliance to a continuous, risk-based mentality is a critical component of making payment security business-as-usual. The ongoing security of cardholder data should be the main objective behind all PCI DSS compliance activities.
The result of failing to maintain proper security can be catastrophic to a business. Failing to maintain compliance at all times could leave organizations more susceptible to security control failures, malicious attack, or accidental information leakage.
To address these compliance challenges, the PCI SSC developed resources to help assist in addressing some main compliance challenges. The Information Supplement: Best Practices for Maintaining PCI DSS Compliance provides practical recommendations for dealing with some of the key challenges in maintaining compliance and offers solutions to help organizations avoid the pitfalls of compliance fall-off. Using this guidance as a resource, merchants, service providers and other organizations can better understand how to plan for and maintain a state of continuous compliance.
- Recent Updates:
Can you highlight the latest updates in the PCI DSS standard, such as PCI DSS v4.0, and their implications for businesses?
Nitin – I would like to share two important updates on the PCI Standards: (a) the PCI DSS v4.0 limited revision to the standard, and (b) the PCI MPoC Standard version 1.1, designed to support the evolution of mobile payment acceptance solutions.
To address stakeholder feedback and questions received since PCI DSS v4.0 was published in March 2022, the PCI Security Standards Council (PCI SSC) has published a limited revision to the standard, PCI DSS v4.0.1. It includes corrections to formatting and typographical errors and clarifies the focus and intent of some of the requirements and guidance. There are no additional or deleted requirements in this revision.
Some of the changes made in this update include:
Requirement 3
- Clarified Applicability Notes for issuers and companies that support issuing services.
- Added a Customized Approach Objective and clarified applicability for organizations using keyed cryptographic hashes to render Primary Account Numbers (PAN) unreadable.
Requirement 6
- Reverted to PCI DSS v3.2.1 language that installing patches/updates within 30 days applies only for “critical vulnerabilities.”
- Added Applicability Notes to clarify how the requirement for managing payment page scripts applies.
Requirement 8
- Added an Applicability Note that multi-factor authentication for all (non-administrative) access into the CDE does not apply to user accounts that are only authenticated with phishing-resistant authentication factors.
Requirement 12
- Updated Applicability Notes to clarify several points about relationships between customers and third-party service providers (TPSPs).
Appendices
- Removed Customized Approach sample templates from Appendix E and referred to the sample templates that are available on the PCI SSC website.
- Added definitions for “Legal Exception,” “Phishing Resistant Authentication,” and “Visitor” to Appendix G.
What businesses need to be aware of:
- When will PCI DSS v4.0 be retired?
As with all new versions of PCI DSS, there will be a period where both the current and updated version will be active at the same time. PCI DSS v4.0 will be retired on 31 December 2024. After that point, PCI DSS v4.0.1 will be the only active version of the standard supported by PCI SSC.
When in doubt, reference FAQ 1328 “Where can I find the current version of PCI DSS?” for more detail and links to additional FAQs about transitioning to an updated version of PCI DSS.
- Does PCI DSS v4.0.1 change the 31 March 2025 effective date for the new requirements?
No. This limited revision does not impact the effective date of these new requirements.
- Are there any new requirements in PCI DSS v4.0.1?
No. As this is a limited revision, there are no new or deleted requirements. Refer to the Summary of Changes from PCI DSS v4.0 to v4.0.1 for the full details.
PCI Mobile Payments on COTS (MPoC) Standard Version 1.1 Now Available
The PCI Security Standards Council (PCI SSC) has published version 1.1 of the PCI Mobile Payments on COTS (MPoC) Standard, designed to support the evolution of mobile payment acceptance solutions. PCI MPoC builds on the existing PCI Software-based PIN entry on COTS (SPoC) and PCI Contactless Payments on COTS (CPoC) Standards, addressing security requirements for solutions that enable merchants to accept cardholder PINs or contactless payments using a smartphone or other commercial off-the-shelf (COTS) mobile devices.
The PCI MPoC Standard version 1.1 provides increased flexibility in how payments are accepted and how COTS-based payment acceptance solutions can be developed, deployed, and maintained.
- Role of QSAs:
How can Qualified Security Assessors (QSAs) assist organizations in meeting PCI DSS requirements?
Nitin – Qualified Security Assessor (QSA) companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. QSA Employees are individuals who are employed by a QSA Company. The primary goal of an individual with the QSA credential is to perform an assessment against the high-level control objectives of the PCI Data Security Standard (PCI DSS).
Section 2: Technical and Operational Measures
- Data Protection Measures:
What are the most critical data protection measures outlined in PCI DSS?
Nitin – Let me highlight a few critical measures outlined in PCI DSS v4.0.x:
Strong passwords/passphrases
Strong passwords/passphrases may be the first line of defence into a network since a malicious individual will often first try to find accounts with weak, static, or non-existent passwords. If passwords are short or easily guessable, it is relatively easy for a malicious individual to find these weak accounts and compromise a network under the guise of a valid user ID.
Password/passphrase strength is dependent on password/passphrase complexity, length, and randomness. Passwords/passphrases should be sufficiently complex, so they are impractical for an attacker to guess or otherwise discover their value. Entities can consider adding increased complexity by requiring the use of special characters and upper- and lower-case characters, in addition to the minimum standards outlined by this requirement.
Additional complexity increases the time required for offline brute force attacks of hashed passwords/passphrases. Another option for increasing the resistance of passwords to guessing attacks is by comparing proposed passwords/passphrases to a bad password list and having users provide new passwords for any passwords found on the list.
Multi-Factor Authentication
Requiring more than one type of authentication factor reduces the probability that an attacker can gain access to a system by masquerading as a legitimate user, because the attacker would need to compromise multiple authentication factors. This is especially true in environments where traditionally the single authentication factor employed was something a user knows such as a password or passphrase.
Definitions
Using one factor twice (for example, using two separate passwords) is not considered multi-factor authentication.
- Something you know, such as a password or passphrase.
- Something you have, such as a token device or smart card.
- Something you are, such as a biometric element.
Scanning – External Vulnerability Scan
Purpose
Attackers routinely look for unpatched or vulnerable externally facing servers, which can be leveraged to launch a directed attack. Organizations must ensure these externally facing devices are regularly scanned for weaknesses and that vulnerabilities are patched or remediated to protect the entity. Because external networks are at greater risk of compromise, external vulnerability scanning must be performed at least once every three months by a PCI SSC Approved Scanning Vendor (ASV).
Good Practice
While scans are required at least once every three months, more frequent scans are recommended depending on the network complexity, frequency of change, and types of devices, software, and operating systems used. Multiple scan reports can be combined to show that all systems were scanned and that all applicable vulnerabilities were resolved as part of the three-month vulnerability scan cycle. However, additional documentation may be required to verify non-remediated vulnerabilities are in the process of being resolved.
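The three password points made above (length and character classes, the cost of an offline brute-force attack against hashed passwords, and comparison against a bad-password list), as an added Python example that is not part of the interview or of any PCI SSC material; the thresholds, the sample bad-password list and the guess rate are assumptions chosen for illustration, not values quoted from the standard:

```python
"""Illustrative password/passphrase policy check (constructed example).

The thresholds, the bad-password list and the guess rate below are
assumptions for illustration only; none of them is quoted from PCI DSS.
"""
import math
import string
from dataclasses import dataclass, field

# Assumed policy thresholds (illustrative, not taken from the standard).
MIN_LENGTH = 12
REQUIRE_CLASSES = 2  # at least this many distinct character classes

# Constructed sample of a "bad password list"; a real deployment would load a
# breach-derived list with far more entries.
BAD_PASSWORD_LIST = {
    "password", "password1", "123456", "qwerty", "welcome1",
    "letmein", "admin123", "changeme", "summer2024",
}

# Assumed offline guess rate against a hashed password store (guesses/second).
# Only used to show the relative cost that extra length and complexity add.
ASSUMED_GUESSES_PER_SECOND = 1e10

CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


@dataclass
class PolicyResult:
    ok: bool
    length: int
    classes: list
    keyspace_bits: float
    brute_force_years: float
    problems: list = field(default_factory=list)


def normalise(candidate: str) -> str:
    """Case-fold and drop a trailing digit run so 'Password1' still matches
    the list entry 'password' (a common user workaround for complexity rules)."""
    stripped = candidate.lower().rstrip(string.digits)
    return stripped or candidate.lower()


def keyspace_bits(length: int, classes: list) -> float:
    """log2 of the brute-force keyspace for a password of this length drawn
    uniformly from the union of the character classes it actually uses.
    This is an upper bound: it assumes random choice, which is exactly why
    the bad-password list check is needed as well."""
    alphabet = sum(len(CHAR_CLASSES[c]) for c in classes)
    return length * math.log2(alphabet) if alphabet else 0.0


def check_password(candidate: str) -> PolicyResult:
    """Apply the illustrative policy and return a structured verdict."""
    classes = [name for name, chars in CHAR_CLASSES.items()
               if any(ch in chars for ch in candidate)]
    bits = keyspace_bits(len(candidate), classes)
    # Expected time to search half the keyspace at the assumed guess rate.
    years = (2 ** bits / 2) / ASSUMED_GUESSES_PER_SECOND / (365 * 24 * 3600)
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(classes) < REQUIRE_CLASSES:
        problems.append(f"uses fewer than {REQUIRE_CLASSES} character classes")
    if candidate.lower() in BAD_PASSWORD_LIST or normalise(candidate) in BAD_PASSWORD_LIST:
        problems.append("appears on the bad-password list")
    return PolicyResult(not problems, len(candidate), classes, bits, years, problems)


if __name__ == "__main__":
    for sample in ("Password1", "correcthorsebatterystaple", "Tr0ub4dor&3xample!"):
        r = check_password(sample)
        print(f"{sample!r}: ok={r.ok} bits={r.keyspace_bits:.1f} "
              f"years={r.brute_force_years:.3g} problems={r.problems}")
```

Comparing the keyspace figures for a 12-character lower-case-only password against a 12-character four-class password makes the "additional complexity increases offline brute-force time" point concrete, while the list check catches the predictable choices that keyspace arithmetic alone would overrate.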
- Tokenization and Encryption:
How do technologies like tokenization and encryption support PCI DSS compliance?
Nitin – Technology is only as good as its implementation. To minimize risk and fraud, data needs to be desensitised and devalued. This is where technologies that devalue data, such as Tokenization, P2PE, EMV and 3DS, can play a critical role in helping prevent theft incidents from becoming breaches. The goal of these technologies is to eliminate persistent value in the data you use to conduct a transaction. So, if a criminal attacks and steals data, there is no threat to the system, the consumer and/or the merchant. PCI SSC provides standards and programs to support the secure implementation of these technology solutions.
- Monitoring and Incident Response:
What role do real-time monitoring and incident response play in maintaining PCI DSS compliance?
Nitin – Having security logs and actively using them to monitor security-related activities within the environment are two distinctly different concepts. This sounds obvious, but many organizations confuse the former with the latter. Logging system messages and events in security logs may prove helpful—even essential—during post-breach forensic investigations. But having security logs without procedures to actively review and analyze them is of little use in the ongoing management of information security defenses, and is the modern equivalent of fortress walls without watchmen. For security logs to be useful in the defense of information assets, they must be monitored and analyzed—in as close to real-time as possible—so that attacks can be detected quickly and appropriate countermeasures deployed to augment existing defenses when and where necessary. This becomes increasingly important as attacks and attackers become more sophisticated. Without the active monitoring and analysis of security logs, the erosion of information security defenses by capable adversaries will likely go undetected and will eventually result in the compromise of the very assets that require protection.
PCI DSS Requirement 10.4.1 provides the foundation for the proactive monitoring of security logs for the occurrence of security events by requiring “daily” reviews of logs for critical system components.
Without a comprehensive incident response plan that is properly disseminated, read, and understood by the parties responsible, confusion and lack of a unified response could create further downtime for the business, unnecessary public media exposure, as well as risk of financial and/or reputational loss and legal liabilities.
PCI DSS Requirement 12.10.1 provides the necessary guidance around incident response. The incident response plan should be thorough and contain all the key elements for stakeholders (for example, legal, communications) to allow the entity to respond effectively in the event of a breach that could impact account data. It is important to keep the plan up to date with current contact information of all individuals designated as having a role in incident response. Other relevant parties for notifications may include customers, financial institutions (acquirers and issuers), and business partners. Entities should consider how to address all compromises of data within the CDE in their incident response plans, including compromises to account data, wireless encryption keys, encryption keys used for transmission and storage of account data or cardholder data, etc.
- Third-Party Risks:
How should organizations manage third-party vendors to ensure compliance with PCI DSS?
Nitin – A Service Provider should be viewed as a partner in protecting payment data rather than the common assumption that all responsibility has been completely outsourced. The use of a Service Provider for payment security related services does not relieve an organization of the ultimate responsibility for its own security obligations, or for ensuring that its payment data and payment environment are secure. Much of this misunderstanding comes from simply not including payment data security as part of the conversation and how requirements, such as those in PCI DSS, will be met. Some guidance for selecting and working with a Service Provider include:
Third-Party Service Provider Due Diligence: When selecting a Service Provider, organizations should vet the vendor through careful due diligence prior to establishing a relationship, with an explicit understanding of which entity will assume management and oversight of security. This will assist organizations in reviewing and selecting a Third-Party Service Provider with the skills and experience appropriate for the engagement.
Monitor Third-Party Service Provider Compliance Status: Organizations should be aware of the Service Provider’s PCI DSS compliance status as a Service Provider, as compared to their own obligation to adhere to PCI DSS requirements for their own payment acceptance practices. A Service Provider demonstrating that they have met PCI DSS for their own card environment does not necessarily mean that the services they offer have been evaluated against the PCI DSS requirements.
Having this conversation with the service provider will provide an organization assurance and awareness about whether the service provider complies with the applicable requirements for the services provided. If the service provider offers a variety of services, this knowledge will assist the entity in determining which services will be in scope for the entity’s PCI DSS assessment.
Written Agreements and Policies and Procedures: Organizations should consider detailed written agreements such as contracts, services agreements, and responsibility matrices to promote consistency and mutual understanding between the organization and its SP(s) concerning their respective responsibilities and obligations with respect to PCI DSS requirements.
- Annual Assessments:
What are the key steps in preparing for an annual PCI DSS compliance assessment?
Nitin – Step #1: Understand the Requirements – Read the Summary of Changes from 3.2.1 to 4.0.x, and read the Standard! The Standard itself has expanded guidance to help you better understand requirements.
Step #2: Choose the Right Validation – There are two validation options for PCI DSS v4.0.x: the customized approach and the defined approach. We have a blog series to help you better understand these two different approaches.
Step #3: Do the Work – Communicate your transition plan across all departments and functions, and clearly define roles and responsibilities.
Step #4: Use Trusted Partners – Utilize qualified professionals such as Payment Card Industry Professionals (PCIPs), Internal Security Assessors (ISAs) and Qualified Security Assessors (QSAs). These qualified individuals can support the consistent and proper application of PCI DSS controls.
Use technologies and solutions that have been tested and validated against security standards for the protection of payment data. PCI SSC maintains listings of products and solutions validated to PCI SSC standards, including Point-to-Point Encryption (P2PE) Solutions, Validated Payment Software, and Approved PTS Devices.
Step #5: Do Your Own Assessments
The best way to prepare for a PCI DSS assessment is to do your own assessments. Preparing for an assessment should begin as soon as possible; the more time invested in preparation, the more efficient and successful your assessment will be.
Performing gap assessments early and often will help you identify the areas you need to work on.
Step #6: Prioritize Security as a Continuous Process
PCI DSS v4.0 is designed to support long-term, continuous processes to protect payment data. Organizations focused on maintaining PCI DSS security controls year-round can more readily avoid recurring cycles of short-term compliance followed by security lapses and short-term remediation each time they have an assessment.
Section 3: Cyber Law and Its Interplay with PCI DSS
- Global Cyber Law Frameworks:
How do global cyber law frameworks like GDPR and CCPA intersect with PCI DSS requirements?
- Legal Implications of Non-Compliance:
What are the legal consequences for organizations that fail to comply with PCI DSS or breach cyber laws?
- Cross-Border Transactions:
How can businesses ensure compliance with both PCI DSS and regional cyber laws when handling cross-border transactions?
- Incident Reporting Obligations:
What are the legal obligations for reporting payment-related breaches under cyber laws?
- Role of Cyber Law in PCI DSS Evolution:
How have changes in cyber laws influenced the evolution of PCI DSS standards?
Nitin –
The PCI Security Standards Council (PCI SSC) is a global forum for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection. Our role is to enhance global payment account data security by developing standards and supporting services that drive education, awareness, and effective implementation by stakeholders. We achieve this with a strategic framework to guide our decision-making process and ensure that every initiative is aligned with our mission and supports the needs of the global payments industry.
Does the PCI Security Standards Council enforce compliance?
No. The Council’s role is to develop and maintain standards. We do not monitor the implementation of standards. Whether an entity is required to comply with or validate compliance to a PCI SSC standard is at the discretion of organizations that manage compliance programs, such as a payment brand, acquirer, or other entity.
Section 4: Strategic Insights and Best Practices
- Achieving Balance:
How can organizations balance operational efficiency with the stringent requirements of PCI DSS?
Nitin –
- Organizations implementing PCI DSS need to ensure they have trained their staff on security and PCI DSS.
- Identify skill gaps and make sure staff are trained in any new technologies you plan to implement. PCI training can help – take advantage of PCIP and ISA training.
- Partner with a trusted team – use qualified professionals. QSAs can help you understand PCI DSS requirements.
- Also consider PCI validated technologies and solutions – tested and validated against PCI standards to protect payment data.
- PCI maintains listings of QSAs, products and solutions validated to our standards: P2PE, validated payment software, approved PTS devices, etc.
- Industry-Specific Challenges:
Are there specific PCI DSS compliance challenges unique to industries like e-commerce, healthcare, or retail?
Nitin – The PCI Security Standards Council (PCI SSC) is developing guidance to help stakeholders understand and implement the new e-commerce security requirements included in PCI Data Security Standard (PCI DSS) v4.x. Stakeholders have indicated that these requirements are complex for many entities to implement (including merchants validating to Self-Assessment Questionnaire (SAQ) A). To that end, the Council has engaged with industry experts to establish an E-commerce Guidance Task Force with the sole objective of developing guidance focusing on PCI DSS v4.x Requirements 6.4.3 and 11.6.1.
Merchants and service providers should continue familiarizing themselves with Requirements 6.4.3 and 11.6.1 while awaiting this additional guidance, as these controls are fundamental to addressing recent e-commerce breaches and securing e-commerce environments. Requirements 6.4.3 and 11.6.1 are part of the 64 future-dated requirements of PCI DSS v4.x, which are effective as of 31 March 2025. The new guidance document for stakeholders on how to meet these PCI DSS v4.x e-commerce requirements is expected in early 2025.
- Cyber Insurance:
What role does cyber insurance play in protecting businesses from liabilities related to PCI DSS non-compliance?
- Training and Awareness:
How can organizations foster a culture of compliance and security among their employees?
Nitin – The PCI Security Standards Council operates programs to train, test, and qualify organizations and individuals who assess and validate compliance, to help merchants successfully implement PCI standards and solutions.
- People are a critical part of keeping payment data safe and secure.
- To help with understanding, implementing and maintaining PCI Standards, PCI Council provides training for merchants, service providers, banks and their partners.
- Offered in e-learning and instructor-led formats.
The Payment Card Industry Professional (PCIP) Program provides training and qualification on implementing and maintaining PCI DSS to support ongoing security and compliance efforts. This individual, entry-level qualification in payment security information is a renewable career qualification that is not affected by changes in employment assignments and stays in effect if the individual continues to meet requirements. It also provides a great foundation for other PCI qualifications. PCIPs are listed in a searchable directory on the PCI SSC website.
The Internal Security Assessor program teaches you how to perform internal assessments for your company and recommend solutions to remediate issues related to PCI DSS compliance. Assessors are sponsored by their companies, so when you receive this qualification you will be able to act as a liaison with external PCI auditors and manage interactions with a Qualified Security Assessor (QSA).
The instructor-led training schedule for 2025 has been published and can be accessed here – https://www.pcisecuritystandards.org/program_training_and_qualification/pci-ssc-training-schedule/
- Future of Payment Security:
What emerging trends or technologies do you foresee shaping the future of PCI DSS compliance and payment security?
Nitin – Emerging technologies and innovation such as artificial intelligence (AI), biometrics, and cryptocurrencies are reshaping our industry, along with the rise in popularity of mobile payments and contactless transactions.
Threats such as malware, ransomware, and phishing attempts continue to increase the risk of security breaches.
As the payments industry changes at a lightning pace, it is more important than ever that payment security standards and supporting programs keep up with that change. As an industry, it is important that all sectors of the payment industry come together to address these challenges.
Collaboration is at the heart of the PCI SSC’s mission to secure payment data and that will continue to be the focus as we move into the future. By working together, we learn about threat trends and can adapt our standards while creating new ones to stay a step ahead of the criminals. Collaboration has remained a priority for PCI SSC as the payments industry itself has undergone transformative changes.
Interview Closing Note
Thank you for sharing your valuable insights on PCI DSS compliance and cyber law. This discussion highlights the critical importance of integrating robust security measures with a strong understanding of legal requirements to protect sensitive payment data effectively. As organizations navigate the complexities of compliance and evolving threats, your expertise provides actionable guidance for achieving resilience in this dynamic landscape.