If you are a bank, service provider or a merchant dealing in Visa and MasterCard credit/debit cards, then you definitely come under the ambit of PCI-DSS compliance requirements. Both payment
Requirement related to merchants: Visa requires acquirers to provide an Attestation of
Compliance (AOC) Form by September 30, 2010 for each of their Level 1 merchants, demonstrating that
each merchant is PCI DSS compliant.
An acquirer could be the bank or entity that the merchant uses to process the payment-card
transactions. Volume-wise, a Level 1 merchant has been defined by Visa as a merchant processing
over 60,00,000 (6 million) transactions per year. Dharshan Shanthamurthy, Chief Consultant at SISA, believes
that this deadline had been well communicated by the payment brands by way of mandate letters, apart
from the many awareness sessions for member banks and other verticals. But Indian banks that are
dealing in Visa cards, although aware of this PCI-DSS
compliance deadline, may not necessarily be able to meet it.
Sameer Ratolikar, CISO of Bank of India says: "I feel that this PCI-DSS
compliance deadline is a tough call, given the scale and size of merchants involved." His
reading is that it is difficult to hit the target unless the bank has started the exercise well in
advance, as it takes at least six months to do the gap assessment and undertake remediation
measures. Bank of India has already started discussions with its leading merchants and is
sensitising them about the PCI-DSS compliance deadline.
Vishal Salvi, CISO HDFC says: "We are well
aware of the PCI-DSS compliance deadline and we started to work on it nearly two-and-a-half
years ago. But this deadline will be applicable to fewer Indian banks as the country itself has
very few entities that qualify as Level 1 merchants. As far as HDFC Bank is concerned, we are
tracking our Level 1 merchants and their compliance and expect to meet this deadline."
HDFC started the awareness and engagement a few years ago. The bank has also been ensuring that
merchants build the necessary controls as prescribed by PCI-DSS.
Meeting this deadline will basically mean that the merchants will have to fill in the Attestation of Compliance
(AOC) form and submit it to their banks, which in turn will submit it to Visa. The AOC can be
completed by merchants either after a self-assessment or after a full-fledged audit by a third-party
Qualified Security Assessor (QSA).
Shanthamurthy feels that with regard to large merchants the compliance is in the process of taking
off in India, while in Europe and US it is in a fairly good state. What are the issues that
merchants are grappling with? Salvi feels that the challenge lies in making merchants realise
the benefits of PCI-DSS compliance and motivating them to achieve it before the deadline.
Ratolikar agrees with him and points out that it is very important to sensitise them about card
data security, as their primary concern remains business. "From a budget perspective also, getting
management buy-in is a major task for merchants," he says.
Requirement related to service providers: Third-party VisaNet processors (VNPs) and client
VNPs acting as service providers will have to be certified as PCI-DSS compliant via an onsite review
by a QSA by September 30, 2010.
A VNP is basically an entity that is directly connected to Visa via a VisaNet Extended Access
Server (VEAS). The requirement essentially calls for banks to ensure that their VNPs or
service providers are PCI-DSS
compliant. Both HDFC and Bank of India say their service providers are already compliant and
will be meeting the deadline.
Suresh Dadlani, CEO at ControlCase, says: "Service providers have been quite aggressive in getting
certified
for PCI-DSS compliance and hence most of them in India are already on the right track."
Shanthamurthy adds: "The compliance deadline has been strictly enforced for service providers who
are either BPOs (because it's a client mandate) or third-party processors, because of the mandate by
many acquiring banks."
Requirement related to banks: They have to complete a PCI-DSS onsite review by September 30,
2011.
This essentially means that the banks will have to complete their PCI-DSS
audit through a QSA before the stipulated deadline. Dadlani believes that very few banks have
actually taken any steps in the direction of certification. But he also adds: "Most banks' risk and
compliance departments must have already started the exercise of gap analysis."
Many top private and public sector banks have taken up this initiative already, believes
Shanthamurthy.
HDFC Bank and Bank of India have already initiated the process for meeting the
PCI-DSS compliance deadline. To begin with, as a client-acquiring VNP, HDFC Bank will send
confirmation to Visa on whether prohibited data is stored post-authorisation. HDFC has not set itself
a particular date for achieving compliance; however, it is confident about its
commitment.
Bank of India, on the other hand, is almost on the verge of meeting
the PCI-DSS compliance deadline. "We have finished the PCI-DSS related implementation and are
waiting for the final certification. We went through a rigorous exercise to meet stringent
requirements for protection of cardholder data," says Ratolikar. The bank had started the exercise
in November 2009.
Shanthamurthy believes that the deadlines for banks are achievable provided they start early, as
they would require time for remediation. A SISA global survey of 25 top banks that are undergoing PCI
compliance revealed that banks take an average of 12 months to complete PCI compliance. "It is
imperative that Indian banks take up this initiative early," he concluded.
