PCI: Why Indian Banks Say Compliance Remains Priority
But Will Push for Cardless Payments Make PCI-DSS Obsolete 10 Years from Now?
As the Payment Card Industry Security Standards Council turns 10 this year, an assessment of its ongoing impact indicates that a majority of Indian banks and the payments industry continue to deem compliance with the PCI Data Security Standard a priority. But security leaders question whether the DSS will remain viable 10 years from now, as the Indian market pushes for more contactless payments.
PCI compliance is an accepted expectation for U.S.-based retailers; in India, both banks and merchants have subscribed to the need for compliance, experts say.
"In the last seven years, the industry's witnessed PCI-DSS evolving dynamically from version 1.0 to version 3.2; those who absorbed the 12 elements of the standard have successfully protected critical information and data," says Nitin Bhatnagar, head of business development for SISA Information.
"Indian organizations have embraced [PCI-DSS] in a big way, establishing service provider compliance, merchant compliance, frameworks for risk assessment, and security testing for both network and application layer perspectives," he says.
Security leaders believe the new Unified Payment Interface service, launched by National Payment Corp. of India in April, will challenge PCI-DSS. The UPI service enables bank account holders to send and receive payments using mobile devices by relying on a single virtual identifier, such as a 12-digit PIN, mobile-phone number or virtual payment address.
Similarly, RBI's Bharat Bill Payment System, which was rolled out last summer, also will impact PCI compliance, they say. Bharat is an integrated bill-payment system offering interoperable and accessible online bill payment, which will help facilitate cross-border payments.
As the industry moves toward more online- and mobile-based payment systems, banks are under pressure to ensure data privacy and adopt more cardless transactions.
Security leaders believe that over the past two years, the Indian financial sector has witnessed a new age of payments, with many changes in the mobile realm.
Contactless payments, such as those based on near-field communication and radio-frequency identification, are feeding an explosion of mobile payments in India. Mobile payments, facilitated by emerging platforms like Apple Pay, Google Wallet and Samsung's LoopPay, and even payments through social media sites, are rapidly changing the payments landscape in India.
For security practitioners, however, payments innovation has only increased the challenges: consumers and enterprises have embraced these new methods so quickly that the result is disruptive innovation, says Ashok Agarwal, Head of Division IT Audit, DCB Bank.
"In the next two to three years, Indian consumers will use virtual cards instead of physical cards, requiring a new compliance mechanism beyond PCI-DSS," Agarwal says.
Dr. A Rajendran, CTO at the National Payments Corp. of India, an umbrella organization for all retail payments systems in India, agrees that the new payment architecture cuts across the cash-on-delivery model Indians traditionally embrace, and that virtual cards are gaining momentum.
"In future, under the UPI framework, a customer's mobile number will be the key identity token for several applications," he says. This will help banks expand their delivery channels beyond their own infrastructure, Rajendran adds.
Bhatnagar says the rise of smartphones, payment bank licenses to private players, the payment transfer service UPI and other innovations will lead to disruption.
Compliance with regulatory requirements like RBI audits, which ensure timely detection of irregularities and security lapses, IT security audits and standards such as the PCI-DSS will be challenged by future payment methods, Bhatnagar says.
DCB Bank's Agarwal believes revision of prepaid payments instrument guidelines, designed to streamline retail payments, by banking regulators in India also will drive new forms of transactions, such as those paid through mobile wallets and even chip cards.
Beginning in January, RBI has mandated that Indian banks issue PIN-enabled EMV debit and credit cards to new customers. RBI has extended its recommended EMV issuance deadline from Sept. 1, 2015, to Sept. 30, 2016. Indian banks have until Dec. 31, 2018, to convert ATMs for EMV acceptance.
According to Rajendran, all RBI circulars are mandates. However, he says, "Some banks take extension beyond the timelines and RBI also extends timelines based on progress."
Rajendran says Pradhan Mantri Jan-Dhan Yojana cards [a scheme introduced by the Prime Minister to ensure access to financial services for more citizens] may be excluded from the EMV migration mandate. Ultimately, the decision will be up to RBI, he adds.
Tom Wills, director of Ontrack Advisory, a consulting firm focused on payments innovation, says it's hard at this point to say which way RBI will go on the exclusion of these cards.
"RBI may exact progressively severe penalties for non-compliance, such as fines, imprisonment of executives, and revocation of a company's authorization to operate a payment system," Wills says.
Specific fines for non-compliance are imposed on banks in line with RBI's circular relating to the Payment and Settlement Systems Act of 2007.
But Wills says enforcement of those penalties is at the discretion of RBI, and the regulator might choose to be lenient.
"By extending the deadline, RBI displays a positive gesture in aligning with the industry, signaling that it's willing to work with the industry in implementing the conversion over to EMV," he adds.
Ultimately, all of this means magnetic-stripe data will be around for the foreseeable future, similar to the U.S., reiterating the need for PCI compliance.
National Payments Corp.'s Rajendran says the trend toward EMV is impacting the PCI-DSS framework.
"As banks replace ATMs with new EMV capabilities - a big investment - PCI standards must provide innovative authentication technology for the point-of-sale part of the transaction," he says.
Agarwal believes introducing blockchain technology also will disrupt the card-based compliance mechanism. "There is huge scope in understanding the potential of blockchain technology as the demand for contactless mobile payments mechanisms increases; it's only a matter of time: RBI has asked IDRBT to study the benefits of the blockchain technology and submit a report soon."
Against this backdrop, Agarwal says, "With consumers adopting quickly, the relevance of PCI-DSS to the payments innovation will come under scrutiny."