Tuesday, February 21, 2017

Selecting a qualified security assessor for banks, financial institutions


The recent ATM security data breach in the SAARC Region is an alarming situation: banks and financial institutions need to start thinking about, and focusing on, safeguarding their systems to avoid similar breaches in future.

Media reports have stated that the breach may have affected 3.2 million debit cardholders.

The data breach has been linked to a serious compromise of a leading payment card processor in India, which in turn has raised a serious alarm for the entire payment card industry and leaves us with the thought that we have to rethink security, not just compliance. The card processor was said to be following the Payment Card Industry Data Security Standard (Version 3.2), also known as PCI DSS, which is intended to safeguard cardholder data.

However, the majority of companies are still not in full compliance with the PCI DSS standard. The PCI standard is very effective in reducing breaches if we understand the intent behind each requirement and implement the requirements properly; doing so with the support of a Qualified Security Assessor of good standing would help organisations prevent a similar breach from occurring.

“Security and not just compliance”: as an industry we should admit that we have lost sight of the importance of information security and have started focusing on compliance alone, compromising on security because of cost, lack of technical expertise and slow adoption of new technologies.

Payment card processors, merchants, banks and payment gateways are usually expected to comply with the Payment Card Industry Data Security Standard (PCI DSS), a code of security best practice designed to guard against external and internal attacks and to stop hackers who penetrate the network, database and application servers from obtaining cardholder details. PCI DSS is an information security standard aimed at creating an additional level of protection for card issuers and acquirers by ensuring that merchants, third-party payment processors and payment gateways meet a minimum level of security while they store, process and/or transmit cardholder data.

The PCI DSS audit should always be seen as a security consulting assessment, rather than just an audit to obtain a certificate or a piece of paper. A successful engagement starts with choosing the right Qualified Security Assessor: the organisation should select someone who impresses you with their competence and has the bandwidth to work well with your team. We should never hide any facts or past history from our Qualified Security Assessor. There are a few things to consider when hiring a Qualified Security Assessor to conduct the PCI DSS audit and certification exercise.

Industry Best Practices for Implementing PCI DSS

1. Implement payment security best practices (such as the PCI DSS, PA-DSS and PCI PIN standards) effectively.

2. Payment security training such as CPISI should be made mandatory for all individuals inside a payments organisation, including the organisation's CISO and security managers.

3. Don't let your procurement teams choose your security auditor. Focus on deep payment security expertise rather than only on cost.

4. Technology is only as good as its implementation. Focus on effective implementation and do not become complacent by just installing a black box in your environment.

5. Senior management should play a large role in shaping the payment security strategy for the organisation, as it affects their brand reputation.

Five key steps to select a Qualified Security Assessor (QSA)

First and foremost, it is vital to research and identify a Qualified Security Assessor organisation that has a good standing in the market. Verification can be done on the PCI SSC website. Avoid going with the lowest-cost vendor.

A Qualified Security Assessor with a higher-priced proposal might actually end up saving you money in the long run.

Secondly, a reference check on a Qualified Security Assessor organisation with companies in your industry that have experience working with them will help you a lot in reaching a sound decision.

Thirdly, if a vendor guarantees that you will be compliant within 6 to 8 months and commits to a specific date, you need to be cautious about that person or company immediately. If you select them and a breach happens, you are the one who will be held responsible for the breach, and the damage will be to your company's reputation and market share.

Fourthly, the engagement should be structured so that the Qualified Security Assessor or consultant is onsite and dedicated to conducting the assessment and providing remediation support to the organisation, in order to improve the chances of getting the organisation compliant; on the other hand, some of the work, such as drafting and reviewing documentation, can be done remotely.

Lastly, you should interview the Qualified Security Assessor face to face and confirm that he or she possesses the security specialist qualities described above.

(The writer is Business Development Head, SISA (Sri Lanka and SAARC Region).)
