Credit card cos set deadline, to fine issuers for security lapses

First Published: Tue, Aug 21 2007. 01 22 AM IST
Updated: Tue, Aug 21 2007. 01 22 AM IST
Credit card companies will crack down on issuers and retailers who fail to implement safer processing norms by January by imposing a one-time fine of between $5,000 and $500,000 (Rs2 lakh and Rs2 crore) depending on the size of the company, and in some cases, threatening to cancel the licence of the companies.
The process requires conformity by card issuing banks, service providers and merchant establishments with more than six million transactions a year.
Card transactions, both online and offline, could become safer if norms prescribed by the Payment Card Industry Security Standards Council (PCI-SSC) are implemented, say the top issuers.
The council comprises American Express, Discover Financial Services, JCB International Credit Card Co., MasterCard Worldwide and Visa International—the top card issuers in the world.
These measures could avoid data theft incidents similar to the case involving an Mphasis Ltd outsourcing unit around two years ago.
Four employees of Mphasis managed to get the personal identification number (PIN) from four CitiGroup customers during December 2004 and opened new accounts at Indian banks using false identities. Two months after opening the bank accounts, the employees transferred money from CitiGroup customers to these new accounts. Nearly $426,000 was stolen, though investigators managed to recover $230,000.
After complying with the proposed norms, a merchant establishment will have to swipe a customer’s card only once, instead of repeatedly. Nor will the card’s full number be displayed; part of it will be encrypted, making the card harder to misuse.
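The article says the full card number will no longer be shown. As an added example, not from the article or any company named in it, the Python below masks a primary account number (PAN) for display to the first six and last four digits, which is what PCI DSS permits, and scans constructed log lines for unmasked card numbers, the kind of check an assessor applies under the storage and logging requirements. The card numbers and log lines are constructed test data.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most first six and last four digits remain."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("not a plausible PAN length")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_unmasked_pans(line: str) -> list:
    """Return Luhn-valid PANs appearing in clear text in a log line."""
    hits = []
    for m in PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):   # drops order ids and other digit runs
            hits.append(digits)
    return hits


def scrub_line(line: str) -> str:
    """Replace every clear-text PAN in a log line with its masked form."""
    def _repl(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_repl, line)


# Constructed sample log lines; the PANs are published test numbers.
LOGS = [
    "2007-08-21 01:22:03 txn=10042 pan=4111111111111111 amount=1250.00 result=approved",
    "2007-08-21 01:22:09 txn=10043 pan=5555 5555 5555 4444 amount=99.00 result=declined",
    "2007-08-21 01:22:15 txn=10044 order=1234567890123 result=approved",
]

if __name__ == "__main__":
    for line in LOGS:
        print(find_unmasked_pans(line), "->", scrub_line(line))
```

The third line carries a 13-digit order id that the regex picks up but the Luhn test rejects, so only genuine card numbers are flagged and rewritten.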
Some firms have seriously taken up the implementation. A unit in the banking division of Satyam Computer Services Ltd is the first information technology major in India to get PCI’s Data Security Standard (DSS) certification.
“PCI compliance is mandatory for all the stakeholders in the credit card industry. We have two US-based banks as our customers. We will be getting more,” says Madhavrao Mavidi, project manager at Satyam, who looked into the implementation of PCI norms for the company.
“By 31 December, merchants and service providers involved in credit card processing should be compliant,” said Rohit Tripathy, director and founder-promoter of ControlCase, the first Indian IT security firm authorized by PCI to certify stakeholders in the credit card industry.
An email sent to Visa Asia Pacific’s office in Singapore and MasterCard’s office in Singapore, the regional headquarters, on new technologies and the impact of the new process, did not elicit a response.
ControlCase has already certified three firms in India and is in the process of certifying 15 additional firms for being PCI compliant. The 12 parameters include firewall security, platform security, safe storage of credit card data, secured transmission of data, encryption on networks, anti-virus, secured application development, login protection, user management and access controls, physical security, auditing and logging accesses, periodic maintenance functions, information security policies and human resources systems.
The time needed to achieve conformity could range anywhere between one week and six months, and the cost could run into a few lakh rupees in the case of a big bank.
“Getting PCI DSS (data security standard) certification involves putting in place encryption safeguards, reworking of network architecture and processes, and people-related checks,” says Tripathy. “In the next 18-24 months, more merchants will fall in the bracket of six million transactions a year,” said Srikiran Raghavan, regional head of RSA, the security division of EMC Corp., a provider of security solutions.
“We are a small company... (It) was a big challenge for us,” says Nishanth R., chief technological officer of E-Billing Solutions Pvt. Ltd (EBS), which is implementing the changes.
“PCI includes physical audit of establishment. With this kind of audit, the data cannot be saved or hacked into. It’s a confidence-building mechanism,” says Vishwas Patel, chief executive officer of, which says it handles 85% of Internet merchant transactions in India.