Last updated: 11 July 2019
In the last few years, India has witnessed a significant uptick in credit and debit card payments. As per India’s banking regulator Reserve Bank of India’s (RBI’s) data, both debit card and credit card transactions at Point of Sale (PoS) terminals have risen over 27% in March 2019 compared to the corresponding period a year ago.
While debit card transactions at PoS terminals stood at 407 million in March 2019 against 318 million in March 2018, credit card clocked 162 million PoS transactions in March 2019 against 127 million transactions in March 2018.
The increased usage of card payments has come with its own set of cybersecurity challenges and to protect cardholders from fraudulent card transactions, RBI periodically notifies banks on the various cybersecurity measures it needs to carry out. Failure to adhere to RBI’s cybersecurity mandates results in hefty penalties as found out by Indian Bank last year when RBI imposed a penalty of 10 million rupees ($139,000) on it for failing to adhere to the mandated cybersecurity guidelines.
Amongst other cybersecurity measures, data encryption features as one of the most prominent measures propagated by RBI to protect customers’ sensitive data. In its advisory titled ‘Report of the Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds’, RBI mandates that:
“Banks should encrypt customer account and transaction data which is transmitted, transported, delivered or couriered to external parties or other locations, taking into account all intermediate junctures and transit points from source to destination.”
What this mandate essentially means is that encryption should be implemented not only for data-at-rest, but also for data-in-motion, and at all instances of data storages. In the context of cardholders’ data, this guideline mandates that no card data should flow in clear text anywhere – even within the banks’ internal systems like databases, applications, storage or VM files/folders.
Below are 3 best practices that banks should adopt to comply with RBI’s mandate:
1. Encrypt The Transmission Of Cardholders’ Data Across Networks
Apart from encrypting cardholders’ data that resides within its internal systems, banks should ensure that they encrypt the data when it is in motion i.e. when it is transmitted from internal systems to external systems over public networks.
To ensure that cybercriminals do not intercept and tamper their cardholders’ sensitive data, banks should adopt secure file transfer protocols like SSH File Transfer Protocol (SFTP) or File Transfer Protocol With SSL Security (FTPS).
Additionally, banks should ensure that they have robust systems in place that accurately verify the encryption keys and digital certificates used during data transmissions, and that these keys and certificates are securely stored in Hardware Security Module (HSM) devices and centrally managed through a Key Management Platform to prevent them from falling into the wrong hands.
2. Implement Role-based Access Controls
Access to cardholders’ sensitive data should be strictly on a ‘need-to-know’ basis. While front line defense mechanisms like firewalls and anti-virus deter cyber attacks, data thefts through unauthorized access are very much possible.
To ensure that only key people are authorized to access cardholders’ data, banks should implement strict access control policies that grant access rights to only those people who need it to perform their duties.
3. Identify and Authenticate Access
In addition to role-based access, banks should put in place systems and policies that accurately identify and authenticate access to the sensitive cardholders’ data.
Every user that has access to cardholders’ data should be assigned a unique User ID that can be centrally tracked for determining the exact time it was used to access the data. This would allow banks to cohesively view the audit trail and accurately identify the perpetrator in the event of data theft.
While User IDs and passwords are a bare minimum, banks should also use additional security mechanisms like SSH keys and multi-factor authentications when accessing sensitive data from external networks.
To Sum It Up
Encrypting cardholders’ data is not only a good practice to prevent data breaches, but also a regulatory mandate that card-issuing banks have to comply to. Failure to comply with RBI’s data encryption mandate will not only result in hefty financial penalties but also significantly erode customers’ trust in the event of a cyber attack.
As the global leader in digital security, Thales Cloud Protection & Licensing has been working very closely with leading banks across the globe to breach-proof their customers’ sensitive data.
Learn more about Vormetric Data Security Platform which offers comprehensive data security solutions that can be quickly deployed to deliver advanced encryption to strengthen data security and meet regulatory compliances.