BFSI: PCI and other Regulatory Requirements

The banking industry is undergoing a digital transformation, with more and more financial transactions taking place online and an increasing volume of sensitive financial data being handled by banks. This shift towards digital banking has brought about many benefits, such as increased convenience and accessibility for customers, but it has also introduced new challenges, particularly in terms of cyber security.

To address these challenges, the Reserve Bank of India (RBI) has recently released new guidelines for cyber security for banks operating in India. These guidelines aim to strengthen the security infrastructure of banks and protect sensitive financial information from cyber threats. Compliance with these guidelines is mandatory for all banks and failure to do so may result in penalties and fines. Some of these circulars referred below for the reference. Please note that, these circulars might be got revised later years, without intact the original requirements.

Regulator		Subject	Circular Number
RBI	Storage of Payment System Data		DPSS.CO.OD.No 2785/06.08.005/2017-18 dated April 06, 2018,
RBI	Guidelines on Regulation of Payment Aggregators and Payment Gateways		DPSS.CO.PD.No.1810/02.14.008/2019-20 March 17, 2020 (Annexure 2)
RBI	Cyber Security Framework in Banks		DBS.CO/CSITE/BC.11/33.01.001/2015-16 June 2, 2016
RBI	Master Direction - Information Technology Framework for the NBFC Sector		Master Direction DNBS.PPD.No.04/66.15.001/2016-17 June 08, 2017
RBI	Guidelines on Information security, Electronic Banking, Technology risk management and cyber frauds		DBS.CO.ITC.BC.No. 6/31.02.008/2010-11 April 29, 2011
RBI	Master Direction on Digital Payment Security Controls		DoS.CO.CSITE.SEC.No.1852/31.01.015/2020-21 February 18, 2021
RBI	Basic Cyber Security Framework for Primary (Urban) Cooperative Banks (UCBs)		DCBS.CO.PCB.Cir.No.1/18.01.000/2018-19
RBI	Master Direction - Information Technology Framework for the NBFC Sector		DNBS.PPD.No.04/66.15.001/2016-17 June 08, 2017
RBI	Membership of Credit Information Companies (CICs)		DBR.No.CID.BC.60/20.16.056/2014-15 January 15, 2015

In addition, the Indian government has also enacted Digital Personal Data Protection Bill, 2022, which lays down the framework for protection of personal data of individuals and makes it mandatory for organizations to comply with it. Banks are also under obligation to comply with the bill.

To meet most of the Security requirements and best practices mentioned in the above guidelines, as a starting point, banks may take some of the global standards/frameworks for implementation such as PCI DSS, ISO 27001 Etc., to protect sensitive customer information and ensure compliance with industry standards and regulatory requirements.

• PCI DSS (Payment Card Industry Data Security Standards) is a set of security standards that apply to organizations that accept credit and debit card payments. Compliance with these standards is mandatory for all banks that accept card payments and failure to do so can result in significant fines and penalties.
• ISO 27001 is an information security management standard that outlines the requirements for an information security management system (ISMS). Compliance with this standard demonstrates a commitment to protecting sensitive information and managing risk effectively.
• In addition to these specific compliance requirements, it is also important for banks to implement good cyber security practices to protect against a wide range of potential threats. This includes activities such as regular security testing, incident response planning, and employee education and awareness programs.

Not meeting these compliances can put the bank at significant risk. Failure to comply with PCI DSS can result in significant fines and reputational damage, while a lack of an effective ISMS can lead to data breaches and loss of sensitive customer information. Inadequate cyber security practices can also lead to costly data breaches and loss of customer trust.

Role of the C-Level Management:

As a CISO or CIO of a bank, the protection of sensitive customer information and compliance with industry standards and regulatory requirements is of the utmost importance. One of the keyways to ensure this is through compliance with PCI DSS, ISO 27001 and implementing good cyber security practices.

Key message for CISOs and CIOs to consider when implementing compliance with PCI DSS, ISO 27001 and good cyber security practices include:

• Compliance is not optional it is mandatory for maintaining the safety and security of customer data
• By implementing these standards, you are demonstrating a commitment to protecting sensitive information and managing risk effectively
• Regular security testing, incident response planning, and employee education and awareness programs are essential for maintaining good cyber security practices

As a CISO or CIO, it is important to take a proactive approach to compliance and implement regular security testing, incident response planning, and employee education and awareness programs to ensure that the bank's information and assets are protected.

To achieve these compliances, the bank's higher management should take the following additional activities:

• Regularly conduct Risk Assessments and Gap Analysis
• Implement Information Security Risk Management.
• Regularly conduct penetration testing and vulnerability assessment
• Regularly conduct security training for employees
• Implementing a robust incident response plan
• Regularly conduct internal and external audit.

In conclusion, compliance with PCI DSS, ISO 27001 and good cyber security practices is essential for protecting sensitive customer information and maintaining the safety and security of the bank's infrastructure.

Scope of PCI DSS in General Banking Environment:

The Payment Card Industry Data Security Standards (PCI DSS) applies to all organizations that accept, process, store or transmit credit card information. Banks are required to comply with the PCI DSS to protect sensitive customer information and ensure the security of cardholder data.

In a bank, the major function that handles credit and debit card information is typically the card services, payment processing, Back Office etc. This services responsible for storing, transmitting, and processing card-related data.

The following areas, functions, and processes within a bank should be compliant with PCI DSS:

1. Cardholder data environment (CDE): This includes all systems and networks that store, process, or transmit cardholder data, including servers, databases, applications, and point-of-sale terminals.
2. Network infrastructure: This includes routers, switches, firewalls, and wireless networks that are used to connect the CDE to the rest of the bank's systems and networks.
3. Security controls: This includes firewalls, intrusion detection and prevention systems, and other security devices that are used to protect the CDE from unauthorized access.
4. Access controls: This includes procedures for controlling access to the CDE, such as user authentication and authorization, and physical security measures to prevent unauthorized access to the CDE.
5. Vulnerability management: This includes regular vulnerability scans, penetration testing, and vulnerability management to identify and remediate vulnerabilities in the CDE.
6. Incident response: This includes incident response procedures that are in place to handle security breaches and other security incidents.
7. Compliance and reporting: This include regular compliance testing and reporting to ensure that the bank is in compliance with the PCI DSS.

The new guidelines underscore the importance of digital transformation and the need for banks to take proactive measures to protect their customers' information. Banks must now invest in advanced technology and security systems to safeguard the increasing volume of financial data they handle. This includes implementing multi-factor authentication, encryption, and intrusion detection systems, as well as regular security audits and assessments.

How QRC Can support Banks to meet these requirements:

1. Being a PCI QSA Company, QRC support banks to Attain, Maintain, Retain PCI Compliances.
2. Being a Cert-In Empanelled vendor, QRC Perform all types of Security Configuration Audits, Perform Vulnerability and Penetration testing on all bank critical assets like Networks, Servers, Applications and Other security Solutions.
3. Having Qualified CISA Auditors, we can perform Information Systems and Cyber security assessments for the bank as per the requirement.
4. Being a ISO Certification body, QRC Can Perform ISO 27001, ISO 27701 standards assessment and certify the banks for these compliances.
5. QRC Can deploy proprietary GRC Platform called QRCAssist, for Managing all Compliances and effectively monitor the projects at levels within the Banks. Which also helps the banks to manage their day to day security functions and all audit data can be managed centrally.

In terms of PCI DSS Compliance QRC can support in the ways:

1. Guiding Bank to determine the PCI DSS Scope and document the Card Data Flows.
2. Perform readiness assessment w.r.t. PCI DSS Standard and Identify the gaps.
3. Provide Remediation Plans for closing the Gaps
4. Remediation Support while implementing PCI DSS Controls within the Banking environment.
5. Conducting PCI Trainings for stakeholders
6. Performing VA and PT and Application Security Testing
7. Help the process owners to document required Policies, Procedures
8. Perform PCI DSS Final Assessment and Issue the PCI DSS Certification.

The digital transformation of the banking industry is here to stay, and it is vital that banks take the necessary steps to protect their customers' information. By complying with the RBI's guidelines and investing in advanced security systems, banks can ensure the safety and security of their customers' financial data and maintain their trust in the digital age.