"Identity Theft has Come into Prominence"
Sep 28, 2007
Srikiran Raghavan, regional manager (sales) of RSA, the security division of EMC, talks to Abhinna Shreshtha about the need for the Data Security Standards (DSS) and how it can prove to be beneficial to users and enterprises alike
The idea of DSS has been around for quite some time, so what is the need for it being felt more strongly now?
There has been an increase in the availability and use of point-of-sale systems, from a retail perspective, as well as of online services in the past few years, which has led to an increase in the use of credit cards. At the same time, the phenomenon of identity theft has also come into prominence, especially in the case of credit cards. Such fraudulent activities lead to a complete chain of revenue loss, affecting the customers as well as the issuing organization and the merchant.
More importantly, until the time this fraud is brought to notice, the stolen information can be used multiple times. This is the issue which the DSS aims at addressing. It is basically about making merchants and all others involved in the chain of transactions accountable for protecting credit card information and reducing the compromise of information due to inadequate control or governance. The founding organizations felt the need for a standard platform on which to communicate with their participating entities, and from this need the PCI-DSS was born.
What are the compliance demands of DSS?
There are several, the most important being data protection. The organization is expected to identify the various places where the information could potentially reside within the organization, and the places where it has been shared externally. They should then take steps to secure these places. But as a bare minimum, organizations should at least have a security management process and framework to monitor data on an ongoing basis. Any organization that accepts, processes or stores credit card information is accountable for meeting the compliance demands of the DSS.
Are organizations of all sizes and in all sectors expected to conform to the same set of guidelines?
The standards are the same for everybody. All organizations are expected to follow each and every one of the standards. However, the timeframes differ depending upon the volume of transactions carried out by the organization.
Why is the PCI confident of the success of these guidelines? What do organizations stand to gain by meeting the compliance standards?
Consumer satisfaction is always the main criterion for organizations. If you want consumers to continue to work with you, you must show them that you are taking the necessary steps to safeguard their personal information. From the merchants' perspective, the more effort you put into protecting data, the lower the chances of getting hit by charge-backs. There are other benefits that the program offers to the participants; for example, as an incentive to merchants, lower interchange-exchange rates are offered to them if they meet the compliance standards. At the same time, there are penalties in case compliance isn't met.
The additional incentives in terms of transaction volumes for large merchants could reach between USD 5,000 and USD 10,000.
What is the role of the PCI certified auditors and who are the auditors in India?
There can be very little ambiguity in terms of the format and the phases in which these standards are implemented. In order to make this easier for the enterprises and organizations, certified auditors have been appointed who are involved in guiding the process. They will not only benchmark the position of the organization with respect to the standards, but will also guide them in chalking out an appropriate plan to meet the standards. ControlCase is one of the auditors in India, in addition to 2-3 other auditors.
There have been certain criticisms of the DSS, such as that it is too broad in some aspects and too detailed in others. The time taken for concrete implementation of the standards has also been criticized. Do you think these complaints are justified?
Any legislation at the onset, because of the way in which it impacts people's day-to-day operations, will always pose challenges. Meeting the extremely granular and detailed expectations of the guidelines is definitely a challenge. Besides, the guidelines certainly have some shortcomings, but what is important is that they evolve according to the feedback obtained from the community that is recommending the change and the community that is impacted by the change. In fact, we can now see that concrete steps are being taken to implement these standards, with deadlines being set. Penalties have also started to be levied on the organizations that were unable to meet the deadlines.