Zenta, a US-focused financial services business process outsourcing (BPO) provider that handles confidential credit card transactions for its clients, found it imperative in January 2008 to secure and protect its clients' data. To that end, Zenta's India office pursued Payment Card Industry Data Security Standard (PCI DSS) certification. "We went in for PCI DSS purely on grounds of compliance requirements. We deal in credit card-related processes of US multinationals, for which PCI DSS certification is a must," says Vaibhav Patkar, the chief security officer of Zenta.
Established in 2001, the Zenta Group offers services related to credit cards, consumer banking, healthcare and insurance. To achieve PCI DSS certification, the company first needed to understand which PCI DSS requirements it already met and which it did not. It hired ControlCase, a US-based governance, risk and compliance (GRC) provider with operations in Mumbai, which is also a Qualified Security Assessor (QSA) accredited by the PCI Security Standards Council, as its consultant. The consultant mapped Zenta's infrastructure against the 12 requirements of the PCI DSS standard and identified the areas where it needed to add controls. Zenta achieved PCI DSS certification in December 2008. Join us as Patkar gives us a detailed tour of the areas that Zenta focused on.
PCI DSS focus area: Build and maintain a secure network
Requirement 1: Maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Zenta already had these PCI DSS requirements in place, but they needed to be documented. Patkar feels that a company must have basic security infrastructure such as a firewall or IPS in place if it wants quick PCI DSS certification. The company was also required to make minor configuration changes to its firewalls and intrusion detection system. Fortunately, Zenta did not have any wireless network in place; PCI DSS subjects wireless networks to stringent controls.
PCI DSS focus area: Protect card-holder data
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
As per PCI DSS requirements, a company can store credit card data only in encrypted form, and it cannot save CVV numbers in any form, Patkar informs. Zenta ran a discovery tool that applies the Luhn check digit formula to locate every credit card number held on its systems. "We wiped out credit card data where not required, and encrypted it in critical areas," says Patkar. For Requirement 4, Zenta always uses an encrypted VPN tunnel to connect with clients.
PCI DSS focus area: Maintain a vulnerability management program
Requirement 5: Use and regularly update antivirus software
Requirement 6: Maintain secure systems and applications
Zenta has a team in place to regularly update the antivirus. Antivirus software now comes with a master server that pulls signature updates from the vendor and distributes them to the endpoints.
PCI DSS focus area: Implement strong access control measures
Requirement 7: Restrict access to cardholder data by need-to-know
Requirement 8: Assign a unique ID to each person with computer access
Requirement 9: Restrict physical access to cardholder data
In terms of physical security, Zenta already had controls in place. The whole office premises are covered by CCTV cameras, and each floor at Zenta has its own entry controlled by an access card. On the logical side, one of the requirements is to avoid generic (shared) user IDs. "We kept generic IDs that were really needed and wiped out the rest," says Patkar. Every month the company reconciles user access against its access policies.
PCI DSS focus area: Regularly monitor and test networks
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Zenta had to prepare documents explaining its connectivity with various clients. It also went in for a simple log monitoring and analysis tool. The company tied up with a security vendor for vulnerability assessment and penetration testing; PCI DSS mandates vulnerability scans at least quarterly, with penetration testing at least annually and after significant changes.
Requirement 12: Maintain a policy that addresses information security
Proper documentation is key to successful PCI DSS certification. Although Zenta had an information security policy, it required tweaking to adhere to PCI DSS requirements. The standard also mandates a yearly policy review and regular awareness activity. After creating security posters and wallpapers, Zenta plans online awareness sessions that employees can take at their convenience but must complete once every six months.
Zenta went in for two PCI DSS audits: a pre-assessment and a final audit. A company can also go directly for a final audit. At the pre-assessment the auditor suggested improvements; after implementing these, Zenta went in for the final PCI DSS audit, and in December 2008 the company was certified as PCI DSS compliant. PCI DSS has brought extra confidence to Zenta's security team and has also helped the company build confidence among clients and win more business.