Hectic race to meet Visa's PCI-DSS compliance deadline

We discuss Visa's global deadlines for PCI-DSS compliance and whether Indian banks, merchants and service providers will be able to meet the same.

If you are a bank, service provider or merchant dealing in Visa or MasterCard credit/debit cards, then you come under the ambit of PCI-DSS compliance requirements. Both payment brands, Visa and MasterCard, have set specific deadlines for banks, merchants and service providers to get compliant with PCI-DSS. In this article we discuss Visa's global deadlines for PCI-DSS compliance. The attempt is to find out whether Indian banks and merchants are well aware of these deadlines and have initiated steps to meet them.

From a budget perspective, getting management buy-in for PCI-DSS compliance is a major task for merchants.

Sameer Ratolikar
CISO, Bank Of India

Requirement related to merchants: Visa requires acquirers to provide an Attestation of Compliance (AOC) Form by September 30, 2010 for each of their Level 1 merchants, demonstrating that each merchant is PCI DSS compliant.

An acquirer could be the bank or entity that the merchant uses to process payment-card transactions. Volume-wise, a Level 1 merchant has been defined by Visa as a merchant processing over 60,00,000 transactions per year. Dharshan Shanthamurthy, Chief Consultant at SISA, believes that this deadline has been well communicated by the payment brands by way of mandate letters, apart from the many awareness sessions for member banks and other verticals. But Indian banks dealing in Visa cards, although aware of this PCI-DSS compliance deadline, may not necessarily be able to meet it.

Sameer Ratolikar, CISO of Bank of India, says: "I feel that this PCI-DSS compliance deadline is a tough call, given the scale and size of merchants involved." His reading is that it is difficult to hit the target unless the bank has started the exercise well in advance, as it takes at least six months to do the gap assessment and undertake remediation measures. Bank of India has already started discussions with its leading merchants and is sensitising them about the PCI-DSS compliance deadline.

Vishal Salvi, CISO, HDFC, says: "We are well aware of the PCI-DSS compliance deadline and we started to work on it nearly two-and-a-half years ago. But this deadline will be applicable to fewer Indian banks as the country itself has very few entities that qualify as Level 1 merchants. As far as HDFC Bank is concerned, we are tracking our Level 1 merchants and their compliance and expect to meet this deadline."

HDFC started the awareness and engagement a few years ago. The bank has also been ensuring that merchants build the necessary controls as prescribed by PCI-DSS.

Meeting this deadline essentially means that merchants will have to fill in the Attestation of Compliance (AOC) form and submit it to their banks, which in turn will submit it to Visa. The AOC can be completed by merchants either after a self-assessment or after a full-fledged audit by a third-party Qualified Security Assessor (QSA).

Shanthamurthy feels that, with regard to large merchants, compliance is in the process of taking off in India, while in Europe and the US it is in a fairly good state. What are the issues that merchants are grappling with? Salvi feels that the challenge lies in making merchants realise the benefits of the PCI-DSS compliance deadline and motivating them to achieve it. Ratolikar agrees with him and points out that it is very important to sensitise them about card data security, as their primary concern remains business. "From a budget perspective also, getting management buy-in is a major task for merchants," he says.

Requirement related to service providers: Third-party VisaNet processors (VNPs) and client VNPs acting as service providers will have to be certified as PCI-DSS compliant via an onsite review by a QSA by September 30, 2010.

A VNP is an entity that is directly connected to Visa via a VisaNet Extended Access Server (VEAS). The requirement essentially involves banks ensuring that their VNPs or service providers are PCI-DSS compliant. Both HDFC and Bank of India say their service providers are already compliant and will be meeting the deadline.

Suresh Dadlani, CEO at ControlCase, says: "Service providers have been quite aggressive in getting certified for PCI-DSS compliance and hence most of them in India are already on the right track." And Shanthamurthy adds: "The compliance deadline has been strictly enforced for service providers who are either BPOs (because it's a client mandate) or third-party processors, because of the mandate by many acquiring banks."

Requirement related to banks: They have to complete a PCI-DSS onsite review by September 30, 2011.

This essentially means that banks will have to complete their PCI-DSS audit through a QSA before the stipulated deadline. Dadlani believes that very few banks have actually taken any steps in the direction of certification. But he also adds: "Most banks' risk and compliance departments must have already started the exercise of gap analysis."

Many top private and public sector banks have taken up this initiative already, believes Shanthamurthy.

HDFC Bank and Bank of India have already initiated the process for meeting the PCI-DSS compliance deadline. To begin with, being a client acquiring VNP, HDFC Bank will send confirmation to Visa on whether prohibited data is stored post-authorisation. HDFC has not set itself a particular date for achieving compliance; however, it is confident about its commitment.

Bank of India, on the other hand, is on the verge of meeting the PCI-DSS compliance deadline. "We have finished the PCI-DSS related implementation and are waiting for the final certification. We went through a rigorous exercise to meet stringent requirements for protection of cardholder data," says Ratolikar. The bank had started the exercise in November 2009.

Shanthamurthy believes that the deadlines for banks are achievable provided they start early, as they would require time for remediation. A SISA global survey of 25 top banks undergoing PCI compliance revealed that banks take an average of 12 months to complete it. "It is imperative that Indian banks take up this initiative early," he concluded.
