Financial Services is one of the most heavily regulated industries there is. Outsiders often find their compliance requirements difficult to understand and interpret – an absolute minefield. But there are some real lessons organisations and their personal dataInformation which relates to an identified or identifiable natural person. and privacy professionals can learn from the latest Payment Card Industry Data Security Standard, the “PCI DSS”.
Card fraud is a massive problem. Nilson has estimated that by 2020, worldwide card fraud will be a US$31 billion issue.
The PCI DSS is the information security standard all businesses taking payments through debit or credit cards are required to follow to prevent card fraud. The most current version, 3.2, was introduced in February 2018 – it’s a vital enabling standard for ecommerceThe buying or selling of products or services online., business and banking.
Credential Stuffing Attacks are a major factor in card fraud. A cyber attacker makes large scale automated login requests against a web application using stolen account credentials (usernames, email addresses and associated passwords). These credentials often fall into the hands of attackers after large scale data breaches.
The Shape Security (2018 credential stuffing analysis) highlighted that typically 80-90% of traffic to an on line retailer’s site is made up of credential stuffing attacks. With this level of traffic, it’s essential the card industry does everything it can to protect against the threat.
The report estimates potential losses to the US consumer banking industry due to stuffing attacks could be as high as $50 million per day.
To help protect against these attacks the PCI Security Standards Council identified twelve data security steps that all businesses, regardless of revenue or volume of transactions, should adhere to:
The principles are clearly written, simple and straightforward – you don’t need to be a Financial Services expert to follow them.
The PCI DSS is primarily aimed at securing card data – but the principles are directly relevant and transferable to the protection of personally identifiable information. Why should “personal data” be treated any differently from card data? – both are sensitive and valuable.
Simply adding the word “personal” to each “data” reference throughout the 12 Step Code makes a great set of guidelines for managing personal data and ensuring compliance with the GDPR and Data Protection Act 2018The Data Protection Act 2018 is a United Kingdom Act of Parliament which updates data protection laws in the UK (and supersedes the Data Protection Act 1998), and implemented the GDPR into UK legislation.:
…..And so on..
The PCI DSS is a great example of how two regulations originating from different industries can work together. If we treat personal data as we’d expect our own card details to be treated, then we won’t go far wrong.
To find out more about how our Data Protection Services can help you please contact us