Regulations on CDR

Introduction

The whole world is shifting towards a cashless economy, with innovative payment transaction systems such as UPI payments, card payments, etc. These payment systems require processing, storage, and movement of millions of cardholders data which is crucial for any successful transaction.

And therefore to maintain the credibility of this payment ecosystem, security or secure movement and processing of cardholders data becomes paramount. Entities involved in a payment ecosystem are responsible for the security of cardholders data. Security is also important because if breaches happen in cardholders data it would amount to financial loss. Fraudsters are attempting smart ways to leverage any kind of security loopholes in the payment system.

So these entities which are involved in the payment ecosystem need to maintain some security standards set by one council of network providers in the payment industry popularly known as the Payment Card Industry Security Standard Council.

Overview of what is PCI and PCI DSS Compliance

Earlier every network providers in the payment industry have their own set of security standards but later they all together i.e., Visa, Mastercard, American Express, Discover, and JCB constituted an independent body to come up with comprehensive security standards like PCI DSS, PA DSS, PCI-PTS, etc.  And these network providers ensure the enforcement of the security standards by putting conditions on services being provided to the merchant or acquirer bank.

In other words, PCI DSS particularly is the global standard that provides a baseline of technical and operational requirements designed to protect account data. PCI DSS is a security standard specially designed for merchants and service providers in the payment ecosystem to protect the cardholders data against any fraud or theft.

It applies to all the entities including third-party vendors which are involved in processing storing and transmitting cardholders data. In organization, even all CDE (Card Holder Data Environment) including system components or network component that stores and process cardholders data, has to comply with all the requirements of PCI compliance.  Recently PCI has released a new version of PCI DSS v4.0 a few months ago with certain changes from the previous version after three years of the review cycle.

12 Requirements of PCI DSS

This is the most important part of PCI DSS as following these requirements can make any organization to some extent PCI compliant. So what are these requirements:

• Installing firewalls or maintaining security controls in the networks
• Use strong password in order to secure the CDE( Card holders data environment)
• Protection of cardholder data
• Encrypting the cardholder data during transmission over an open and public network.
• Timely detection and protection of the cardholders data environment from any malicious activity or software.
• Regular updating the software thereby maintaining a secure system.
• Rule of business need to know should apply to access the cardholders data
• Identification and authentication of the user are important to access the system components.
• Physical access to cardholders data should be restricted.
• Monitoring or screening of system components to know the malicious activity internally in real-time.
• Regular auditing of security control and finding any vulnerabilities available in the systems.
• Make policies and programs accordingly in order to support information security.

How organization can become PCI compliant

• Scope: First step is to determine all the system components or networks storing and processing cardholders data i.e., Cardholders Data Environment.
• Assess: Then test whether these systems or networks are complying with all the requirements of PCI DSS COMPLIANCE.
• Report: Documenting all the assessment through self assessment questionnaire by answering following questions like whether the requirements are met or not? Whether the requirements are met with customized approach.
• Attest: Then the next step is to complete the attestation process available on the website of PCI SSC.
• Submit: Then organization can submit all the documents including reports and other supporting documents if it is requested by other entities such as payment brands, merchant or acquirer.
• Remediate: Then the organisation should take remedial action for the requirements which are not in place on the system components or networks.

Conclusion

One of the most important issues facing those involved in the digital payment ecosystem is cybersecurity. The likelihood of being exposed to cybersecurity hazards including online fraud, information theft, and virus assaults is rising as more and more users prefer using digital payments.

And thus complying and adopting with these security standards is the need of the hour. And moreover RBI has also mandated all the regulated entities ( NBFCs Banks etc) under one recent notification to comply with these standards.

Introduction

India’s digital growth journey has been moving at a tremendous pace. According to MeitY’s report, India’s digital economy is expected to rise to US$ 500 billion by 2025, up from US$ 200 billion in 2019. The digitisation drive that we are experiencing is likely to foster and boost a favourable business environment that will attract rapid investment and augment economic growth across sectors. This will, in turn, compel businesses to adopt digital platforms as solutions to meet customer expectations. Due to accelerated digitisation, cyber risks often deter business growth. Cybercrimes are becoming more rampant and complex and the costs associated with such breaches are not only increasing but also becoming more systemic.

Development of the Cyber Insurance Landscape

Digitization of businesses started in the 1980s with the use of mainframes. Personal computers entered the game and further modified the landscape from the 2000s along with LANs, the internet and the dot-com boom of the 2000s. In the late 1990s, cyber-insurance was developed as a risk management tool to ensure information security. Coverage was limited, and clients included SMEs in need of insurance to qualify for tenders, or community banks too small to hedge the risks of their online banking operations. The first cyber insurance policy was written in 1997 through AIG, against hacking as a third-party liability policy. 

The current trends in the cyber insurance space are focused on the prevention of cyber risks, which by nature are hard to outline and constantly evolving. The result is that the buyers have limited clarity on the types of cyber risks covered under cyber insurance, and even lesser visibility on the scope and amount of optimum coverage. Unfamiliarity with the claim procedure and resolutions, ambiguous claim thresholds during settlements, and confusion around exclusions and coverage of regulatory fines and penalties under a purchased scheme further discourage potential buyers from seriously investing in cyber insurance products. 

Key Factors in Cyber Insurance Evolution and Its Role in Risk Management

The cyber insurance market in India has three key influencing factors, namely the speed of achieving digital maturity, government initiatives to digitise and enforce stringent cyber laws, and the evolving landscape with technology giants and MNCs entering the cyber insurance domain. The latter  are the catalyst for intensifying competition in this market. 

Advancements in technology in terms of AI, machine learning, big data, robotics, blockchain, augmented and virtual reality, and IoT are expected to reshape the insurance industry and help reach untapped audiences in a more digital-forward manner. With the absence of a standard cyber insurance policy, regulators need to take the following variables into consideration while developing cyber insurance policies: the risk insured against, the scope of the loss covered and the limits/ sub-limits.

Challenges 

With the complexity of cyber risks increasing exponentially the challenges to counter the same are growing too which is leading to gaps in the coverage offered for cyber threats. Resultantly, the compliance regulations are dependent on the risks which exist and cyber threat actors adopt new technologies faster and exploit them to their benefit. A lack of historical data and predictability in future cyber risks, the possibility of large overwhelming loss events, uncertainties among market participants about what is specifically covered under such policies, and legal battles over fundamental issues are some of the challenges identified.

Future Outlook/ Recommendations

India's cyber infrastructure requires a multi-faceted approach that involves collaboration between government, industry, and academia should be developed. Some recommendations are:

• Risk assessments should be a general practice and the cyber insurance policies should be simplified, clearing the mismatch between the premium paid and insurance coverage and there should be standard verbosity across cyber policy language.
• Promoting R&D tailored to India focused on education programs that have public-private partnerships and global collaborations to share threat intelligence, best practices, and expertise in critical infrastructure protection.
• Cyber insurance can also be promoted as compliance with the DPDP Act, which would lead to better development of cyber infrastructure and cyber hygiene practices.
• Regular updates to cyber insurance policies to ensure relevance and effectiveness. Insurers could create and offer holistic cyber insurance risk management plans.

Conclusion

According to a report by Deloitte in 2023, the cyber insurance market in India is expected to grow by 27-30 per cent in the coming years and it is currently valued at USD 50-60 million, while maintaining a steady 27-30 per cent CAGR in the past three years. The Indian cyber infrastructure’s nature is challenging, however, it offers opportunities for growth, innovation, and collaboration. A proactive approach, supported by robust policies, advanced technologies, and skilled professionals, will be essential to building a resilient cyber infrastructure capable of withstanding evolving threats.

Reference

• https://www2.deloitte.com/content/dam/Deloitte/nl/Documents/financial-services/deloitte-nl-fsi-demystifying-cyber-insurance-coverage-report.pdf
• https://www.dnaindia.com/business/report-what-s-cyber-liablity-insurance-and-why-you-may-need-it-2136556‍
• https://economictimes.indiatimes.com/industry/banking/finance/insure/cyber-insurance-gains-momentum-in-india-set-to-witness-exponential-growth-deloitte/articleshow/104189297.cms?from=mdr

Introduction

The Kerala High Court banned the use of mobile phones during office hours on the 2nd of December 2024, and issued an Official Memorandum titled, ‘Indulgence In Online Gaming And Watching Social Media Content During Office Hours’. This memorandum, issued by the Registrar General, prohibits mobile phone usage for personal activities such as gaming and social media during working hours. This memorandum aims to curb the productivity woes and reinforce professional discipline and further ensure the smooth functioning of the office operations. 

The memorandum reiterated its earlier notices from 2009 and 2013, where the High Court had emphasised that violations would be taken seriously. This reflects the High Court’s commitment to maintaining efficiency and professionalism in the workplace.  According to the memorandum, controlling officers will monitor the staff for violations and strict actions will be taken if the rules are flouted. 

Background

The circumstances that led to the Kerala HC’s decision are as follows: staff engaged in playing online games, browsing social media, watching videos or movies and even engaging in online shopping or trading during work hours, excluding the allocated lunch recess (as per the memorandum). 

As mentioned earlier, this memorandum is not the first of its kind. There were similar directives that were issued in 2009 and 2013 to target the poor productivity standards, rooted in the staff members' behaviours. The present memorandum is unlike the previously mentioned ones as, it specifically addresses the rise in mobile-based distractions, like online gaming and trading. The present directive does not outline any exceptions to senior officials with designated responsibilities, and emphasises universal adherence for all levels of the workforce. 

According to Cell Phones at Workplace Statistics, around 97% of workers use their smartphones during work hours, mixing personal and job-related activities. And more than 55% of managers say that cell phones are a major reason for lower productivity among employees.

Therefore, it can be safely concluded that even though smartphones have become indispensable tools for communication, their misuse has wider implications for overall organisational productivity. 

CyberPeace Outlook

The Kerala High Court's decision to restrict personal mobile phone usage during work hours underscores the importance of fostering a disciplined and focused workplace environment. While smartphones are vital for communication, their misuse poses significant productivity challenges. Some proactive steps that employers can take are implementing clear policies, conducting regular training sessions and promoting a culture of accountability. Balancing digital freedom and professional responsibility is the key to ensuring that technological tools serve as enablers of efficiency rather than distractions in the workplace.

References

• https://www.thehindu.com/sci-tech/technology/kerala-high-court-issues-memo-banning-staff-from-gaming-and-social-media-during-work-hours/article68963949.ece
• https://timesofindia.indiatimes.com/technology/tech-news/kerala-high-court-bans-mobile-gaming-and-social-media-for-staff-during-work-hours/articleshow/116101149.cms 
• https://images.assettype.com/barandbench/2024-12-05/1hiq8ffv/Kerala_High_Court_OM.pdf 
• https://www.coolest-gadgets.com/cell-phones-at-workplace-statistics/