Introduction
Since the introduction of electronic payment systems in Nigeria, the Central Bank of Nigeria (“CBN”) has sought to maintain a high standard of conduct within the banking sector to protect consumers. One of the measures implemented by the CBN to achieve this is the requirement that financial institutions involved in electronic payments comply with the provisions of the Payment Card Industry Data Security Standards (“PCI DSS”).
This newsletter provides a brief exposition on PCI DSS and the compliance requirements.
What is PCI DSS?
PCI DSS is a set of security standards developed by prominent card schemes (MasterCard, Visa Inc., American Express, Discover Financial Services and JCB International) to ensure the security of debit and credit card transactions and to prevent data theft and fraud. It includes technical and operational requirements designed to protect payment card data. The PCI DSS is managed by the above-mentioned card schemes, which form the Payment Card Industry Security Standards Council and are responsible for the review of the PCI DSS [1].
Who should comply with the PCI DSS?
The PCI DSS requires all financial institutions that store, process and/or transmit cardholder data to be compliant. Furthermore, merchants/vendors that accept or process payment cards are also required to comply with the standards.
In addition to the above, the CBN, through its Guidelines for Card Issuance and Usage in Nigeria and the Guidelines on Operation of Electronic Payment Channels in Nigeria, requires all financial institutions that process, transmit and/or store cardholder information to ensure compliance with the PCI DSS and to conduct continuous reviews of their policies and practices in line with the standards.
Examples of these financial institutions include Deposit Money Banks, Microfinance Banks, Payment Service Operators, etc.
What are the Requirements of the PCI DSS?
To be compliant with the PCI DSS, a financial institution is required to meet the six goals set out in the table below.
| S/N | Goals | Requirements |
| --- | --- | --- |
| 1. | Build and maintain a secure network and systems | • Install and maintain network security controls. • Apply secure configurations to all system components. |
| 2. | Maintain an Information Security Policy | • Support information security with organizational policies and programs. |
| 3. | Regularly Monitor and Test Networks | • Log and monitor all access to system components and cardholder data. • Test security of systems and networks regularly. |
| 4. | Protect Account Data | • Protect stored card account data. • Protect cardholder data with strong cryptography during transmission over public networks. |
| 5. | Maintain a Vulnerability Management Program | • Protect all systems and networks from malicious software. • Develop and maintain secure systems and software. |
| 6. | Implement Strong Access Control Measures | • Restrict access to system components and cardholder data by business need to know. • Identify users and authenticate access to system components. • Restrict physical access to cardholder data. |
How are PCI DSS assessments conducted?
Entities required to comply with the PCI DSS must undergo a form of assessment to determine their compliance with the PCI DSS. Each card scheme is permitted to develop its own compliance program, which dictates the form of assessment the entity needs to conduct.
The assessment may take the form of a Self-Assessment Questionnaire, which is completed by the entity itself, or a Report on Compliance, which is a report prepared by Qualified Security Assessors appointed by the Payment Card Industry Security Standards Council, the body constituted by the card schemes.
Conclusion
Although the PCI DSS itself does not provide for sanctions or penalties for failure to comply with its requirements, card schemes are at liberty to impose penalties on financial institutions and vendors found to be non-compliant. In addition, the CBN is empowered to sanction non-compliant organisations. It is therefore advisable that all financial institutions take the relevant steps to understand the requirements of the PCI DSS and adhere to them.
Additional information about the PCI DSS is contained here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.