The Payment Industry Data Security Standard (PCI-DSS) is the world-recognized standard concerned with the protection of cardholder data in storage, processing, and transit. To keep the Cardholder data safe, there are a number of controls needed to ensure the safety of the data.

PCI DSS REQUIREMENTS

The PCI DSS requirements consist of 6 distinct goals and can further be expanded into 12 sets of security controls:

1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security for employees and contractors

ISO 27001: Over the years, institutions across the world implement ISO 27001 to achieve the level of security required to mitigate related risk in the best possible way. Security breaches and cyberattacks are on the increase and cost organizations several trillions of dollars every year. An ISMS is a framework of policies and procedures that includes all legal, physical, and technical controls involved in an organization’s information risk management processes.

Implementation of ISO 27001 will increase reliability and security of systems and information, improve customer and business partner confidence, increase business resilience among others.

ISO 22301: Every second of every day somewhere in the world things are happening. Events that might have consequences effect that no one can foresee- Natural disasters and manmade ones. We may not be able to stop them from happening but we can be prepared. The implementation of ISO 22301 standard will improve organization’s resilience during disruptions and effectively plan for pandemic and natural disasters like fire and evaluate third parties business continuity capabilities

With 10 main clauses, ISO 22301 will continue to help organizations to plan establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, mitigate the likelihood of occurrence, prepare for, respond to, and recover from disruptive incidents if and when they happen.

Nigeria Data Protection Regulation (NDPR 2019), was passed into law by National Information Technology Agency (NITDA) for organizations that handle personal data. As a result of the rising increase in the need to protect personal data of Nigerian citizen, resident, or non-Nigerian Individual by Organizations that control and processes data.

NITDA also highlighted some guidelines for compliance to NDPR in terms of collection, storage, usage, access, security, and transfer of personal data.

Clear consent of the data subject must be obtained before processing sensitive personal data such as health, ethnicity, political affiliation, religious beliefs, trade union membership, biometric, genetic, and sexual orientation. Where personal data relating to a child is processed the consent of the child’s parent or guardian must be obtained. Failure to adhere to the best practices stated in the framework by organizations shall lead to a fine by NITDA. In addition to financial loss, such an organization’s reputation is at stake.

Every Organization shall retain the service of a Data Protection Compliance Organization (DPCO) to help provide data protection audit, training, and compliance services to the Organization.

Infoprive Services Limited is a licensed DPCO and can help organizations to be compliant with the NDPR by first evaluating the status of compliance of the organization, then, drawing out a remedial plan to remediate identified non-compliances, and lastly, ensuring that the Organization implements all the necessary action to be in full compliance to the NDPR.

Also, Organizations who seek to access and use the personal data legally collected and stored by another statutory body shall require our service to conduct and submit a Data Protection Impact Assessment (DPIA) to NITDA. That way, such an organisation can gain access and use the required personal data lawfully.

Framework focuses on using business drivers to guide cybersecurity activities and considering cybersecurity risks as part of the organization’s risk management processes. The Framework consists of three parts: the Framework Core, the Implementation Tiers, and the Framework Profiles. The Framework Core is a set of cybersecurity activities, outcomes, and informative references common across sectors and critical infrastructure. Elements of the Core provide detailed guidance for developing individual, organizational Profiles. Through Profiles, the Framework will help an organization align and prioritize its cybersecurity activities with its business/mission requirements, risk tolerances, and resources. The Tiers provide a mechanism for organizations to view and understand the characteristics of their approach to managing cybersecurity risk, which will help prioritize and achieve cybersecurity objectives. While this document was developed to improve cybersecurity risk management in critical infrastructure, organizations can use the Framework in any sector or community. The Framework enables organizations – regardless of size, degree of cybersecurity risk, or cybersecurity sophistication – to apply risk management principles and best practices to improve security and resilience.

The Framework provides a standard organizing structure for multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively today. Moreover, because it references globally recognized standards for cybersecurity, the Framework can serve as a model for international cooperation on strengthening cybersecurity in critical infrastructure and other sectors and communities

With the digital revolution and the payment landscape changing in ways that no longer require the traditional payment approaches to consummate transactions, there is an evolution of modern payment methods to digital devices, software and applications. Hence, the conventional methods of securing the software and code that facilitates payments should also evolve.

Based on this evolution, the PCI Standard Security Council puts forward the PCI Software Security Framework (PCI SSF) to support a broader array of payment software types, technologies, and development methods. This framework is a set of defined software security standards and asserts all the associated validations related to the design and development of modern payment software systems.

Currently, there are two standards under PCI Software Security Framework:

1. Secure Software Life Cycle Standard (PCI Secure SLC) outlines the requirements and procedures for software vendors to have secure software lifecycle management practices in place to ensure its payment software is designed and developed to protect payment transactions and data, minimize vulnerabilities, and defend against attacks.

1. Secure Software Standard (PCI SSS) illustrates that the payment software product is designed, engineered, developed, and maintained in a manner that protects payment transactions and data, minimizes vulnerabilities, and defends against attacks.

As the leading payment security company in Sub-Saharan Africa and trusted security advisor, Infoprive is positioned and ready always to ensure the digital payment revolution continues to grow securely.