Since the introduction of electronic payments systems in Nigeria, the Central Bank of Nigeria (“CBN”) has sought to maintain a high standard of conduct within the banking sector to protect consumers.
One of the measures implemented by the CBN to achieve this, is the requirement that financial institutions involved in electronic payments are required to comply with the provisions of the Payment Card Industry Data Security Standards (“PCI DSS”).
Also read: Nigeria President tells central bank to allocate more dollars to Emirates
This newsletter provides a brief exposition on PCI DSS and the compliance requirements.
What is PCI DSS?
PCI DSS is a set of security standards developed by prominent card schemes: MasterCard, Visa Inc., American Express, Discover Financial Services and JCB International, to ensure the security of debit and credit card transactions and prevent data theft and fraud. It includes technical and operational requirements which are designed to protect the data of payment cards. The PCI DSS is managed by the above- mentioned card schemes, which form the Payment Card Industry Security Standards Council and are responsible for the review of the PCI DSS .
Who should comply with the PCI DSS?
The PCI DSS requires all financial institutions that store, process, and/or transmit cardholder data to be compliant. Furthermore, merchants/vendors that accept or process payments cards are also to comply with the standards.
In addition to the above, the CBN through its Guidelines for Card Issuance; and Usage in Nigeria and the Guidelines on Operation of Electronic Payment Channels in Nigeria, requires all financial institutions that process, transmit and/or store cardholder information to ensure compliance with the PCI DSS and to conduct continuous reviews of their policies and practices in line with the standards.
Examples of these financial institutions include Deposit Money Banks, Microfinance Banks, Payment Service Operators e.t.c.
Also read: Daewoo inks US$741M Nigeria Kaduna refinery upgrade contract
What are the Requirements of the PCI DSS?
To be compliant with the PCI DSS, the financial institution is required to meet 6 goals as highlighted in the table below.
|1.||Build and maintain a secure network and systems||•Install and maintain network security controls.
•Apply secure configurations to all system components.
|2.||Maintain an Information Security Policy||•Support information security with organizational policies and programs.|
|3.||Regularly Monitor and Test Networks||•Support information security with organizational policies and programs.
•Log and monitor all access to system components and cardholder data.
•Test security of systems and networks regularly.
|4.||Protect Account Data||•Protect stored card account data.
•Protect cardholder data with strong cryptography during transmission over public network.
|5.||Maintain a Vulnerability Management Program||•Protect all systems and networks from malicious software.
•Develop and maintain secure systems and software.
|6.||Implement Strong Access Control Measures||•Restrict access to system components and cardholder data by business need to know.
•Identify users and authenticate access to system components.
•Restrict physical access to cardholder data.
Also read: Cash crisis a great opportunity for mobile-money startups in Nigeria
How are PCI DSS assessments conducted?
Entities required to comply with the PCI DSS are to undergo a form of assessment to determine their compliance with the PCI DSS. Each card scheme is permitted to develop their compliance programs which would dictate the form of assessment the entity needs to conduct.
The assessment could be through Self- Assessment Questionnaires which is filled by the entity or Report on Compliance- a report by Qualified Security Assessors appointed by the Payments Card Industry Security Standards Council which is constituted by the card schemes.
Although the PCI DSS does not provide for sanctions and penalties for failure to comply with its requirements, card schemes are at liberty to set out penalties against financial institutions and vendors found to be non-compliant. In addition, the CBN is also empowered to sanction non-compliant organisations. It is therefore advisable that all financial institutions take the relevant steps to understand the requirements of the PCI DSS and adhere to them.