Month: January 2019

28 Jan 2019

PCI Matters: Gain the Customer's Trust with PCI Compliance

The Payment Card Industry has grown to the extent that it touches hundreds of millions of people worldwide every day. While most payments are still made through debit/credit card transactions, consumers are now also using mobile devices to make electronic payments. Whenever a customer uses a debit/credit card to make a payment, personal data is transmitted electronically, including the customer's name, card number, security code and expiration date, and this information can be stolen and misused.

History behind PCI

Between 1988 and 1998, Visa and Mastercard reported credit card fraud losses totaling 750 million dollars, a minuscule amount compared with the hundreds of billions of dollars in transactions processed yearly. In October 1999, Visa became the first card brand to develop security standards for merchants conducting online sales. However, as credit card and internet usage grew, fraud also increased, to four times greater than the average transaction.

Formation of PCI

The PCI Security Standards Council was formed to promote the Payment Card Industry standards for the safety of cardholder data across the globe. The Council was founded in 2006 by American Express, Discover, JCB International, MasterCard and Visa Inc., who share equally in the governance and execution of the Council's work. The Council periodically adds new clauses to the requirements and releases updated versions of the standard. The first official PCI DSS was released in 2004 as version 1.0; the current version is PCI DSS 3.2, released in 2016.

The twentieth-century U.S. criminal Willie Sutton was said to rob banks because "that's where the money is." The same motivation, in our digital age, makes merchants the new target for financial fraud. It is a severe problem: more than 510 million records containing sensitive information have been breached since January 2005, according to

So, since merchants are at the center of payment card transactions, it is imperative that they use standard security procedures and technologies to thwart the theft of cardholder data.

To protect customer information, the Payment Card Industry Data Security Standard (PCI DSS) sets out 12 requirements as security measures. In this article, we discuss the critical elements of PCI DSS that organizations accepting payment cards for their business must now adhere to. These organizations have to protect cardholder information, including names, card numbers and security codes, which is saved in their systems when the consumer makes a payment. PCI was formed to stop the data breaches that were increasing between 2000 and 2005; this could only be prevented with strong regulation setting the necessary security measures and standards for the payment card industry. Moreover, it gives software developers and device manufacturers the guidance they need to achieve compliance.

Risky Behavior

A survey of businesses in the U.S. and Europe reveals activities that may put cardholder data at risk:

  • 81% store payment card numbers
  • 73% store payment card expiration dates
  • 71% store payment card verification codes
  • 57% store customer data from the payment card magnetic stripe
  • 16% store other personal data

Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/EMC)

Payment Application Data Security Standard:
Some key points for implementing security steps:

  1. Use only authorized and approved PIN entry devices.
  2. Use appropriate software to process payments.
  3. Most importantly, create firewall protection between the PC and the network.
  4. Make sure the wireless router uses password encryption. Employees must also be trained to protect cardholder data.

Security Controls and Processes for PCI DSS Requirements

1. Build and Maintain a Secure Network

Right off the bat, cardholder information is only as secure as the paths that give access to it. On the one hand, PCI DSS requirements are intended to ensure that network security practices eliminate or limit known risks. On the other hand, they ensure that the organization defines well-organized policies, procedures and practices that can be followed and audited. To guarantee both secure data pathways and adherence to strict network security policies, PCI DSS requires specific rules for handling card payments to help prevent credit card fraud, skimming and other security threats. This involves:

  1. Tracking and auditing firewall activity consistently, including clear definitions of roles and responsibilities.
  2. Strictly restricting internal organizational access to customer data.
  3. Documenting, enforcing and auditing every operational procedure and practice.

Around 40% of PCI DSS requirements relate to network security, yet this is the main source of pain, complications and disruption for PCI internal auditors, IT administrators and their teams.

For network security teams to run a repeatable, consistent process that does not disrupt business as usual, it is simply not feasible for IT administrators and PCI internal auditors to manage and test everything by hand. The many IT tasks involved in documenting, tracking and auditing network security procedures manually can take weeks.

2. Protect Card Holder Data

Cardholder data refers to any information contained on a customer's payment card. The data is printed on either side of the card and is held in digital form on the magnetic stripe embedded in the back of the card. Some payment cards store data in chips embedded on the front. The front generally carries the primary account number (PAN), the cardholder name and expiration date, and the 3- or 4-digit card verification value (CVV2). The CVV2 may be on the back, depending on the card. The magnetic stripe or chip holds these plus other sensitive data used for authentication and authorization.

PCI security standards are technical and operational requirements set by the PCI Security Standards Council (PCI SSC) to protect cardholder data. The standards apply to all organizations that store, process or transmit cardholder data, with guidance for software developers and for manufacturers of the applications and devices used in those transactions. The Council is responsible for managing the security standards, while compliance with the PCI standards is enforced by the founding members of the Council: American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.

3. Implement strong access control measures

Access control allows merchants to permit or deny the use of physical or technical means to access PAN and other cardholder data. Access must be granted on a business need-to-know basis. Physical access control entails the use of locks or restricted access to paper-based cardholder records or system hardware. Logical access control permits or denies use of PIN entry devices, a wireless network, PCs and other devices. It also controls access to digital files containing cardholder data.

4. Compensating Controls for PCI DSS Requirements

Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated. For a compensating control to be considered valid, it must be reviewed by a qualified assessor.

Compensating controls must satisfy the following criteria:

  1. Meet the intent and rigor of the original PCI DSS requirement.
  2. Provide a similar level of protection as the original PCI DSS requirement, such that the compensating control sufficiently offsets the risk that the original PCI DSS requirement was designed to defend against.
  3. Be "above and beyond" other PCI DSS requirements. (Simply complying with other PCI DSS requirements is not a compensating control.)

5. Choosing an Approved Scanning Vendor (ASV) for PCI

An Approved Scanning Vendor (ASV) is a data security firm that uses a scanning solution to determine whether the customer is compliant with the PCI DSS external vulnerability scanning requirement. ASVs have been trained and are qualified by the PCI Security Standards Council to perform external network and system scans as required by PCI DSS. An ASV may use its own software or an approved commercial or open source solution to validate compliance. ASV solutions must be non-disruptive to customers' systems and data: they must never cause a system reboot or interfere with or change domain name server (DNS) routing, switching or address resolution. Root-kits or other software should not be installed unless they are part of the solution and pre-approved by the customer. Tests not permitted by the ASV solution include denial of service, buffer overflow, brute force attacks resulting in a password lockout, or excessive use of available communication bandwidth. An ASV scanning solution includes the scanning tool(s), the associated scanning report, and the process for exchanging information between the scanning vendor and the customer. ASVs may submit compliance reports to the acquiring institution on behalf of a merchant or service provider.

6. The scope of Assessment for PCI DSS Compliance

PCI compliance scope includes the Cardholder Data Environment (CDE) and the other system applications and components associated with the CDE. A Cardholder Data Environment consists of the processes, technologies, hardware and software applications that store, process and transmit customer data such as card numbers, CVV numbers and magnetic stripe data.

Below are the system components which are included in the scope:

  1. Networking devices
  2. Firewalls
  3. Servers
  4. Switches
  5. Routers
  6. Computing devices
  7. Applications

The first step of a PCI DSS compliance effort is to accurately determine the scope of the environment. The scoping process includes identifying all system components that are located within or connected to the cardholder data environment. The cardholder data environment is comprised of the people, processes and technology that handle cardholder data or sensitive authentication data. System components include network devices (both wired and wireless), servers and applications. Virtualization components, such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops and hypervisors, are also considered system components within PCI DSS. Scoping must occur at least annually and prior to the annual assessment. Merchants and other entities must identify all locations and flows of cardholder data to ensure that all relevant system components are included in scope for PCI DSS. Entities should confirm the accuracy and appropriateness of PCI DSS scope by performing these steps:

  1. The assessed entity identifies and documents the existence of all cardholder data in its environment, to verify that no cardholder data exists outside of the currently defined cardholder data environment (CDE).
  2. Once all locations of cardholder data are identified and documented, the entity uses the results to verify that the PCI DSS scope is appropriate (for example, the results may be a diagram or an inventory of cardholder data locations).
  3. The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE, unless such data is deleted or migrated/consolidated into the currently defined CDE.
  4. The entity retains documentation that shows how the PCI DSS scope was confirmed and the results, for assessor review and for reference during the next annual PCI DSS scope confirmation activity.
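As an added example (not from the page, the PCI SSC, or any assessor's tooling), the following Python sketch automates step 1, a cardholder-data discovery pass over log lines: it Luhn-validates candidate PANs to cut false positives, flags stored verification codes and magnetic-stripe track data as sensitive authentication data, and masks PANs in its own output so the scan report does not become a new data location. The regexes, field names and sample log lines are constructed assumptions.

```python
import re
from typing import Dict, List

# Candidate PAN: 13 to 19 digits, optionally grouped with spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data (SAD): a stored verification code or
# magnetic-stripe track 1 / track 2 data, which must not be kept after
# authorization, so any hit is a finding wherever it sits.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
TRACK_RE = re.compile(r"%B\d{13,19}\^[^^]*\^\d{4}|;\d{13,19}=\d{4}")

# Constructed sample log lines; 4111... and 5555... are well-known test PANs.
SAMPLE_LINES = [
    "2019-01-28 10:15:01 order=1001 pan=4111111111111111 exp=12/21 status=approved",
    "2019-01-28 10:15:02 order=1002 ref=4111-1111-1111-1112 status=declined",
    "2019-01-28 10:15:03 order=1003 pan=5555 5555 5555 4444 cvv=123",
    "2019-01-28 10:15:04 pos=07 track2=;4111111111111111=21121010000?",
    "2019-01-28 10:15:05 order=1005 customer=alice status=shipped",
]

def luhn_ok(digits: str) -> bool:
    """Luhn check: drops digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> List[str]:
    """Return Luhn-valid PANs in text as plain digit strings, de-duplicated."""
    found: List[str] = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits) and digits not in found:
            found.append(digits)
    return found

def mask_pan(pan: str) -> str:
    """Mask to first six / last four so the scan report is not itself a new CHD location."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def classify_line(line: str) -> Dict[str, object]:
    """Classify one line; SAD outranks plain cardholder data (CHD)."""
    pans = find_pans(line)
    if CVV_RE.search(line) or TRACK_RE.search(line):
        kind = "sensitive-authentication-data"
    elif pans:
        kind = "cardholder-data"
    else:
        kind = "clean"
    return {"kind": kind, "pans": [mask_pan(p) for p in pans]}

def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Scan lines; any non-clean line puts its source in scope (step 3 above)."""
    return [classify_line(line) for line in lines]
```

Running `scan(SAMPLE_LINES)` reports the declined order as clean (its number fails Luhn) and the CVV and track-2 lines as sensitive authentication data, which is the case the Risky Behavior survey above is about.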

7. Reporting

Reporting is a very important part of any organization, as reports serve as a record and as proof when needed. Reports are prepared by the responsible person for a specific or general purpose, and their timing varies by company. Every business has a different merchant bank and merchant level, which determine what kind of reporting and validation is required; the volume of transactions also matters. Reports can be weekly, monthly, quarterly or annual, depending on the report, its purpose and the decision to be made on it. In the same way, PCI DSS compliance has reporting requirements, which should consist of the following:

  • An executive summary, which should include a description of the cardholder's payment card business and a network diagram showing the relationships, to give a clearer picture.
  • A more detailed description of the assessment, the scope of work and the approach used, and how much effect it has on the security of cardholder data.
  • All details about hardware and software, service providers and third-party applications.
  • Basic details such as the date of the report and contact information.

21 Jan 2019
Check-In Ahead of the Competition – Travel & Hospitality Industries Digital Trends

Travel Industry Trends:

Global online travel sales totaled an impressive $564B in 2016, but the market research company eMarketer is projecting revenues to skyrocket to $755B by 2019, growing to an incredible $817B by 2020.

Digital travel sales worldwide from 2014 to 2020 (In billion U.S. dollars)

There are multitudes of travel options for consumers to choose from, and the competition within the travel industry to provide excellent shopping experiences is fierce. It was not so long ago that families and business travelers worked through travel agents or contacted airlines, hotels or car rental companies directly in order to reserve and book their travel, but the travel industry has evolved significantly over the last decade. Now, with the click of a button, consumers are able to book their own travel using modern websites and mobile apps offered by the leading travel and hospitality companies that have digitally transformed their businesses. Technological advancements have empowered travelers to research, plan and book travel arrangements independently, design their own itineraries, create bespoke packages, compare prices and take other travelers' reviews into account when planning their vacations.

Today, the majority of travel transactions are completed through desktop websites, closely followed by apps and then by mobile websites. However, the growth and popularity of travel apps is rising the most, and travel is already proving to be one of the more popular categories in the Apple App Store, representing almost 4% of all app categories and reaching approximately 95% of Android users in the United States. Online sales from these mobile channels are set to grow from $52 billion in 2015 to $95 billion by 2019 (source: Statista).

Omnichannel Optimization

Current research suggests that travelers prefer researching travel destinations via their smartphones but are still making their purchases on desktops because it is more user-friendly and secure.  Phocuswright for Bing’s ‘The Travel Marketer’s Guide’ reports that 40% of users conduct research using a mobile phone to find flights, hotels, and accommodations, compared to only 21% of shoppers that complete their transactions on mobile.  Given this trend, those in the travel and hospitality sector must work to make the transition between their channels seamless, with effective mobile optimization, websites, and apps, that keep their customers engaged and prevent them from leaving to shop at a competitor.

Social Media Influence

There has been an enormous increase in the number of people sharing their travel experiences on social media platforms. It is no secret that millennials enjoy sharing images and comments on their travels and that it has become a large part of their identity creation, with many becoming influencers among friends, colleagues and their community, through sharing their experiences.

The dramatic growth of social media posts and reviews on holiday and travel activities have made the importance of a positive public image for travel hospitality destinations vital. Expedia’s ‘Millennial Traveler Report’ states that many customers base their choice of holiday destinations on their friends’ influence.

Having happy customers who post online is incredibly valuable to any business in travel and hospitality, making it one of the most important touch points in the customer journey. Satisfied customers become brand advocates through their posts, feedback and reviews on social media, magnifying every brand’s message and reputation significantly, as well as growing the customer base and awareness. Additionally, a positive presence on social media enables travel and hospitality companies to influence potential customers and get them interested in the complementary products and services they offer.

Analytics and Personalization

Vacationers look for unique experiences when booking their travels, and hospitality companies must personalize their shopping experiences accordingly.  An adrenaline filled adventure, a holiday with friends or a romantic getaway should all have unique content that is personalized and relevant to the traveler in order to provide the ultimate shopping experience.

State-of-the-art analytics and personalization tools enable travel and hospitality companies to provide personalized shopping experiences by serving up relevant content throughout the shopper's journey. These tools measure and take into account customer searches, preferences, real-time site behavior, purchase history and social habits when personalizing the content shown. When done effectively, sales and conversions improve dramatically.

NextGen Technologies

Artificial Intelligence (AI): With the help of AI, travel and hospitality companies are now able to analyze their customers' unstructured data, including pictures, social posts, reviews, natural language, searches and history. Now more than ever before, targeted, personalized content based on a deep understanding of what shoppers are most interested in can be curated to capture their attention.

Internet of Things: IoT is driving the connected world of the future, and the travel and hospitality industries are going to reap the benefits of these new technologies. For example, in the future, hotel beds will be able to measure body temperature, mood, and hydration levels, linking with smart home technology climate controls to provide the ultimate in-room experiences.