Building a security-enabled resilient IT architecture for payment systems. By Mahendra S. Joshi, PMP, CISM, MCA


Slide 1: Building a security-enabled resilient IT architecture for payment systems
By Mahendra S. Joshi, PMP, CISM, MCA

Slide 2: Biography
Over 12 years of experience in information security and information technology. Postgraduate in computer applications (MCA) with a number of industry certifications:
- Certified Information Security Manager (CISM), ISACA
- Project Management Professional (PMP), PMI
- ISMS ISO 27001 Advanced Auditor Course, DNV
- ITIL Foundation Certificate, EXIN
- Various technical vendor certifications from Symantec, Cisco, Microsoft, etc.
At present working with NPCI as Senior Manager, Risk Management. Before the present employer, worked with J.P. Morgan India, Mastek and various IT/IS service and solution providers.

Slide 3: Company Profile
National Payments Corporation of India (NPCI) was incorporated in December
NPCI is authorised to operate various retail payment systems in the country and has also been granted a Certificate of Authorisation for operation of the National Financial Switch (NFS) ATM network. NPCI has a mandate to create a domestic card scheme. The brand name finalised for the scheme is

Slide 4: Key reasons for choosing this topic
The World Payments Report 2011, released by Capgemini, The Royal Bank of Scotland (RBS) and the European Financial Marketing Association (Efma), reveals:
1. eGovernment initiatives are emerging as a key enabler of non-cash payments.

Slide 5: Key reasons for choosing this topic (continued)
2. E-payments and m-payments collectively accounted for an estimated 22.5 billion transactions in
Mobile payments will represent 15% of all card transactions by 2013, and will overtake card volumes within 10 years if growth continues at the same rate.
3. Cards remain the preferred non-cash payment instrument globally, with a market share of more than 40% in most markets.
4. The use of cheques continues to decline, accounting for just 16% of all non-cash global transactions in 2009, down from 22% in
One of the prominent trends in the Indian market highlighted by the report is that the long-standing reliance on cheques in the business-to-business (B2B) sphere has kept cheque usage high, but it is declining (to 65% of all transactions in 2009 from 93% in 2001), while over the same period the market share of cards has increased from 6% to 19%.

Slide 6: Global Card Fraud
Card fraud has increased consistently along with card usage in recent years. Popular fraud types: identity theft (phishing), lost/stolen card, fraudulent application, counterfeit card (skimming), etc.

Slide 7: Chip and PIN Technology, the answer to card fraud
The payments industry is pursuing various innovations to tackle fraud and better secure non-cash transactions, and thereby bolster consumer confidence.

Slide 8: Chip and PIN Technology, the answer to card fraud (continued)
95% of European ATMs are now EMV-compliant. Asia-Pacific has also witnessed growth in EMV-based smart cards, though adoption is greater in developed countries such as Japan and South Korea than in emerging markets such as India and China.
EMV has proved highly effective in reducing fraud, especially fraud related to face-to-face (POS) transactions, ATM withdrawals and lost and stolen cards. In the U.K., for example, counterfeit card fraud losses have dropped by 77% since 2004, when chip-and-PIN cards were first rolled out. Across Europe, fraud losses have declined dramatically as more ATMs have become EMV-compliant.
At present, financial institutions and merchants are absorbing fraud-related costs, and significant investment continues to be made in fraud prevention solutions, using both tactical and strategic measures. Technology and technical specifications are proving to be a critical tool in fighting fraud, and full global interoperability, most likely around EMV standards, could potentially prevent even more fraud at a variety of attack points within the payments system.

Slide 9: Outsourcing Risk Management
'Outsourcing' may be defined as a bank's use of a third party (either an affiliated entity within a corporate group or an entity external to the corporate group) to perform, on a continuing basis, activities that would normally be undertaken by the bank itself, now or in the future. 'Continuing basis' includes agreements for a limited period.
The world over, banks are increasingly using outsourcing as a means of reducing cost, accessing specialist expertise not available internally, and achieving strategic aims.
Phases of outsourcing risk management:
1. Due Diligence
2. Commissioning
3. Continual Assessment & Monitoring
4. Decommissioning

Slide 10: Outsourcing Risk Management
(Phase diagram: Due Diligence, Commissioning, Continual Assessment & Monitoring, Decommissioning)
1. Due Diligence
A. Define the outsourcing requirements: the reason for outsourcing, the benefits of outsourcing and the outsourcing risk.
B. The reason for outsourcing covers the type of service, the importance of the service, in-house capabilities, etc.
C. The benefits of outsourcing cover cost savings, time to market, value added by outsourcing partners, etc.
D. The outsourcing risk covers business impact analysis, turnaround time, and senior management approval.

Slide 11: Outsourcing Risk Management
2. Commissioning
A. The SLA should cover the service expectations, including a penalty clause if any.
B. The NDA should cover the terms and means of data/information protection.
C. The contract should cover the right to audit, compliance with applicable regulation and company policies, and a reasonable contract closure clause.
D. Financial viability assessment: the vendor's financial strength to sustain and provide uninterrupted services during turbulent market periods.
E. Business continuity and DR plan: the vendor's preparedness in the form of a tested business continuity and DR plan.
F. Vendor control assessment: the effectiveness of the vendor's controls in meeting the SLA, NDA and contract clauses.
G. Securing the interface through which the vendor will connect or deliver services.

Slide 12: Outsourcing Risk Management
3. Continual Assessment & Monitoring
A. A vendor risk profile is maintained internally for each outsourced service and for each vendor.
B. It is reviewed on a periodic basis and at the time of any amendment to the service scope.
C. An appropriate level of control assessment review is performed for each vendor. Depending on the service, the control assessment will include sections such as information security, change management, incident management, encryption, physical security, system development, BCP/DR, etc.
D. Gaps identified in such reviews need to be reported, tracked and closed within an agreed timeline.

Slide 13: Outsourcing Risk Management
4. Decommissioning
A. Decommissioning should happen as per the clause in the contract, with prior notification.
B. All interfaces and system IDs should be terminated and disabled.
C. Transfer or disposal of the information/data in the vendor's custody has to be confirmed.
D. Knowledge transfer, documents and copies of working papers have to be handed over for a smooth transition to the new outsourcing vendor or to the internal team.
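The continual-assessment controls on slide 12 (periodic and scope-change-triggered reviews, control sections per vendor, gaps closed within an agreed timeline) and the decommissioning control on slide 13 (all vendor interfaces and system IDs disabled) can be turned into mechanical checks over a vendor risk register. The following is an added illustration, not code from the deck or from NPCI: the register fields, the 365-day review cadence, the control-section list and the four sample vendors, system IDs and gaps are all constructed assumptions.

```python
"""Vendor risk register checks for outsourced services (added example).

Models the slide 12 / slide 13 controls as checks over a small constructed
register. Field names, the review period and every sample record are
assumptions made for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

REVIEW_PERIOD_DAYS = 365  # assumed cadence for the periodic risk-profile review

# Control sections from slide 12; a complete assessment covers all of them.
CONTROL_SECTIONS = (
    "Information Security", "Change Management", "Incident Management",
    "Encryption", "Physical Security", "System Development", "BCP/DR",
)


@dataclass
class Vendor:
    name: str
    service: str
    last_review: date          # date of the last risk-profile review
    last_scope_change: date    # date of the last amendment to the service scope
    assessed_sections: tuple[str, ...] = ()
    decommissioned_on: date | None = None


@dataclass
class Gap:
    vendor: str
    section: str
    description: str
    agreed_closure: date       # closure date agreed with the vendor
    closed_on: date | None = None


@dataclass
class SystemId:
    vendor: str
    identifier: str            # interface account / system ID issued to the vendor
    enabled: bool


def reviews_due(vendors: list[Vendor], today: date) -> list[str]:
    """Active vendors whose review is due: the periodic cadence has lapsed,
    or the service scope changed after the last review (slide 12, A and B)."""
    due = []
    for v in vendors:
        if v.decommissioned_on is not None:
            continue
        lapsed = today - v.last_review > timedelta(days=REVIEW_PERIOD_DAYS)
        scope_changed = v.last_scope_change > v.last_review
        if lapsed or scope_changed:
            due.append(v.name)
    return due


def missing_sections(vendor: Vendor) -> list[str]:
    """Control sections not yet covered by the vendor's assessment (slide 12, C)."""
    return [s for s in CONTROL_SECTIONS if s not in vendor.assessed_sections]


def overdue_gaps(gaps: list[Gap], today: date) -> list[Gap]:
    """Open gaps whose agreed closure date has passed (slide 12, D)."""
    return [g for g in gaps if g.closed_on is None and g.agreed_closure < today]


def decommission_leftovers(vendors: list[Vendor], system_ids: list[SystemId]) -> list[str]:
    """System IDs still enabled for a decommissioned vendor (slide 13, B)."""
    gone = {v.name for v in vendors if v.decommissioned_on is not None}
    return [s.identifier for s in system_ids if s.vendor in gone and s.enabled]


def run_report(vendors, gaps, system_ids, today: date) -> dict:
    """Collect all findings into one structure for the risk team."""
    return {
        "reviews_due": reviews_due(vendors, today),
        "incomplete_assessments": {
            v.name: missing_sections(v)
            for v in vendors if v.decommissioned_on is None and missing_sections(v)
        },
        "overdue_gaps": [f"{g.vendor}: {g.section} ({g.description}), agreed {g.agreed_closure}"
                         for g in overdue_gaps(gaps, today)],
        "leftover_system_ids": decommission_leftovers(vendors, system_ids),
    }


# Constructed sample register (not real vendors).
TODAY = date(2012, 6, 1)
VENDORS = [
    Vendor("Acme DC Services", "data centre hosting", date(2011, 3, 1), date(2010, 12, 1),
           tuple(s for s in CONTROL_SECTIONS if s != "BCP/DR")),
    Vendor("Beta Card Personalisation", "card personalisation", date(2012, 1, 15), date(2012, 4, 10),
           CONTROL_SECTIONS),
    Vendor("Gamma Switch Support", "ATM switch support", date(2012, 2, 1), date(2011, 11, 1),
           CONTROL_SECTIONS),
    Vendor("Delta Legacy Helpdesk", "helpdesk", date(2011, 10, 1), date(2011, 6, 1),
           CONTROL_SECTIONS, decommissioned_on=date(2012, 3, 31)),
]
GAPS = [
    Gap("Acme DC Services", "Encryption", "weak cipher on vendor interface", date(2012, 5, 15)),
    Gap("Beta Card Personalisation", "Physical Security", "visitor log not retained", date(2012, 7, 30)),
    Gap("Gamma Switch Support", "BCP/DR", "DR test overdue", date(2012, 3, 1), closed_on=date(2012, 2, 20)),
]
SYSTEM_IDS = [
    SystemId("Acme DC Services", "svc_acme_sftp", True),
    SystemId("Delta Legacy Helpdesk", "svc_delta_vpn", True),
    SystemId("Delta Legacy Helpdesk", "svc_delta_ticket", False),
]

if __name__ == "__main__":
    for key, value in run_report(VENDORS, GAPS, SYSTEM_IDS, TODAY).items():
        print(f"{key}: {value}")
```

Running the script on the constructed register flags Acme (periodic review lapsed, BCP/DR never assessed, an open encryption gap past its agreed date), Beta (scope amended after the last review) and the VPN account still enabled for the decommissioned Delta vendor, while Gamma and the closed gap produce nothing. Each finding maps back to a lettered item on slide 12 or 13, which is what makes the register auditable.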

Slide 14: Thank You
Mahendra Joshi
Mobile contact