I wasn’t sure either, so, assuring him that he would have an answer before he landed, I started exploring, and the result is this blog post –
Not really! All entities dealing with payments and money matters need to follow standards from the PCI [Payment Card Industry] or ISO [International Organization for Standardization]. While PCI is mandatory for plastic-card issuers, ISO is voluntary. Here are some of the key differences worth noting –
PCI and ISO both define a set of regulations that firms must follow for information security management. Specifically, for money matters, PCI DSS, ISO 27001 and ISO 20022 are the standards adopted and followed. Although the goal is the same, the methods differ in how customer data is protected and controlled. Both require audits and regular checks to demonstrate compliance readiness. One notable overlap is that PCI DSS compliance can be used as part of becoming ISO 27001 compliant. Let’s take a closer look at the specific compliance standards –
Any merchant or service provider that handles, processes, stores or transmits credit card data.
ISO 27001 has been developed to "provide a model for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an information security management system."
Many organizations have implemented the standard(s) without going for certification – one obvious example is banks and other financial institutions. Regulations in most countries require them to implement very strict information security and business continuity procedures and safeguards, and most did so using ISO 27001.
Financial institutions that want to streamline their communication infrastructure and its associated costs by opting for a single, common "language" for all financial communications, whatever the business domain, the communication network and the counterparty (other financial institutions, clients, suppliers and market infrastructures). ISO 20022 - Universal financial industry message scheme (formerly also called "UNIFI") is the international standard that defines the ISO platform for the development of financial message standards.
Now we know the standards followed by different entities, depending on whether they store customer data, only use it for processing through a third-party API, or need it for online transactions. But how are these compliance requirements followed in different countries? Traditional banks had a fixed set of regulations and compliance obligations to follow; with fintech firms signing up customers at a global level, compliance methods also need to keep pace with current requirements.
Let’s take the example of digital payments: in India, cashless payments increased by 22% in 2016, but has compliance seen the same growth? Compliance standards need to be automated with the help of technology to meet the needs of modern customers. One technology that is helping fintech firms is cloud computing! Thanks to cloud computing, payment banks, financial institutions and NBFCs are expanding their horizons and going global!
RegTech [an amalgamation of Regulation + Technology] is the new buzzword for addressing regulatory requirements, and it comes with exciting features like –
Financial institutions and regulation have been two sides of the same coin; as banking moves out to other entities, regulation needs to venture out with it. Thanks to technology, compliance is still maintained and customer data is kept secure and protected.
Samiksha Seth, Content Strategist