Three cornerstones of cryptographic compliance
Cryptographic compliance can be a complex subject. India has many cryptographic regulations with which organizations must maintain compliance. In this article we will cover three common compliance requirements that organizations with cryptographic infrastructure must often take into consideration: data localization, the IT Act (message authentication in particular), and PCI compliance.
While each of these compliance considerations is unique in its own way, security architects, IT managers, and CISOs are well advised to bear them in mind while planning or managing cryptographic infrastructure.
Data localization requirements
India has data localization (sometimes called data residency) regulations in place that require organizations to store and process data within India. When a payment is submitted, or when a user provides personal data to an application, the data involved cannot be processed or stored in a foreign country. These regulations are intended to make it easier for law enforcement or other authorities to access the data when the need arises. They also allow government organizations to ensure that data is protected according to their specific standards.
As India is one of the world’s fastest growing payment processing hubs, there are naturally companies operating there whose datacenters are located in foreign countries. These might be banks, big tech companies, or other enterprise organizations. To continue operations, such companies must rely on local datacenter solutions.
While India is a fintech capital with thousands of new companies emerging in that sector, it is not known for a fast rate of cloud adoption. This could be a result of the pace at which foreign cloud providers are seeking out local datacenter solutions. If that is the case, then as more local datacenter solutions emerge, more cloud solutions are likely to emerge as well that offer their services while remaining compliant.
One recent development in data localization is a proposed update to the Data Protection Bill. This revised version would ease data localization requirements somewhat, allowing customer data to be processed in “trusted jurisdictions” in foreign countries. The drive to increase security through data localization might continue nevertheless, and there will likely be some additional clarification of how trusted jurisdictions are to be determined. All the same, this issue will be important to monitor as it develops.
Information Technology Act, 2000
The Information Technology Act, 2000 (also known as the IT Act) was passed in 2000, and significantly amended in 2008. The IT Act provides the definitive legal framework for dealing with cybercrime, regulating e-commerce, and protecting technological communications and networks. One aspect of the IT Act that is notable from a compliance perspective is the Act’s requirement to authenticate messages with digital signatures.
A digital signature is a cryptographic object applied to a device, application, code, message, or other digital object to authenticate that object. It is based on asymmetric (or public key) cryptography, in which a public key is used to encrypt data and a private key is used to decrypt it; for signing, the roles are reversed: the private key produces the signature and the corresponding public key verifies it. Digital signatures and the entities that issue the certificates binding public keys to their owners, called certificate authorities (CAs), all fall within the scope of public key infrastructure (PKI).
Simply put, the IT Act requires organizations to use PKI and a CA to validate the integrity of messages (as well as payments and other transactions). Though this compliance requirement may seem complex, its solution is fairly straightforward. Organizations can deploy hardware security modules (HSMs) or other key management solutions to secure private keys and establish a CA with which to authenticate data.
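As an added illustration (not code from the article or from Futurex), the following Go program shows the two checks a relying party performs under this model: the CA signs a binding between a sender name and its public key, and a message is accepted only if its signature verifies under that certified key. The Certificate type, the subject name and the sample message are constructed for the example; real deployments use X.509 certificates.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Certificate stands in for an X.509 certificate (constructed): CASig binds Subject to PubKey.
type Certificate struct {
	Subject string
	PubKey  ed25519.PublicKey
	CASig   []byte
}

// certBytes is the data the CA signs: the subject name followed by the public key.
func certBytes(subject string, pub ed25519.PublicKey) []byte {
	return append([]byte(subject+"|"), pub...)
}

// IssueCert has the CA sign the subject/key binding with the CA's private key.
func IssueCert(caPriv ed25519.PrivateKey, subject string, pub ed25519.PublicKey) Certificate {
	return Certificate{Subject: subject, PubKey: pub, CASig: ed25519.Sign(caPriv, certBytes(subject, pub))}
}

// SignMessage signs msg with the sender's private key (the key an HSM would protect).
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte { return ed25519.Sign(priv, msg) }

// VerifyMessage accepts msg only if cert was issued by the trusted CA and sig verifies under the certified key.
func VerifyMessage(caPub ed25519.PublicKey, cert Certificate, msg, sig []byte) error {
	if !ed25519.Verify(caPub, certBytes(cert.Subject, cert.PubKey), cert.CASig) {
		return errors.New("certificate was not issued by the trusted CA")
	}
	if !ed25519.Verify(cert.PubKey, msg, sig) {
		return errors.New("signature does not match message: altered or wrong key")
	}
	return nil
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	senderPub, senderPriv, _ := ed25519.GenerateKey(rand.Reader)
	cert := IssueCert(caPriv, "payments.example", senderPub) // constructed subject name
	msg := []byte("PAY 1000 INR to account 42")               // constructed message
	sig := SignMessage(senderPriv, msg)
	fmt.Println("original message:", VerifyMessage(caPub, cert, msg, sig))
	fmt.Println("tampered message:", VerifyMessage(caPub, cert, []byte("PAY 9000 INR to account 42"), sig))
}
```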
Many HSMs are both physically and logically secure, making them a good long-term investment for improving security while staying compliant. This leads us to our next section, which more directly involves cryptographic infrastructure.
Payment Card Industry (PCI)
The Payment Card Industry Security Standards Council, or PCI SSC (or simply PCI), is a global regulatory body founded by a group of global financial services corporations to manage an international payment security standard. This standard, called PCI DSS (for Data Security Standard), is intended to increase security controls for payment data and to reduce fraud. In addition to the national standards defined by the Central Government, many payments organizations within India adhere to the PCI standard as a best practice.
The backbone of payments processing infrastructure, HSMs, are physically and logically tested against the rigorous PCI HSM standard. Using HSMs certified under this standard limits an organization’s compliance scope, which reduces compliance fees. On a more holistic level, PCI compliance is a symbol of trust for an organization’s partners, such as acquiring banks, payment processors, and card brands. Most importantly, it ensures that an organization’s systems are secure, fostering trust among its customers. In the payments sector in particular, trust is vital.
Compliance may be complicated, but maintaining compliance is often a matter of choosing vendors that prioritize it. With the right IT security vendor, an organization can rest easy knowing that the solution being deployed meets the highest compliance requirements.
Whether it’s a cloud service provider operating local data centers, a key management server that can deploy PKI and CA to authenticate messages, or HSMs that are certified under PCI HSM, a diligent and compliant vendor can help organizations lower their compliance scope, heighten their security, and build trust with their customers and business partners.
[This article is authored by Ruchin Kumar, VP, South Asia, Futurex. The views expressed are solely of the author.]