Cybersecurity in Retail: The Big Brothers Watching

A look at the various governing standards, and organisations that deal with data protection in the retail sector

New Delhi: Around the world, management and governance of data have been done by various organisations and national bodies. These bodies, responsible for security and ethical data management, have defined various regulations for handling data.

Cyber risk remains one of the top threats with around 40% of Indian organisations feeling extremely exposed as per a survey by PricewaterhouseCoopers. As a result, retailers who handle an enormous amount of data have all moved towards indigenous approaches that are governed by different regulations in India and overseas.

These data security standards provide guidelines for safeguarding sensitive information and preventing unauthorized access or disclosure. Additionally, organizations must comply with data protection regulations, which legally mandate the proper handling of personal and sensitive data based on location and industry.

In India, the main cybersecurity regulatory bodies are the Computer Emergency Response Team (CERT-In), National Critical Information Infrastructure Protection Center (NCIIPC), Cyber Regulations Appellate Tribunal (CRAT), Securities and Exchange Board of India (SEBI), Insurance Regulatory and Development Authority, Telecom Regulatory Authority of India (TRAI) & Department of Telecommunications (DoT) according to a data by Upguard, a California-based IT services and consulting company.

Here are some of the popular governing bodies and standards applicable to Indian retail. Among the below-mentioned list of data security standards, most retailers are compliant with the International Organisation for Standardisation (ISO) and Payment Card Industry Data Security Standard (PCI-DSS).

Global standards followed in India

ISO Standards: The International Organisation for Standardization (ISO) develops and publishes a wide range of proprietary, industrial, and commercial standards. Currently, it has over 24,362 standards.

Of these, ISO27001 is the one that deals with data security and other areas like risk management, security controls, and security management systems. Some specific standards within the series include ISO 27018, ISO 27031, ISO 27037, ISO 27040 and ISO 27799.

PCI DSS: The second standard used in India is the payment card industry data security standard (PCI-DSS). Established in 2004 by major credit card companies like Visa and MasterCard, PCI DSS aims to enhance the security of credit and debit card transactions, reducing the risk of data theft and fraud.

Other prominent global standards include the National Institute of Standards and Technology (NIST) from the US Department of Commerce, Control Objectives for Information and Related Technology (COBIT) by the Information Systems Audit and Control Association (ISACA), Center for Internet Security (CIS) by the United States, General Data Protection Regulation (GDPR) by the European Union, and more, according to data from the Israel-based cybersecurity company Reflectiz.

Key Indian regulations

The Information Technology Act, 2000: The Information Technology Act of 2000 was India’s first cybersecurity law. Enacted by the Parliament of India and overseen by the Indian Computer Emergency Response Team (CERT-In), this legislation serves as a guiding framework for cybersecurity, data protection, and the regulation of cybercrime in the country. Its scope extends to safeguarding various sectors including e-governance, e-banking, e-commerce, and the private industry.

The Information Technology (Amendment) Act 2008: The Information Technology Amendment Act 2008 (IT Act 2008) served as an amendment to the IT Act of 2000, introducing updated terms. It broadened the definition of cybercrime and reinforced the legitimacy of electronic signatures. Furthermore, it placed a strong emphasis on companies to adopt enhanced data security practices, holding them accountable for breaches and making them liable for data security lapses.

National Cyber Security Policy, 2013: In 2013, the Department of Electronics and Information Technology (DeitY) unveiled the National Cyber Security Policy 2013, serving as a security framework for both public and private organizations to enhance their defence against cyberattacks.

The primary objective of the National Cyber Security Policy is to establish and enhance dynamic policies that contribute to the heightened protection of India’s cyber ecosystem.

Know Your Customers (KYC): The RBI mandates the implementation of KYC processes, which are globally recognized standards and practices. KYC involves the systematic tracking and monitoring of customer data security to enhance protection against fraud and the theft of payment credentials.

The Digital Personal Data Protection Act of 2023: In August 2023, the Government enacted the Digital Personal Data Protection Act. The Act is designed to shield data principals and regulate the actions of data managing companies. These companies are mandated to follow key provisions, including engaging third-party data processors through legally binding contracts that adhere to procedure.

Other rules in data management and protection include the Information Technology Rules, 2011, Indian SPDI Rules, 2011 for Reasonable Security Practices, Information Technology Rules, 2021.