General Cybersecurity Maturity Assessment Model: Best Practice to Achieve Payment Card Industry-Data Security Standard (PCI-DSS) Compliance

Khairur Razikin; Agus Widodo

doi:10.21512/commit.v15i2.6931

Authors

Khairur Razikin Bina Nusantara University
Agus Widodo Bina Nusantara University

DOI:

https://doi.org/10.21512/commit.v15i2.6931

Keywords:

General Cybersecurity Maturity Assessment Model, Best Practice, Payment Card Industry-Data Security Standard (PCI-DSS)

Abstract

The use of technology in the era of the Industrial Revolution 4.0 is essential, marked by the use of technology in the economy and business. This situation makes many companies in the payment sector have to improve their information technology security systems. In Indonesia, Bank Indonesia and the Financial Services Authority (Otoritas Jasa Keuangan - OJK) are agencies that provide operational permits for companies by making Payment Card Industry-Data Security Standard (PCI-DSS) certification as one of the requirements for companies to obtain operating permits. However, not all companies can easily get PCI-DSS certification because many companies still do not meet the PCI-DSS requirements. The research offers a methodology for measuring the level of technology and information maturity using general cybersecurity requirements adopted from the cybersecurity frameworks of CIS, NIST, and Cobit. Then, the research also performs qualitative calculations based on interviews, observations, and data surveys conducted on switching companies that have been able to implement and obtain certification. PCI-DSS to produce practical cybersecurity measures, in general, can be used as a measure of the maturity of technology and information security. The results and discussion provide a model assessment tool on the procedures and requirements needed to obtain PCI-DSS certification. The maturity level value of PT XYZ is 4.0667 at maturity level 4, namely quantitatively managed, approaching level 5 as the highest level at maturity level.

Dimensions

Plum Analytics

Author Biographies

Khairur Razikin, Bina Nusantara University

Computer Science Department, BINUS Graduate Program - Master of Computer Science

Agus Widodo, Bina Nusantara University

Computer Science Department, BINUS Graduate Program - Master of Computer Science

References

PCI Security Standards Council, “Document library.” [Online]. Available: https://www.pcisecuritystandards.org/document library

Otoritas Jasa Keuangan, “Peraturan Otoritas Jasa Keuangan nomor 38 /POJK.03/2016 tentang Penerapan Manajemen Risiko dalam Penggunaan Teknologi Informasi oleh Bank Umum,” 2016. [Online]. Available: https://bit.ly/3j4wrgG

Bank Indonesia, “Peraturan Bank Indonesia No. 19/10/PBI/2017 tentang Penerapan Anti Pencucian Uang dan Pencegahan Pendanaan Terorisme bagi Penyelenggara Jasa Sistem Pembayaran Selain Bank dan Penyelenggara Kegiatan Usaha Penukaran Valuta Asing Bukan Bank,”2017. [Online]. Available: https://www.bi.go.id/id/publikasi/peraturan/Pages/pbi 191017.aspx

S. Yulianto, C. Lim, and B. Soewito, “Information security maturity model: A best practice driven approach to PCI DSS compliance,” in 2016 IEEE Region 10 Symposium (TENSYMP). Bali, Indonesia: IEEE, May 2016, pp. 65–70.

S. Thakar and T. Ramos, PCI compliance for dummies. John Wiley and Sons, 2011.

J. Liu, Y. Xiao, H. Chen, S. Ozdemir, S. Dodle, and V. Singh, “A survey of payment card industry data security standard,” IEEE Communications Surveys & Tutorials, vol. 12, no. 3, pp. 287–303, 2010.

Bank Indonesia, “Peraturan Bank Indonesia nomor 18/40/PBI/2016 tentang Penyelenggaraan Pemrosesan Transaksi Pembayaran,” 2016. [Online]. Available: https://www.bi.go.id/id/publikasi/peraturan/Documents/PBI 184016.pdf

PCI Security Standards Council, “About us.” [Online]. Available: https://www.pcisecuritystandards.org/about us/

——, “Maintaining payment security.” [Online]. Available: https://www.pcisecuritystandards.org/pci security/maintaining payment security

——, “PCI DSS quick reference guide: Understanding the Payment Card Industry Data Security Standard version 3.2.1,” 2018. [Online]. Available: https://www.pcisecuritystandards.org/documents/PCI DSS-QRG-v3 2 1.pdf

R. Umar, I. Riadi, and E. Handoyo, “Analisis keamanan sistem informasi berdasarkan framework COBIT 5 menggunakan Capability Maturity Model Integration (CMMI),” Jurnal Sistem Informasi Bisnis, vol. 1, pp. 47–53, 2019.

O. M. Al-Matari, I. M. Helal, S. A. Mazen, and S. Elhennawy, “Adopting security maturity model to the organizations’ capability model,” Egyptian Informatics Journal, vol. 22, no. 2, pp. 193–199, 2021.

I. Lee, “Internet of Things (IoT) cybersecurity: Literature review and IoT cyber risk management,”Future Internet, vol. 12, no. 9, pp. 1–21, 2020.

A. Aliyu, L. Maglaras, Y. He, I. Yevseyeva, E. Boiten, A. Cook, and H. Janicke, “A holistic cybersecurity maturity assessment framework for higher education institutions in the United Kingdom,”Applied Sciences, vol. 10, no. 10, pp. 1–15, 2020.

M. F. Saleh, “Information security maturity model,” International Journal of Computer Science and Security (IJCSS), vol. 5, no. 3, pp. 316–337, 2011.

L. Elluri, A. Nagar, and K. P. Joshi, “An integrated knowledge graph to automate GDPR and PCI DSS compliance,” in 2018 IEEE International Conference on Big Data (Big Data). IEEE, 2018, pp. 1266–1271.

R. H. Diputra, “Analisis manajemen risiko pada sistem “bring your own device” menggunakan metode cybersecurity framework NIST: Studi kasus di PT XYZ,” mathesis, Magister Sistem Informasi, Universitas Bina Nusantara, 2018.