Several years ago, an employee from one of the world’s leading media companies lost a CD holding the encrypted bank details of some 3000 customers and, in a separate incident, a hacker stole the credit card details of 38 000 customers from the website of a major retail brand. Horror stories such as these highlight the reality of what can go wrong when organisations fail to have the right data security processes and technology in place.
Since then, financial giants American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa have set out to counteract the growing threat of security breaches and developed the Payment Card Industry Data Security Standard (PCI DSS). All organisations that take payments from credit or debit cards, or keep data relating to card-based payments, are affected by PCI DSS. It is a set of 12 requirements and processes for security management, policies and procedures, network architecture, software design and critical protective measures.
Ignore the standard at your peril: failure to comply can, at best, result in heavy fines, a forensic investigation charge, legal costs and, at worst, significant damage to your company’s reputation – even losing your card acquiring facility and effectively putting your organization out of business.
So what does compliance with the PCI standard really mean and where do you turn if you are finding the process of meeting the standard too demanding?
Why comply?
As real-life examples reveal, take no chances with the lifeblood of your business; ensure that your company's assets and reputation are not a risk as a result of not having applied the right level of security controls.
Trust is a critical issue for customer relationship management. In a world in which defence data can go missing on a memory stick, it is essential to demonstrate data security to your customers.
If you are taking card payments online, or over the counter, PCI DSS compliance protects customers’ data, boosts customer confidence and safeguards the reputation of your own brand. As part of a company’s continuous improvement programme, compliance with PCI DSS ensures best practice and can be implemented alongside ISO27001 to identify and address risks within an organisation.
Longer-term, knowing you have done everything you can to create a robust security environment gives you a strong competitive advantage, encouraging higher spends and more frequent transactions.
First steps to compliance
Before the compliance process begins, step back and take a close look at your organisation. Your need to comply with the PCI standard will be defined by the volume of transactions you are handling and the way you hold data. Carrying out the following procedures will put you on the right path to a successful compliance programme:
- Scope your environment
- Undertake a GAP analysis to identify the variances that may exist between the PCI standard and your organisation’s existing environment
- Complete a self-assessment questionnaire or undertake an annual on-site audit
- In preparation for the annual assessment, carry out appropriate remediation work following all GAP analyses
Hints and tips
In these tough times, when your IT department is already stretched to the limit, a lengthy process to comply with yet another industry standard is probably low down on your list of priorities. A word of advice – don’t try and do it all yourself. If necessary, look for help outside your organisation. Here are a few guidelines:
- Work with a technology partner that combines technical know-how with a track record of guiding businesses through the PCI compliance process and building a suitable infrastructure
- Before you begin the process of PCI compliance, take advice from specialists who can help you determine the level of conformity that your organisation requires to ensure that the solution you put in place is appropriate and cost-effective
- Entrusting your PCI compliance to specialists with exceptional experience frees up your staff and takes away the pain of keeping up-to-date with changes in the PCI standard
Once your security deployment has met the appropriate requirements:
- Put in place flexible policies, procedures and practical action points that will maintain your protection and ensure compliance for the future
- As new amendments to the PCI standard are published, ensure your plans will allow them to be rapidly adopted and with minimal disruption, without the need to re-define the whole deployment
- Be prepared to transition to the next level of compliance should the volume of card transactions within your organisation increase.
Correct execution of the process from the outset, and integrating it into your overall business planning or continuous improvement programme, will remove any potential headaches associated with ongoing maintenance, making the transition to future compliance as smooth as possible.
When all is said and done, PCI DSS is not just another standard or a matter of irksome red tape. While no security system is infallible, compliance with PCI DSS keeps the risk of a breach to a minimum and provides you with robust proof that your organization has taken every possible step to protect the interests of your customers, the lifeblood of your business.
Gary Duke is a company director and co-founder of UK-based network provider LAN2LAN where he is responsible for business development and establishing technologies. Originally trained as an accountant, Duke has been working with IT systems since the days when a computer the size of a house was needed to run the simplest accounts ledger. Once he saw the potential computing offered, he moved into technical consultancy.