Security


Payment Card Industry Data Security Standard

How enhanced Payment Card Industry Data Security can protect the lifeblood of your business.

Several years ago, an employee from one of the world’s leading media companies lost a CD holding the encrypted bank details of some 3,000 customers and, in a separate incident, a hacker stole the credit card details of 38,000 customers from the website of a major retail brand. Horror stories such as these highlight the reality of what can go wrong when organisations fail to have the right data security processes and technology in place.

Since then, the major card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa have set out to counter the growing threat of security breaches by developing the Payment Card Industry Data Security Standard (PCI DSS). Every organisation that accepts credit or debit card payments, or that stores, processes or transmits cardholder data, is within scope of the PCI DSS. It is a set of 12 requirements covering security management, policies and procedures, network architecture, software design and other critical protective measures.

Ignore the standard at your peril: failure to comply can, at best, result in heavy fines, forensic investigation charges and legal costs and, at worst, in significant damage to your company’s reputation and even the loss of your card acquiring facility, which would effectively put you out of business.

So what does compliance with the standard really mean and where do you turn if you are finding the process of meeting the standard too demanding?

Why comply?

As the real-life examples above show, take no chances with the lifeblood of your business: a single vulnerability in your transaction and data security systems can cause incalculable damage.

Trust is a critical issue for customer relationship management. In a world in which defence data can go missing on a memory stick, it is essential to be able to demonstrate data security to your customers. Whether you take card payments online or over the counter, PCI DSS compliance protects customers’ data, boosts customer confidence and safeguards the reputation of your own brand. As part of a company’s continuous improvement programme, PCI DSS compliance embeds good practice and can be implemented alongside ISO 27001 to identify and address risks within an organisation.

Longer–term, knowing you have done everything you can to create a robust security environment gives you a strong competitive advantage, encouraging higher spends and more frequent transactions.

First steps to compliance

Before the compliance process begins, step back and take a close look at your organisation. The level at which you must validate compliance with the PCI standard is determined by the volume of card transactions you handle and by how you store, process or transmit cardholder data. Carrying out the following steps will put you on the right path to a successful compliance programme:

  • Scope your environment: identify every system, network segment and process that stores, processes or transmits cardholder data
  • Undertake a gap analysis against the 12 requirements
  • Carry out the remediation work identified by the gap analysis before the annual assessment
  • Validate compliance annually by completing a self-assessment questionnaire or undergoing an onsite audit, whichever your validation level requires
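Scoping depends on knowing where card numbers actually are, and they have a habit of turning up in application logs, database exports and support tickets well outside the systems nominally in scope. The Python below is an added example, not code from the original page or from LAN2LAN: it scans a handful of constructed sample log lines for candidate card numbers, confirms each with the Luhn check so that an ordinary 16-digit reference number is not reported as a PAN, and reports only the first six and last four digits, so the scan output does not itself become a new store of cardholder data. The sample lines, the regular expression and the function names are this example's own assumptions; the card numbers in them are public scheme test numbers, not real cards.

```python
"""Find where card numbers (PANs) leak into logs or exports, as a scoping aid.

Added example: not the page's or LAN2LAN's code. Runs offline on constructed
sample lines. The card numbers below are public scheme test numbers, not real.
"""
import re

# Constructed sample lines standing in for an application log extract.
SAMPLE_LINES = [
    "2024-01-05 10:01:22 order=1001 card=4111111111111111 amount=19.99",
    "2024-01-05 10:02:03 order=1002 card=5555 5555 5555 4444 amount=5.00",
    "2024-01-05 10:02:41 order=1003 ref=1234567890123456 amount=7.50",
    "2024-01-05 10:03:10 order=1004 card=**** **** **** 1111 amount=3.00",
]

# A candidate is a run of 13 to 19 digits, optionally separated by single
# spaces or dashes, and not embedded in a longer run of digits.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; every genuine PAN passes this."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits only, the usual display form."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(lines):
    """Return (line_number, masked_pan) for each Luhn-valid candidate."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                hits.append((n, mask(digits)))
    return hits


if __name__ == "__main__":
    for n, masked in find_pans(SAMPLE_LINES):
        print(f"line {n}: possible PAN {masked}")
```

Run against the sample lines it reports lines 1 and 2 only: line 3 carries a 16-digit value that fails the Luhn check and line 4 is already masked. Every hit widens the scope of the assessment, because the system that wrote that line is handling cardholder data whether or not it was meant to.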

Hints and tips

In these tough times, when your IT department is already stretched to the limit, a lengthy process to comply with yet another industry standard is probably low on your list of priorities. A word of advice: don’t try to do it all yourself. If necessary, look for help outside your organisation. Here are a few guidelines:

  • Work with a technology partner who combines technical know–how with a track record of guiding businesses through the PCI compliance process and building a suitable infrastructure
  • Before you begin the process of compliance, take advice from specialists who can help you determine the level of conformity that your organisation requires to ensure that the solution you put in place is appropriate and cost–effective
  • Entrusting your PCI compliance to specialists with exceptional experience of implementing successful solutions frees up your staff and takes away the pain of keeping up–to–date with changes in the standard.

Once your security deployment has met the appropriate requirements:

  • Put in place flexible policies, procedures and practical action points that will maintain your protection and ensure compliance for the future
  • As new amendments to the standard are published, ensure your plans will allow them to be adopted rapidly and with minimal disruption, without the need to re–define the whole deployment
  • Be prepared to transition to the next level of compliance should the volume of card transactions within your organisation increase

Executing the process correctly from the outset, and integrating it into your overall business planning or continuous improvement programme, will minimise the headaches associated with ongoing maintenance and make the transition to future compliance as smooth as possible.

When all is said and done, the Payment Card Industry Data Security Standard is not just another standard or a matter of irksome red tape. While no security system is infallible, compliance with PCI DSS reduces the risk of a breach and provides you with robust evidence that you have taken reasonable steps to protect the interests of your customers, the lifeblood of your business.

The LAN2LAN Difference

  • Extensive knowledge of a range of best-of-breed solutions so we can deliver the one that’s right for you
  • Deep understanding of business processes as well as technologies
  • Unbiased, independent network security analysis
  • Skilled team dedicated to security products and services
  • Penetration testing using manual techniques, carried out by certified ethical hackers, for a more rigorous risk assessment
  • N3 NHS Connecting for Health accredited

Call: 0870 787 4001
