Is Your Company PCI DSS Compliant?
Posted 22 June 2014, Australia
Orginally Published in the June 2014, CEO Magazine
Is your company PCI DSS compliant? It’s something every CEO needs to know
Law suits, loss of business, compensation expenses, the cost of achieving compliance – overall costs of millions, or even billions, of dollars have been mooted in relation to some recent breaches of the Payment Card Industry Data Security Standard (PCI DSS). Few companies would face repercussions on quite such an epic scale, but these figures serve to remind us all that the PCI standard has to be taken seriously.
Any organisation that accepts credit card payments must comply. Failure to do so can attract fines of up to $500,000 a month until compliance is achieved. The bank could increase the ongoing merchant fees or even terminate your merchant facility. And recovering from a security breach is an expensive process in itself. Benchmark Research conducted by the Ponemon Institute puts the average cost of a data breach at US$194 for each record compromised. In many organisations, records run into their thousands or even their tens of thousands; this could be enough to bring a business to its knees.
The potential for damage to the brand is equally unnerving.
A growing need for security
According to the Reserve Bank of Australia, there were 38 million debit cards and more than 15 million credit cards in circulation in Australia in January 2014. Not surprisingly concern for the security of credit card transactions is keeping pace. In 2006, the five major card providers – Visa, MasterCard, American Express, Discover and JCB – came together to form the PCI Council and take on responsibility building awareness of the issues surrounding security as well as developing and managing PCI standards.
The Council describes PCI DSS as the keystone – an “actionable framework for developing a robust payment card data security which includes the prevention, detection and appropriate reaction to security incidents”. Its primary aim is to ensure that merchants meet minimum levels of security when they store, process and transmit cardholder data. And it applies to every business, whatever its size, which accepts credit cards as a form of payment.
The standard has passed through a number of incarnations since its inception. The latest version, 3.0, was released in November 2013.
“New payment channels and new technologies are being developed every day and the standard must be continuously amended to account of this,” says Da Silva. “For example, the rate at which mobile technology is growing everyday means we have to stay vigilante of data security.”
Technology grows a lot faster than law, so compliance can’t guarantee security. As Target Chairman, President and Chief Executive Officer Gregg Steinhafel pointed out, when last year’s security breach led to the theft of about 40 million credit and debit card records and 70 million other records containing information such as shoppers’ addresses and phone numbers, Target was certified as meeting the standard for the payment card industry.
”Hackers and criminals will always stay one step ahead,” says Da Silva. “As soon as you draw a line in the sand with the law, they’ll find a way to cross it. The standard can only ensure that everyone who accepts credit card payments is doing everything they reasonably can.”
Limiting exposure to risk
Many organisations are limiting their exposure to risk by working in partnership with a company like ADVAM.
“ADVAM complies with all of the security requirements established by the card schemes and the banking industry,” says Da Silva. “CEOs can be confident that every customer transaction processed through our payment solutions are protected by the latest in encryption technology. A combination of state-of-the-art firewalls and intrusion detection systems guard every point of ingress and egress on our network. And, of course, we also undergo regular audits designed to highlight any points of possible vulnerability.”
However, this kind of relationship with a third party doesn’t free your company from the need to comply with PCI.
“It’s part of a CEO’s role to understand all the risks which threaten the organisation, including those associated with privacy and data security, and to be satisfied that the correct policies and procedures are in place,” says Da Silva. “Those policies and procedures need to be flexible enough to accommodate continuous change. And, as the CEO also sets the tone of the organisation, it’s vital that he or she promotes a culture of risk management. Companies which make risk management part of their DNA are by far the most resilient.”
If your business stores, processes or transmits any payment cardholder data you are subject to 12 PCI requirements. For the purpose of compliance, these requirements can be organised into three distinct areas – assessment, remediation and reporting.
Assessment involves identifying any weaknesses in your system that might pose a risk to the security of cardholder data. Remediation is the process of strengthening those weaknesses and repairing any cracks. You must also report regularly to the relevant bank and the owners of the cards you accept.
“The journey to compliance starts with understanding how you transact with your customers and how this flows through the business,” says Da Silva. “You’re then in a position to ensure your business is taking the holistic approach to credit card security that the PCI DSS demands.”