The Payment Card Industry Data Security Standard (PCI DSS) V3.2 is an information security standard for any company that handles cardholder information for the major credit card providers. The five global payment brands — American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc. — incorporate the PCI DSS in each of their data security compliance programs. As such, any company that stores, processes or transmits cardholder data is required to comply with these requirements. Each merchant or payment card processor company is required to submit an annual compliance report to its merchant bank.
Benefits of PCI Compliance
- Customers have confidence that their private information is protected. PCI compliance demonstrates to customers that they can entrust their credit card payments to your company without having to worry.
- PCI compliance is held in high regard by banks and credit card companies and is often a requirement to secure merchant accounts and payment gateways.
- On-going PCI compliance demonstrates a commitment to the shopping experience of customers and a desire to protect their credit card data from security breaches.
Drill Down Approach
PCI Compliance is not just a fantastic way for your Director of Operations to sound important in meetings. It’s also key to ensuring all of your customer payment data is secured from attack.
Beyond the fact that inadvertently exposing customer information is the wrong thing to do to people who have trusted your organization enough to hand over their money, exposing customer payment data will absolutely wreck both your company’s reputation and bottom line. Large businesses like Target may have a big enough customer base with enough built-in goodwill that they’re able to ride out such a storm. But some organizations aren’t so lucky.
According to a report released by Verizon in 2015 (their most recent), only 20% of businesses are fully compliant with PCI DSS. This is significant not only because the number is low, but also because every breach Verizon investigated occurred at a business or organization that was not fully compliant at the time it was breached. This implies that full compliance can allow for a certain peace of mind.
Yet only 29% of fully compliant organizations remain compliant year over year. If PCI DSS is so incredibly important, why aren’t more companies staying on top of the continually updated standard?
Security requires resources: resources that could otherwise be used to build new features, sell more products, and deal directly with customer needs. Unlike bugs or missing features, which customers continually encounter and discuss, flawed security is not obvious until the moment it’s breached. This makes it easy to ignore or put off until later. What are the chances something bad is going to happen tomorrow? Or the next day? Or the day after that? Suddenly it’s six months later and no improvements have been made.
But breaches are constantly happening in the world of cybersecurity. Waiting until the moment customer data is compromised is far too late. How can your company stay on top of things?
- Someone responsible for compliance: It doesn’t necessarily have to be their only job, but it should be their responsibility to push the company to stay on track, and to raise it with decision makers during meetings so it stays on their radar.
- Automation of your compliance: Though there is no way to fully automate compliance, automating and streamlining as many compliance steps as possible with platforms like Halo and tools like Puppet helps ensure continual compliance with many PCI requirements, so that you don’t have to spend as much time worrying about updates and the continually evolving threats that drove those changes. This is also significantly less expensive (and more accurate) than hiring the staff you’d need to stay up to date manually.
- A habit of auditing security practices during every release: Compliance isn’t a one-and-done process, not only because the Security Standards Council constantly updates the standard, but also because developers will release code that breaks your security just as they release code that breaks everything else. That’s just the nature of software development.
Remember that the end purpose of this process isn’t to get a certificate and declare your company compliant. It’s to protect your customers from breaches, and your company from the kind of terrible blowback that comes with allowing your customers to be robbed. There are few things more important to the long-term success of your organization than that.