In today’s online world, payment card security is a growing concern. Its impact is being felt by organisations and individuals around the world. So, what does it mean? How does it affect us? And, most importantly, what can we do to ensure we’re meeting, and where possible exceeding, our security obligations?
The pinnacle of data security
When it comes to data security, the pinnacle is the Payment Card Industry Data Security Standard (PCI DSS). This is a globally recognised commercial compliance standard for organisations that store, process or transmit credit cardholder information. Established in 2004 by five major international credit card companies, it represents a common set of industry tools and measurements to help ensure the safe handling of sensitive information.
PCI DSS compliance is validated at four different levels, depending on transaction volumes. Companies at levels 3 and 4 can self-assess, level 2 companies can self-assess or be externally audited, and level 1 companies must be externally assessed against approximately 380 mandatory controls. These include building and maintaining a secure network, protecting cardholder data, regularly monitoring and testing networks, implementing data security awareness training for employees and maintaining an Information Security Policy.
Essentially, level 1 compliant companies must have the policies, procedures, physical structures, and technologies to ensure credit card information is protected. This involves assessor visits to validate compliance and extensive external and internal penetration testing.
The increasing importance of data security
PCI DSS compliance provides several key advantages for businesses. It helps them respond to and mitigate potential data security breaches and cyber security attacks, and it assists customers in becoming more efficient, leading to an improved bottom line.
The security of personal information has become a business in its own right. It is viewed as a competitive differentiator between the ‘haves’ and ‘have nots’ of the business world, and it typically boosts the reputation of organisations that invest in it.
Fines for non-compliance from acquiring banks range in value and, in some cases, banks may terminate a merchant relationship or increase transaction fees. Given this, the impact on businesses can be significant.
Good for customers. Good for business
Comprehensive compliance is not about simply ticking a checklist! It takes focus and commitment. It also takes time and money. Structures and processes need to be adequately implemented and continually reviewed, even between audits. Ultimately, compliance encourages better security practices, avoids non-compliance fees, and makes sound business sense.
Businesses that place importance on detailed data security measures clearly demonstrate they take their responsibility as a trusted organisation seriously, giving peace of mind to all involved.