Enter your details below and we'll get back to you.
Share this article
It’s important to establish that any business which stores, processes or transmits payment card information must be PCI DSS compliant.
PCI DSS – or Payment Card Industry Data Security Standard, to provide the full title – is a mandatory requirement designed to be met by all card-handling organisations in the UK. This helps to ensure that customer and client card details are kept safe and confidential, protected from cybercriminals and data breaches.
At SRM we understand that facing compliance issues and working towards certification can feel like an arduous and challenging process. To combat this, our approach is always to encourage businesses to find the most efficient and effective steps that they can take to improve their risk posture. Not only that, but by getting the correct framework in place it becomes much easier to retain compliance and maintain those high standards, year after year.
Let’s take a closer look at how PCI compliance can be made cost effective rather than all consuming.
There’s no denying the fact that maintaining compliance can be difficult. In fact, the PCI Security Standard Council reports that more than 44% of organisations see the effectiveness of their PCI DSS security controls decline following their assessment.
The reasons for this can be severalfold, and include:
It’s understandable for businesses to be put off by the prospective time, effort and cost of becoming PCI DSS compliant, but what many organisations don’t understand is that the implications of not achieving compliance can be far greater. The financial exposure of non-compliance alone should be enough to convince you that caution should always be taken with the card data you are entrusted with.
Developing and maintaining a sustainable security program is key to ongoing compliance. The primary function of PCI DSS is of course to protect cardholder data. This includes everyone in the payment chain, from merchants and service providers to acquirers, card issuers, payment brands and consumers.
Cardholder data remains one of the easiest forms of data to convert directly into profit, which is why nearly three quarters of breaches on retail, hospitality and food service companies involve PCI. That’s why it’s important that companies only store sensitive card information when necessary. Any data not deemed critical to the business should be removed from the environment, therefore reducing the risks as well as the complexity and cost of remaining PCI DSS compliant.
A compliance program is just that: a program. This means there should be a formalised set of policies, processes and procedures in place within your organisation to ensure that your compliance continues to meet the necessary standards and requirements.
“It is important that every member of staff within the organisation who has any involvement in any card processing activities has relevant awareness training and assessments,” says SRM Consultant, Katie McMillan.
“This not only assists in achieving compliance, but provides an organisation with the confidence that all colleagues are competent and aware of the importance of protecting cardholder data.”
Consider the objectives, roles and responsibilities involved in maintain compliance, as well as rules that must be followed such as a strong password policy. The right procedure will outline step-by-step tasks that responsible personnel can follow to properly complete tasks in line with compliance requirements.
Although each business is different, there are a number of ways to adapt the card payment process to limit the scope of the PCI assessment. A segregated cardholder data environment provides a smaller footprint and a less accessible system for cybercriminals. This not only enhances the security of the environment but could also have a considerably positive impact on the cost, time and internal resource required to conduct a PCI Assessment.
At SRM, our approach is often to look at how we can help you avoid adding greater complexity to those processes and procedures, and instead look to streamline systems so that it becomes easier to monitor, assess and repeat the program every time. By being organised now, you can save your business from a PCI-induced headache in the future.