Compliance with PCI DSS (Payment Card Industry Data Security Standard) data security requirements is a key initiative for any company that processes or stores credit cards or holds correspondence which might include credit card numbers. PCI, an industry-wide adoption of Visa’s CISP (Cardholder Information Security Program), is the credit card industry’s standard for securing cardholder data. Visa’s CISP and MasterCard’s Site Data Protection standards merged into the PCI standard in December 2004.
In the UK, compliance was mandatory by 30th September 2010, for any business that stores, processes, or transmits this data. The PCI guidelines provide a list of requirements to ensure that a company is providing the requisite level of security.
The objective of these requirements is to encourage companies to:
• Build and Maintain a Secure Network
• Protect Cardholder Data
• Maintain a Vulnerability Management Program
• Implement Strong Access Control Measures
• Regularly Monitor and Test Networks
• Maintain an Information Security Policy
Why adopt the PCI standard
• Customer retention, as customers feel safe using their credit cards with you
• Avoid fines of up to £50,000 per incident
• Large clients require their trading partners to be compliant; without compliance they cannot trade with you
• Good PR in the marketplace and retention of brand reputation
• Follow ‘Best Practices’ to ensure good business processes
• Hackers are blocked, and any lost backup data is not compromised
• You have to do it eventually!
What the market says
• USA: Citifinancial (part of Citibank) lost 3.9 million customer records, including credit card data, when tape backups were ‘mislaid’. With PCI rules this tape would have been encrypted
• Sweden: Over €800,000 in counterfeit fraud losses from almost 24,000 Visa cards was tracked back to a number of merchants in the bar, restaurant and hotel sectors, all of whom used the same third-party payment processor. With PCI rules this processor would have had secure access controls and encryption
• USA: More than 40 million accounts were compromised at a major US bank. The accounts were not limited to US citizens but also included 10 million customers. With PCI rules this data would have had better access controls and data encryption
• India: A Channel 4 investigation obtained 40,000 card details from a call centre that operated for many leading UK financial institutions. With PCI rules this data would have been encrypted
• USA: A backup CD containing the personal details of over 6,000 employees of its client McAfee was stolen from Deloitte and Touche. With PCI rules this CD would have been encrypted
• USA: Marriott Hotels lost the data of over 206,000 timeshare owners and customers, including personal information and credit card numbers. It was forced to contact every client and warn them of the loss. With PCI rules this data would have been encrypted
Should you decide not to adopt PCI
• You face the credit card companies naming your business for non-compliance
• Your reputation will be damaged, coupled with long-term loss of customer confidence
• Competitors who have been PCI cleared will have a competitive edge over you
• Hackers will know your data is not protected leaving your systems vulnerable
• You will lose business and in turn revenue
• You will get fined if your data is compromised
How Digital Pathways can help
Digital Pathways is experienced in delivering solutions that help its clients become compliant with the ever-increasing regulations and corporate governance rules in force in Europe. Our skill lies in bringing the right solution to our clients in a cost-effective manner and providing ongoing support and training to ensure the solution meets their needs well into the future.
Our proven methodology is to understand the client's business in relation to the regulation and to deploy appropriate products, tools or consultancy to meet the requirements set out by an assessor or auditor. Thereafter we provide ongoing technical support and reviews to ensure the solution continues to meet the regulation, which in turn speeds up annual assessments by auditors and reduces their onsite time and fees.