Compliance with the PCI DSS (Payment Card Industry Data Security Standard) data security requirements is a key initiative for any company that processes or stores credit card data, or that holds correspondence which might include credit card numbers.
PCI, an industry-wide adoption of Visa’s CISP (Cardholder Information Security Program), is the credit card industry’s standard for securing cardholder data.
Visa’s CISP and MasterCard’s Site Data Protection standards merged into the PCI standard in December 2004.
In the UK, compliance was mandatory by 30th September 2010, for any business that stores, processes, or transmits this data. The PCI guidelines provide a list of requirements to ensure that a company is providing the requisite level of security.
The objective of these requirements is to encourage companies to:
Build and Maintain a Secure Network
Protect Cardholder Data
Maintain a Vulnerability Management Program
Implement Strong Access Control Measures
Regularly Monitor and Test Networks
Maintain an Information Security Policy
Why adopt the PCI standard
Customer retention, as customers feel safe using their credit cards with you
Avoid fines of up to £50,000 per incident
Large clients require their trading partners to be compliant; if they are not, they cannot trade
Good PR in the marketplace and retention of brand reputation
Follow ‘Best Practices’ to ensure good business processes
Hackers are blocked, and any lost back-up data is not compromised
You have to do it eventually!
What the market says
USA: Citifinancial (part of Citibank) lost 3.9 million customer records, including credit card data, when tape back-ups were ‘mislaid’. With PCI rules this tape would have been encrypted
Sweden: Over €800,000 in counterfeit fraud losses from almost 24,000 Visa cards was traced back to a number of merchants in the bar, restaurant and hotel sectors, all of whom used the same third-party payment processor. With PCI rules there would have been secure access controls and encryption in place
USA: More than 40 million accounts were compromised at a major US bank. The affected accounts were not limited to US citizens and included 10 million customers. With PCI rules this data would have had better access controls and data encryption
India: A Channel 4 investigation secured 40,000 card details from a call centre that operated for many leading UK financial institutions. With PCI rules this data would have been encrypted
USA: A back-up CD containing the personal details of over 6,000 employees of its client, McAfee, was stolen from Deloitte and Touche. With PCI rules this CD would have been encrypted
USA: Marriott Hotels lost the data of over 206,000 timeshare owners and customers, including personal information and credit card numbers. It was forced to contact every client and warn them of the loss. With PCI rules this data would have been encrypted
Should you decide not to adopt PCI
You face the credit card companies naming your business for non-compliance
Your reputation will be damaged, coupled with long-term loss of customer confidence
Competitors who have been PCI cleared will have a competitive edge over you
Hackers will know your data is not protected, leaving your systems vulnerable
You will lose business and in turn revenue
You will get fined if your data is compromised
How Digital Pathways can help
Digital Pathways is experienced in delivering solutions that help its clients become compliant with the ever-increasing regulations and corporate governance rules in force in Europe. Our skill is in bringing the right solution to our clients in a cost-effective manner and providing ongoing support and training to ensure the solution meets their needs well into the future.
Our proven methodology is to understand the client’s business in relation to the regulation and to deploy appropriate products, tools or consultancy to meet the requirements set out by an assessor or auditor. Thereafter we provide ongoing technical support and reviews to ensure the solution continues to meet the regulation, which in turn speeds up annual assessments by auditors and so reduces their onsite time and fees.