Payment Card Industry Data Security Standard considerations
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of the Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
September 26, 2022
Many business owners who collect card details find reasons not to pursue compliance with the Payment Card Industry Data Security Standard (PCI DSS). They consider its requirements too onerous and, more often, simply do not know what they would have to do to meet them. PCI DSS nevertheless applies to any business that processes payment cards issued by American Express, Discover Financial Services, JCB International, Mastercard Worldwide or Visa Inc.
To be clear, PCI DSS must be followed by any organisation that stores, processes or transmits cardholder data for cards issued by these brands. Many companies reduce the scope of that obligation by outsourcing payment processing to a larger provider, but outsourcing does not remove it: a merchant that never touches card data itself still has to validate its own, reduced, compliance scope, and any card data that does enter the business (over the phone, by email, on paper) pulls those people, processes and systems back into scope. I always advise companies, regardless of size, to consider the need for PCI compliance if they process card details, even when they outsource, because I have seen businesses collect card details over the phone and save them on paper (that is just bad practice).
Businesses need to identify the people, processes and technology within their organisation that interact with or are exposed to payment card information; together these make up the cardholder data environment that the standard protects. Companies that process card details must then meet the twelve PCI DSS requirements, which are grouped under six goals. It is not a small feat, but it can be achieved.
The author's estimate is that just over thirty percent of companies collect, share and store payment card information in ways that create vulnerabilities and expose their business to threats. By working through the twelve requirements they can begin to build a sound approach to protecting this information. There are consequences when a business fails to protect card details: the acquiring bank can levy fines on behalf of the card brands and, ultimately, the business can lose the ability to accept those brands' cards. So, what are the six PCI DSS goals under which the twelve requirements sit?
The first goal is to build and maintain a secure network and systems. This goes without saying, because security is the first step any company must take before it considers processing card details. In practice it means installing and maintaining network security controls (firewalls or equivalent) around the systems that handle cardholder data, and never leaving vendor-supplied default passwords and settings in place on any of those systems.
Second is to protect cardholder data: stored card information must be protected at rest (and sensitive authentication data such as the full magnetic stripe, CVV or PIN must never be stored after authorisation), and card data must be encrypted whenever it is transmitted across open, public networks. Third, companies must maintain a vulnerability management programme: keep anti-virus or other anti-malware protection current on systems commonly affected by malware, and develop and maintain secure systems and software, which includes applying security patches promptly.
The fourth goal is to implement strong access control measures: restrict access to cardholder data to those with a business need to know, assign a unique ID to each person with computer access and authenticate that access, and restrict physical access to cardholder data. The fifth goal is to regularly monitor and test networks, which means logging and monitoring all access to network resources and cardholder data, and regularly testing the security of systems and networks through vulnerability scans and penetration tests.
The sixth goal is to maintain a robust information security policy that addresses information security for all personnel, including but not limited to data protection protocols, security approaches and bring-your-own-device schemes. These are some of the compliance categories (I will cover the rest in other articles).
It must be noted here that PCI DSS is not a law or regulatory requirement; it is a contractual obligation imposed through the card brands and acquiring banks, which can impose fines and other penalties for non-compliance. As such, if your business wants to accept physical, mobile or online payments from the major card brands, it needs to make sure it is compliant with PCI DSS. I am happy to provide excellent approaches to companies' PCI DSS compliance journey.
-
business a.m. commits to publishing a diversity of views, opinions and comments. It, therefore, welcomes your reaction to this and any of our articles via email: comment@businessamlive.com