Failing to plan is planning to fail when it comes to PCI DSS

The PCI DSS (Payment Card Industry Data Security Standard) is a security standard that any organisation storing, processing or transmitting Visa, MasterCard or Amex credit or debit card data must comply with, and must be able to demonstrate compliance with, whether by self-assessment or by a formal assessment depending on its transaction volume.

Its latest incarnation (Version 2.0) was released in October 2010.

By Helen Dickinson

Although most retailers are aware of PCI DSS and the need to comply, some are struggling to interpret the standard following the recent changes, let alone meet its requirements, even though all of the deadlines for compliance have now passed.

The standard itself is complex: it covers payment card data security processes, including those for preventing, detecting and responding appropriately to security incidents. Many retailers are still working out how best to attain compliance, particularly where they trade across multiple channels. And some businesses have agreed a programme to demonstrate the path to compliance that is now proving difficult to deliver, increasing the risk of fines in the future.

Retailers that take credit cards but fail to adhere to the standard can be subject to sizeable fines, or have their ability to take cards withdrawn. So avoiding the common pitfalls, and ensuring that time and money are being invested in the most beneficial areas of PCI DSS, is crucial. One of the most overlooked areas when running a PCI DSS programme is 'PCI DSS sustainability': ensuring that, once certification has been achieved, the right roles, responsibilities and processes are in place so that recertification succeeds the following year rather than starting again from scratch.

But PCI DSS is also prompting many retailers to think about all the systems holding data they need to protect, whether that is card details, wider customer information or intellectual property. The issue was brought sharply into focus this week when online customers of several companies were warned that they may see an increase in spam email after attackers obtained their details in a wider attack on the marketing firm Epsilon.

A data leakage incident, whether linked to PCI DSS or not, could seriously damage a retailer's brand, undermine customer confidence and expose the retailer to fines and legal action. For example, the Information Commissioner can impose fines of up to £500,000 for losing personal data. With technology continuing to advance, the growing portability and ease of transferring data only intensify the problem and make protecting it harder.

Interestingly, most retailers consider themselves well controlled in this area, but we often see software source code sent to personal email addresses, sensitive board-level information sent outside the business unprotected, and employee data sent to personal email accounts: starters' and leavers' salary details, national insurance numbers, reasons for leaving and so on.

Although many retailers have bought data loss prevention tools in the past, quite often they have not implemented or tuned them to identify the data that actually matters, nor defined how the tools should be used in the organisation, with clear roles and responsibilities for acting on what they find. So although they assume they are protected, some are not getting the protection they paid for and are being lulled into a false sense of security.
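To make the 'tuning' point concrete, the following is an added example (not code from the article or from KPMG) of the kind of content rule a data loss tool needs before it can tell a card number from an order reference. It scans outbound message text for primary account numbers, accepting a digit run only if it is 13 to 19 digits long and passes the Luhn check that all major card brands use, and for UK national insurance numbers using a simplified format rule. The sample messages, the rule names and the block/quarantine/allow verdicts are all constructed for illustration; a real deployment would draw its patterns and actions from the retailer's own data classification.

```python
"""Minimal DLP content rules for the two data types the article names:
payment card PANs and UK national insurance numbers.  Added example with
constructed sample data; not the article's own code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# 13 to 19 digits, optionally separated by single spaces or hyphens, and not
# embedded in a longer digit run (a 20-digit reference should not match).
PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

# Simplified HMRC format: two prefix letters (some letters and prefixes are
# never issued, e.g. BG, GB, NK, KN, TN, NT, ZZ), six digits, suffix A-D.
NINO = re.compile(
    r"\b(?!BG|GB|NK|KN|TN|NT|ZZ)[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]"
    r" ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b"
)


@dataclass
class Finding:
    kind: str      # "pan" or "nino"
    masked: str    # what may be written to the DLP log
    offset: int    # where in the message it was found


def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by all major card brands; weeds out order numbers
    and phone numbers that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_message(text: str) -> list[Finding]:
    """Return one Finding per sensitive value, never the raw value itself."""
    findings: list[Finding] = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            # First six / last four is the truncation PCI DSS permits for display.
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            findings.append(Finding("pan", masked, m.start()))
    for m in NINO.finditer(text):
        findings.append(Finding("nino", re.sub(r"\d", "*", m.group()), m.start()))
    return sorted(findings, key=lambda f: f.offset)


def verdict(findings: list[Finding]) -> str:
    """Hypothetical policy: cardholder data is blocked outright, employee
    identifiers are held for review, everything else flows."""
    kinds = {f.kind for f in findings}
    if "pan" in kinds:
        return "block"
    if "nino" in kinds:
        return "quarantine"
    return "allow"


# Constructed sample messages.  4111 1111 1111 1111 is the standard Visa test
# number; 1234567812345678 is a 16-digit order reference that fails Luhn.
SAMPLE_MESSAGES = {
    "refund": "Please refund card 4111 1111 1111 1111 for order 1234567812345678",
    "payroll": "Leaver J. Smith, NI number AB 12 34 56 C, final salary attached",
    "benign": "Call me on 0207 123 4567 or the office on 0161 496 0000",
}

if __name__ == "__main__":
    for name, body in SAMPLE_MESSAGES.items():
        found = scan_message(body)
        print(f"{name:8s} {verdict(found):10s} {[f.masked for f in found]}")
```

The Luhn step is what stops the rule from flagging the 16-digit order number in the first message, which is exactly the false positive that makes an untuned tool noisy enough to be switched off; the masked output is what should reach the DLP console, so that the tool itself does not become another place where full card numbers are stored.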

Obviously, identifying and managing the risk is only one part of the equation: the solution also needs to be cost effective. However, with an average of 1 in 400 email messages presenting a critical business risk and, where data loss does occur, the average cost being £64 per record (Source: Ponemon Institute 2010), the business imperative is certainly there.

And one final tip: while managing the risk of an incident is the highest priority, it is also important to have a plan for dealing with data leakage when it does happen. Knowing how to contain the situation, and how to protect against the additional brand damage that follows from mishandling it, is just as important as prevention.

Helen Dickinson is Head of Retail at KPMG