PCI compliance is not a luxury; it’s a necessity for businesses taking transactions by payment card, Robin Varley our Senior Data Security Manager, explains
For organisations pivoting to a more modern, digital way of doing business, compliance with the Payment Card Industry Data Security Standard (PCI DSS) should be top of the to-do list and not a task for another day.
After times like no other, it’s hardly surprising to find that businesses everywhere are being pulled from pillar to post. With so much turmoil and uncertainty, PCI compliance may not seem the most urgent task on the to-do list. But one knock-on effect of the Coronavirus pandemic has been a rapid acceleration in the digital transformation of enterprises and, in particular, an explosion in the number of companies now geared up for online card payment.
PCI compliance has never been more important
It has been a long time since cash was king. A quiet revolution was already taking place, with the adoption of contactless, online and mobile phone payments following a gently incremental curve. As consumers have become increasingly comfortable with technology, transactions have become fast and frictionless. Yet, despite more than 80 per cent of the UK population owning a contactless card, it is estimated that only 50 per cent had used it as their preferred payment method prior to 2020.
Then along came Covid-19.
The pandemic has driven a rapid adoption of new technology within the business community and encouraged many to embrace online and contactless payment options. However, it is crucial for businesses to remember that speed of transformation should never come at the expense of high standards of data protection and information security. Indeed, you ignore compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) at your peril.
It is a testament to the resilience and agility of the business community that so many have embraced the opportunities presented by digital transformation. But it must also be remembered that any business accepting, transmitting, processing or storing cardholder data has a responsibility to do so safely and securely.
The value of PCI DSS
The intention behind the PCI DSS compliance process is not to conduct a tick-box exercise to achieve compliance; it is to keep your business and your customer data safe on an on-going basis.
Yet, while many businesses understand its value, there are some who see it as an expensive, painful exercise which is to be endured. But if you turn that perspective on its head, you will see the immense advantages in using the PCI DSS to bolster security, safeguard data and improve resilience. In the event of a breach you will have a clear plan to manage and mitigate its impact, meaning you can recover more quickly and minimise disruption.
Card payments: what are the risks?
There’s no doubt that there are many benefits to accepting card payments and making it easier for consumers to make purchases at the touch of a button or the tap of a card. In fact, you could experience significant growth in your business simply by offering more ways to pay.
Alongside these benefits, you need to remain alert and aware of your responsibilities and the risks involved. Fundamentally, you need to take steps to protect cardholder data from both accidental data loss and malicious attempts to manipulate data – which might come in the form of a fraudulent purchase or the threat of a data breach initiated by a hacker.
Thanks to Covid-19, these risks are more apparent than ever before. In many instances, employees who have been sent to work remotely now find themselves taking payments over the phone in hastily assembled home offices – often using their own personal devices.
All of this represents an opportunity for hackers who are alert to the vulnerabilities of organisations forced to change their business model at short notice. If PCI DSS compliance was important before, since the pandemic it is more crucial than ever.
The cost of a breach
The financial implications of a breach will vary, depending on a number of factors, including the size and scale of a breach, the payment channel affected and the number of transactions of cards involved.
Another consideration is the cost of the breach response in the form of a Payment Card Industry Forensic Investigation – known as a PFI. Once the relevant regulator and affected parties have been notified, an investigation is required to identify the full extent of the breach and inform any remedial work that is necessary.
The cost of a PFI may vary significantly depending on the nature of the breach, but with broad costs totalling anywhere between £20,000 and £100,000 it immediately becomes apparent that working hard to prevent a breach through a proactive approach to compliance is always preferable to a reactive one.
Add to this equation, a post PFI PCI assessment by a Qualified Security Assessor (QSA), the hefty reputational damage caused by a breach and tough disciplinary action given out by the Information Commissioners Office (ICO), card companies and acquiring banks, and we can begin to see the value in prioritising PCI compliance.
Finally, payment card breaches may also be punishable under the General Data Protection Regulation (GDPR) with fines of up to €20 million or 4% of annual global turnover (whichever is greater).
The role of a QSA
The compliance process need not be costly or difficult. Although the PCI DSS compliance process can sometimes be rigorous, engaging with a trusted PCI Qualified Security Assessor (QSA) will help to make it a more manageable and stress-free process. By providing you with expert guidance to get your business up to speed, a qualified QSA can help identify specific and precise requirements, thereby delivering value and saving unnecessary expense.
Certified by the PCI Security Standards Council, a good QSA will be responsive and accessible, working collaboratively to ensure you achieve and maintain compliance which, in turn, means improved security for your customers’ card data.
It is important to remember that even if you have passed a compliance audit within the last 12 months you may find any recent changes made to your systems and processes require a new audit and assessment process.
The key message to any business that accepts payment cards is that the benefits of accepting card payments will far outweigh the challenges of PCI compliance, if a proactive and committed approach is taken. Treat it as a luxury or afterthought, however, and the damage caused can often be irreparable.
Elavon can help and support you with any other PCI DSS, GDPR or Cybersecurity challenges you may face. Contact us to discuss your data security needs