There isn’t anything more essential to a business’s success than the trust of its clients. Long gone are the days when cash was king; today’s customers pay largely by credit or debit card, which requires the placement of their highly sensitive financial information in the hands of the merchant. It will only take one misstep to put clients at risk of a security breach and the business at risk of losing credibility, a surefire recipe for losing customer patronage.
Fraud and identity theft are lurking out there in cyberspace, and no company is truly immune. Even large, highly trusted companies have been burned, including Target and Neiman Marcus. While the reputations of these companies suffered, they have the PR power and financial means to stay afloat. This is not true of every business, which is why it is so essential for every company, large or small, to make the effort to stay PCI DSS 3.0 compliant.
PCI DSS 3.0 is the latest incarnation of the Payment Card Industry Data Security Standard. Set forth by the Payment Card Industry Security Standards Council, the PCI DSS is a set of standards, policies and procedures meant to prevent security breaches and protect the sensitive data of consumers from fraudulent access. Because data and related technology are always evolving, the PCI DSS must necessarily evolve as well; consequently, it is updated on a 3-year cycle, and the latest 3.0 version was implemented in January of this year.
In spite of the obvious benefits, few companies (an estimated 11 percent, in actuality) are fully and consistently compliant with PCI DSS. After the Target and Neiman Marcus breaches, it was found that neither company was in full compliance at the time of the incident. But why?
It takes a great deal of time, effort and work to stay PCI DSS compliant. This is a fact that can't be changed or glossed over. It is intentionally a difficult process: the more points that are covered, the more effective the security will be, but covering those points takes a great deal of ongoing effort.
Unfortunately, many companies don’t invest enough time or manpower into maintaining PCI DSS compliance. They scramble to reinstate compliance each year, only to fall short just weeks or months later.
It is important for businesses to view PCI DSS compliance in a positive light, and to try to see the act of maintaining compliance as an investment, as opposed to a frustrating hurdle to overcome. After all, while PCI DSS compliance is not foolproof, it decreases the opportunity for fraud in untold ways. It helps to look at compliance like insurance: yes, the business is continually investing time and money in the prevention of something that may never happen. But if the worst does happen, that company will be far better off with it than without it.
There are a number of things that businesses can do to make compliance a simpler, more streamlined process. First and foremost, they can run a business analysis to determine how much work will be involved and what measures must be taken to maintain compliance on a day-to-day basis. This will help them develop an appropriate budget and adequate staffing. They can reduce the scope of the information they store, since less information means less risk and less expense. And they can integrate PCI DSS into their day-to-day business practices so that it becomes part of the status quo, rather than a side project that needs special handling.
In the end, PCI DSS compliance really is the best thing a business can do for its customers, and for its own well-being.