The saying “nothing worth having comes easy…” couldn’t be truer in the case of fortifying an organisation’s systems and infrastructure and ensuring it meets the industry standards and compliance requirements.
By Simeon Tassev, MD and qualified security assessor at Galix
And whilst it might seem daunting at first, it’s well worth the effort. Unfortunately, this is where it gets sticky as some businesses simply don’t see the value and will – as long as possible – sidestep responsibility particularly when it comes to compliance.
The Payment Card Industry Data Security Standard (PCI DSS) is a prime example and has over the years been riddled with misconceptions and some instances of resistance.
Not me
One of the of the major misconceptions of PCI DSS is that organisations believe the standard does not apply to them and they aren’t obligated to meet its requirements. Moreover, they believe the responsibilities lie with their chosen financial services partner or outsourced supplier.
This couldn’t be further from the truth. Whilst outsourcing, for example, simplifies payment card processing it does not provide automatic compliance. Organisations must address policies and procedures for cardholder transactions and data processing.
Put in layman terms, you must protect cardholder data on receipt, charge back and refund. Additionally, all transaction applications and card terminals must comply with the PCI standards and not store sensitive cardholder data.
Critically, when using an outsourced provider, you must request a certificate of compliance (annually) and properly defined roles and responsibilities to ensure compliance.
Time doesn’t stand still
Compliance is not static and an ongoing process that requires commitment and importantly maintenance. In the case of PCI DSS, we often find organisations believe that once they’ve successfully completed an assessment, they are compliant.
PCI DSS is not a snapshot in time; security exploits remain constant and become more sophisticated as time goes by. PCI compliance efforts must be a continuous process of assessment and remediation to ensure the safety of cardholder data.
It’s just too difficult
Often, organisations will try to get away with the minimum, however, as a business you must take ownership – the protection of payment and cardholder data lies with you, no one else.
Yes, it can seem overwhelming, particularly to those merchants and businesses with large IT departments, however, at the very foundation of PCI DSS is sound security.
If anything, PCI DSS offers invaluable and proven steps towards strengthening business operations and security. Importantly, the business risks and ultimate costs of non-compliance can far exceed initial implementation expense.
Applying PCI DSS should be part of a sound, basic enterprise security strategy, which requires making this activity part of your ongoing business plan and budget
It’s not only up to IT
IT is not the answer to organisation’s PCI DSS compliance issues. The same goes for the Protection of Personal Information Act, 2013 (POPIA) which came into effect on 1 July 2020.
Granted, the IT department is responsible for technical and operational aspects of PCI and POPIA-related systems, however, compliance is and remains a business responsibility. As mentioned, it’s not a project with a beginning and an end; it’s a constant process of assessment of remediation and reporting.
In conclusion, PCI compliance must be addressed by multi-disciplinary team that includes reaching out to outsourced experts to ensure all the compliance requirements are met and maintained for the foreseeable, future.