The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for enhancing payment account data security. Developed in 2004 by the PCI Security Standards Council, these standards set out industry-wide, global adoption of consistent data security measures. The Council was originally founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International, and the standard applies to all businesses that take credit and debit cards, regardless of size or transaction volume.
Essentially, the credit card companies and merchant banks have shifted the risk of a data breach to the merchants through the introduction of PCI DSS. It applies to all entities involved in credit card processing: any business involved in the storage, processing and/or transmission of payment card numbers must comply. The scary thing is that most merchants have no idea that the PCI requirements exist!
Now in its 10th year, the standard has gone through various iterations and we are now on PCI DSS 3.0. PCI ensures customers' personal data is protected and allows companies to protect themselves from financial losses and remediation costs. In turn, this higher level of data security inspires customer confidence and trust, ultimately safeguarding brand reputation.
Simple, right? Actually, PCI compliance can be a confusing and costly exercise, and so it is often cast aside as businesses deal with other, more pressing issues. The market is filled with inaccurate information and myths around PCI. Non-compliance can leave your business exposed (in the worst case, a hacker can effectively steal customer credit card details from your system). However, if dealt with in a timely and logical manner, it can save both financial pain and your reputation in the long run. Requirements can differ according to merchant level and card issuer, so it's important to check with your suppliers to ensure that you are meeting all the requirements.
In Ireland, Loyaltybuild was recently at the centre of a major data breach, in which the full card details of over 376,000 customers were taken. 70,000 were SuperValu Getaway customers and over 8,000 were AXA Leisure Break customers. It transpires that the details of an additional 150,000 clients were also potentially compromised. This has caused material damage to Loyaltybuild and also to the brands affected, in some cases perhaps further fuelling customer suspicion about handing over credit card and personal details to retailers.
The large US retail brand Target was also hit by a major credit card attack at the end of last year, involving up to 40 million customer accounts. The data breach began around Black Friday, the day after Thanksgiving and the busiest shopping day of the year. With almost 1,800 stores in the United States and 124 in Canada, Target is a robust brand and could, to some extent, weather this. For smaller brands, however, this type of hit would be a disaster.
At the moment in Korea, millions of cards are being re-issued following another massive data leak scandal, and banks there have consequently been raising their security measures to protect customers' data. Some of the major credit card firms, such as KB Kookmin Card, Nonghyup and Lotte Card, are affected. There are reportedly some 20 million card users in Korea, and reports say that the personal data of at least 10-17 million bank and credit card holders has been leaked! Apparently the majority of financial firms in Korea were not even aware of the leaks for nearly a year, by which time the damage had been done.
Clearly the US and Korean examples are on a massive scale, but this is just as important for SMEs and medium-sized businesses, where reputation is the cornerstone of repeat business.
Any retailer that takes credit cards has to be careful about who they select as their service provider: security and compliance are essential. Many companies, large and small, are typically under-prepared when they face a data breach. There are key procedures to follow in the event that this happens, namely to work closely with those affected and the Regulator, and to draft in the right experts to address the data breach. There is only a very short window in which you have a chance to preserve public trust in your company.
It's a good idea to do a thorough check of any IT and security systems in place and to review your service provider to ensure they are up to speed with PCI DSS 3.0. We regularly work with companies in this area, and offer audit services for any business to confirm their compliance. If this is something that affects your business, get in touch with either of us to discuss your options.
086 231 9484
086 242 6382