PCI DSS / Security Compliance
Are you minimising your ongoing PCI DSS compliance costs?
Credit card merchants are often aware that they need to comply with the PCI standards, yet they remain resistant, because they do not realise that embracing the process can in fact reduce, rather than increase, the ongoing costs of credit card security and compliance.
On the other hand, many companies that have achieved compliance struggle to maintain it, typically because of a lack of ongoing project oversight, increasingly onerous compliance requirements, complexity and/or cost. A Verizon study found that 75% of the 100 PCI DSS compliant companies surveyed had lapsed on their regulatory obligations only a year later. In other words, they had left themselves vulnerable to data breaches and were not effectively leveraging their initial investment in data security.
So what steps can you take to reduce the ongoing complexity and cost of maintaining PCI compliance? First, be realistic about the scope and cost of the process over the long term. Companies tend to focus on short-term costs and underestimate long-term ones; this narrow view can lead to poor solution selection and a higher total cost.
Our team has also seen companies that did not secure the right level of executive support and budget allocation. This is particularly common in corporate or trans-Tasman projects that cross divisional, business or geographical boundaries, and it can prolong projects and leave resources underutilised.
One of the best ways to reduce your ongoing costs is to de-scope your environment as much as possible. By shrinking your cardholder data environment you reduce your ongoing audit and assessment costs and are less exposed to changes in the PCI DSS standard as it evolves.
An excellent way to reduce the card data environment is cloud-based tokenization: credit card data is replaced by financially non-sensitive tokens that cannot be reverse-engineered back to the card number. If your company is the victim of a data breach, the stolen tokens cannot be used fraudulently on the open market.
If your payment channels and systems only ever handle tokens, those systems are removed from PCI DSS scope and your assessment costs fall dramatically. To maximise the cost-reducing benefits of tokenization, it's important to incorporate multi-bank, cloud-based payment processing so that downstream payment processes are removed from scope as well. Done correctly, tokenization overcomes the common trade-off between security and innovation while enabling progress towards improved omni-channel customer interactions.
For companies that have achieved PCI DSS certification, it's important to maintain a governance team to ensure that new card initiatives do not result in sensitive data entering your environment, as the cost of remediation later can be high.
Companies can also leverage card scanning platforms to quickly identify any unprotected card data entering their environment, ensuring that unencrypted card data is found and then deleted or secured as soon as possible. Our clients often use our card scanning services in conjunction with quarterly workshops to ensure that card data and new payment projects do not jeopardise the company's PCI DSS position.
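The two techniques above, tokenization (replacing PANs with tokens that carry no card information) and card-data scanning (finding unprotected PANs that have leaked into logs or files), can be illustrated together. The following is an added example written for this page; it is not the code of any vendor's platform or vault. It assumes a hypothetical in-memory TokenVault standing in for a cloud token service, a constructed sample log, and the widely used Visa test number 4111111111111111 as the sample PAN. The tokens are drawn from a CSPRNG, keep only the last four digits for display, and are deliberately required to fail the Luhn check, so the same scanner that flags a real PAN ignores a token.

```python
import re
import secrets
from dataclasses import dataclass, field


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check that real PANs satisfy. The scanner uses it to cut
    false positives; the vault uses it to make sure tokens never pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Hypothetical in-memory stand-in for a cloud token vault (example only).
    The PAN<->token maps live ONLY here; every other system sees tokens, so
    only the vault remains in PCI DSS scope."""
    _by_pan: dict = field(default_factory=dict)
    _by_token: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        if pan in self._by_pan:              # the same card always gets the same token
            return self._by_pan[pan]
        while True:
            # Random digits from a CSPRNG with the last four kept for display.
            # The token is unrelated to the PAN, so it cannot be reversed without
            # the vault, and it must FAIL Luhn so it is never mistaken for a card.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._by_token:
                break
        self._by_pan[pan] = token
        self._by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. when forwarding to the acquirer) can do this."""
        try:
            return self._by_token[token]
        except KeyError:
            raise KeyError("unknown token") from None


# Candidate PANs: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def mask(pan: str) -> str:
    """PCI DSS masking: at most the first six and last four digits in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_pans(text: str) -> list:
    """Return every Luhn-valid PAN found in text, masked, with its line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):           # drops order ids and other digit runs
                findings.append({"line": lineno, "masked": mask(digits), "length": len(digits)})
    return findings


# Constructed sample log: an order id (not a PAN), a raw PAN leaked by a
# debug statement, and a correctly masked PAN.
SAMPLE_LOG = """\
2024-03-01 10:02:11 order=1234567890123 status=paid
2024-03-01 10:02:12 DEBUG raw request: card=4111 1111 1111 1111 exp=12/26
2024-03-01 10:02:13 settlement card=411111******1111 ok
"""


def demo() -> dict:
    """Tokenize the sample PAN, then scan the raw and the tokenized log."""
    vault = TokenVault()
    pan = "4111111111111111"                 # constructed sample: the common Visa test number
    token = vault.tokenize(pan)
    tokenized_log = SAMPLE_LOG.replace("4111 1111 1111 1111", token)
    return {
        "token": token,
        "roundtrip": vault.detokenize(token) == pan,
        "raw_findings": scan_for_pans(SAMPLE_LOG),          # line 2 is flagged
        "tokenized_findings": scan_for_pans(tokenized_log), # nothing to flag
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() flags only line 2 of the raw log (reported masked, never in the clear) and flags nothing once the PAN has been replaced by a token, which is the operational meaning of "tokens take the system out of scope": a scanner run over logs, databases and file shares after a tokenization project should come back empty, and any hit points to a channel that is still receiving real card data.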
Companies do not understand the potential conflicts of interest between industry participants such as banks, QSAs and vendors, and as a result can sometimes be ill-advised, which does not help with cost minimisation. You should talk to a team that understands your company's specific needs, can see the big picture, and delivers practical, cost-effective solutions.