Monday 3 March 2014

PCI DSS 3.0 – failure to comply and your reputation is at stake.


The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements for enhancing payment account data security. Developed in 2004 by the PCI Security Standards Council, these standards set out industry-wide, global adoption of consistent data security measures.
The standard was originally founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa International, and it applies to all businesses that take credit and debit cards, regardless of size or transaction volume.
Essentially the credit card companies and merchant banks have shifted the risk of data breach to the merchants through the introduction of PCI DSS.
It applies to all entities involved in credit card processing. In fact, any business involved in the storage, processing and/or transmission of payment card numbers must comply. The scary thing is that most merchants have no idea that the PCI requirements exist!
In its 10th year, there have been various iterations, and we are now on PCI DSS 3.0. PCI ensures customers’ personal data is protected and allows companies to protect themselves from financial losses and remediation costs. In turn, this higher level of data security inspires customer confidence and trust, ultimately safeguarding brand reputation.
Simple, right? Actually, PCI compliance can be a confusing and costly exercise, and so often it is cast aside as businesses deal with other, more pressing issues. The market is filled with inaccurate information and myths around PCI. Non-compliance can leave your business exposed (in the worst case, a hacker can effectively steal customer credit card details from your system).
However, if dealt with in a timely and logical manner, it can save both financial pain and your reputation in the long run. Requirements can differ according to merchant level and card issuer, so it’s important to check with your suppliers to ensure that you are meeting all the requirements.
In Ireland, Loyaltybuild was recently at the centre of a major data breach, in which the full card details of over 376,000 customers were taken. 70,000 were Supervalu Getaway customers and over 8,000 were AXA Leisure Break customers. It transpires that the details of an additional 150,000 clients were also potentially compromised. This has caused material damage to Loyaltybuild and also to the brands affected, in some cases perhaps further fuelling customer suspicion about handing over credit card/personal details to retailers.
The large retail brand Target, in the US, was also hit by a major credit-card attack at the end of last year, involving up to 40 million customer accounts. The data breach began around Black Friday, the day after Thanksgiving and the busiest shopping day of the year. With almost 1,800 stores in the United States and 124 in Canada, Target is a robust brand and to some extent could weather this. However, for smaller brands, this type of hit would be a disaster.
At the moment in Korea, millions of cards are being re-issued following another massive data leak scandal. Consequently, banks there have been raising their security measures to protect customers’ data. Some of the major credit card firms, such as KB Kookmin Card, Nonghyup and Lotte Card, are affected. In fact, there are reportedly some 20 million card users in Korea, and reports say that the personal data of at least 10-17 million bank and credit card holders has been leaked!

Apparently the majority of financial firms in Korea were not even aware of the leaks for nearly one year, by which time the damage had been done.

Clearly the US and Korean examples are on a massive scale, but this is just as important for small and medium-sized businesses, where reputation is the cornerstone of repeat business.
Any retailer who takes credit cards has to be careful about who they select as their service provider – security and compliance are essential. Many companies — large and small — are typically under-prepared when they face a data breach. There are key procedures to follow if this happens, namely working closely with those affected and the Regulator and drafting in the right experts to address the data breach. There is only a very short window in which you have a chance to preserve public trust in your company.
It’s a good idea to do a thorough check of any IT and security systems in place and to review your service provider to ensure they are up to speed with PCI DSS 3.0. We regularly work with companies in this area, and offer audit services for any business to confirm their compliance.

If this is something that affects your business, get in touch with either of us to discuss your options.

086 231 9484

086 242 6382
