For consumers, access to credit and debit cards (collectively ‘Payment Cards’) offers highly attractive benefits when paying for goods and services: no need to carry cash, deferred payment, and the option to spread the cost of a purchase over time. For the most part, payment cards do deliver these benefits.
For businesses, on the other hand, consumer access to digital payment mechanisms such as payment cards is a match made in heaven. It means they can receive payment for their goods more quickly, sell online with no need for brick-and-mortar stores, and maintain invaluable data on consumers that cash payments could never provide.
And therein lies the problem!
There are around 175 million adults with credit or debit cards in the US. The data related to those payment card accounts has huge intrinsic value, to legitimate and illegitimate users alike.
Payment card fraud is now a $16 billion industry in the US alone. And it is an industry in which every kind of nefarious individual you can imagine plays a role, from the mischief-making opportunistic amateur through to nation states intent on much more serious and disruptive cyber-based criminal activity (‘Who are the ‘Bad Guys’ Committing Cyber Crime?’).
Payment Card Security
So who exactly is responsible for protecting payment card information and how does the governance of the industry work?
The Payment Card Industry Security Standards Council (PCI SSC) is an independent industry body that governs Payment Card Industry standards on a global basis. The Council is backed by the five major payment card brands: American Express, Discover Financial, JCB International, MasterCard and Visa, Inc., so it has significant authority to act. One of the standards governed by the Council is the PCI Data Security Standard (PCI DSS), which applies to any organization that stores, processes or transmits credit or debit card data.
If you operate your business as a ‘merchant’, that is, a company that takes payments via credit or debit cards, you are required to adhere to PCI DSS (currently at version 3.2). Merchants must ensure that the operating environment in which card data is stored, processed or transmitted is compliant with the latest version of PCI DSS (PCI DSS: An Expert Practitioners’ View).
The Data Security Standard itself comprises a series of technical and operational requirements that set out best practices for protecting cardholder data. Becoming compliant with PCI DSS is no small task and, depending on the size and scope of your organization, may require significant resources, time and focus to achieve.
Maintaining PCI compliance often proves to be even more challenging: many companies, once they have expended the time and effort to become compliant, lose their compliant status within 12 to 24 months. In the main this is because achieving compliance with a standard like PCI DSS is not a one-time exercise. It requires an ongoing data security and operational strategy that continually assesses your internal operating environment, as well as external factors such as new security threats and changes to the standard's requirements, to ensure that you remain compliant.
So What are the Risks?
Businesses that are not PCI DSS compliant may be subject to fines, sanctions, and loss of privileges from banks and credit card processors. Clearly, this would be highly damaging for most businesses, given the general reliance on card payments for securing income from customers. In fact, the US National Cyber Security Alliance found that, following a cyber attack, 60 percent of small companies ceased trading within six months.
The situation gets significantly worse if the PCI failure results in an actual loss of data. Businesses then face fines, higher fees and other sanctions, as well as the cost of repairing the damage to their brand, compensating affected customers, communicating with all affected parties, and the general loss of business confidence that follows a data breach. There are many very public examples of organizations that have suffered a data breach and seen the cost of making reparations spiral into the hundreds of millions of dollars. But even for smaller companies the real costs of a breach are significant. According to the 2016 Ponemon Cost of Data Breach report, the average cost of a breach to US businesses was $7.01 million.
Just to add one more issue to be concerned with, businesses that are not PCI compliant may be subject to lawsuits and governmental prosecution for failing to protect customer data.
A reasonable first step towards mitigating the risk of a data breach, and all of the bad things that come along with such an event, is to implement a security strategy that begins by assessing the current level of compliance within your business. From that assessment you can determine a path to PCI compliance, along with the associated improvements in data security.
About Welford Management & Consulting
Welford is a multi-faceted technology consultancy providing advice, support and solutions for companies in a wide range of industries. We develop and execute strategies for our clients in three practice areas: Security & Compliance, Business Strategy & Support, and Sales & Marketing Automation. Our expertise comes from a team of individuals who each focus on one of our practice disciplines, so that we can bring the necessary skills and experience to the business challenge or opportunity that you are currently facing.
In the Security & Compliance practice we help assess your current level of risk related to the sensitive customer information that you may hold within your organization. This may be payment card information, personal health information, or data on European citizens that falls under the requirements of the General Data Protection Regulation (GDPR), which becomes law on May 25th, 2018. We develop and execute strategies to address your data security requirements and support the implementation of the technologies and processes that help reduce the likelihood of your suffering a damaging and expensive data breach.