
Transacting safely: Why the move to PCI-DSS compliance is non-negotiable

Every business that accepts credit card payments must comply with the Payment Card Industry Data Security Standard, says Jan Lewis, MD of iEnterprise Solutions.


Johannesburg, 20 May 2014

With fraud and cybercrime on the rise, every business that accepts credit card payments must comply with the Payment Card Industry Data Security Standard - and it need not cost a mint to do so either. That's according to Jan Lewis, Managing Director of iEnterprise Solutions, who adds that although the risks faced by anyone accepting payments have heightened, the cost of compliance has decreased substantially and achieving it has become far easier.

"Safeguarding transactions has become critically important due to the massive growth in fraud, cybercrime and other threats. In addition, mobile money transfers have added a new level of risk to making transactions," Lewis says.

Lewis explains that PCI-DSS was designed by key payments industry stakeholders to protect payment card transactions. The standard covers a range of criteria, including the installation and maintenance of a firewall configuration, monitoring of access to network resources and even testing of Web applications. These criteria are all targeted at protecting cardholder data.

"Over the past five years, the PCI-DSS framework has evolved from being guidelines without enforceable sanctions, to a 'must-have' certification for those in the business of manipulating, storing or transmitting cardholder data," Lewis notes.

Although the standard has been in place for some time, until recently it was mainly major enterprises that aimed for full compliance. However, Lewis says, with transactions moving from the point of sale to mobile, and thanks to the ability to transfer money between mobile devices and conduct internet banking via mobile, confidential banking information is now available everywhere.

"Rogue users can log in from anywhere in the world. The transactional environment is much bigger now, with many more users, much more activity and greater risk. This is a situation which is only going to intensify in the foreseeable future, so every business that accepts card payments needs to take effective steps to secure these transactions," Lewis stresses.

While PCI-DSS requirements may seem onerous, they are comprehensive and as such provide an effective barrier to protect sensitive information. "The bottom line is that those who are PCI-DSS compliant are far less vulnerable to fraud and cybercrime," he notes.

Importantly, Lewis says that while many businesses hold back on compliance out of concerns for the cost, phased approaches are possible and affordable. "Achieving PCI-DSS compliance need not involve an 'all or nothing' approach. Instead, it is possible to begin a path to compliance by focusing first on the most relevant aspects of the standard; in any event, since the criteria for compliance are continually updated as new threats emerge, full compliance is always a work in progress."

He therefore points out that, of the 12 requirements that make up the PCI-DSS, those responsible for security can address the most relevant ones first while remaining mindful of budget or resource constraints.

"Supporting the move to a more secure transaction environment, technology vendors are cutting process and many outsource providers and reseller companies deliver PCI-DSS as a managed service or even as a full on-site service. Information and training are widely available online to educate businesses and support them as they move to comply," Lewis adds.

Providing some perspective, he notes that awareness of the importance of fully securing card transactions is growing fast in South Africa. In Nigeria, there is now a rush to achieve compliance as the "cashless society" takes off in the country; elsewhere in Africa, awareness of PCI-DSS and the move to compliance are somewhat slower.


Editorial contacts

Chane' Mackay
iEnterprise Solutions
chane@ienter.co.za