
Businesses should reduce scope in order to achieve compliance with global Payment Card Industry (PCI) standards, says Peter Harvey, MD of PayGate.
There is increasing pressure on businesses to comply with these standards, but compliance is difficult, he notes. "Anybody considering it should prepare themselves for at least two years of intense effort."
Gaining PCI compliance necessitates rethinking and redefining everything about the business, from IT infrastructure, to recruitment practices, he explains. "If I had one piece of advice to give to anyone embarking on this journey, it would be this: reduce the scope of the exercise as much as possible."
Anyone who transmits, processes or stores full credit card details needs PCI compliance - so the first step is to explore the business's use of credit card information and determine if compliance is necessary, or if the systems can be changed so that compliance is no longer necessary, says Harvey.
"For example, for various historical reasons, many systems still use credit card numbers as account numbers. This made sense in the old days, but nowadays, it's a disaster waiting to happen," says Harvey. To avoid subjecting the entire organisation to PCI compliance, he suggests, the system could be reduced to "one central card process that you can secure. This will have knock-on consequences for your [customer relationship management] systems - but the costs will be much, much lower than PCI compliance.
"Your goal should be that your systems should handle credit card information only when it's absolutely necessary and unavoidable. If you can replace a stored card number with a secure token or alias, for example, do it. Tokenisation is a powerful security tool that we're urging more and more of our customers to use," he continues. "In fact, if processing card payments is not your core business, there is a strong argument to outsource it to a third party completely. I believe that, in the next two to five years, we'll see many more companies, including point of sale system providers, turning over the complex and difficult business of processing card transactions to specialist providers."
If it is vital for the business to process, store or transmit credit card details, these processes should be isolated to one or two maximum-security systems, says Harvey. "Throw everything you have at it; not just the usual firewalls and anti-virus protection, but also data encryption, intrusion detection and file integrity management. Then have an outside security expert - an 'ethical hacker' - test your system for vulnerabilities before you start working on your PCI certification. The insight you gain will be well worth it."
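The tokenisation and isolation advice above, as an added illustration that is not code from the article or from PayGate: a minimal token vault is the single in-scope system that holds card numbers, while every other system (the CRM, reporting) keeps only a random token and the last four digits. The vault, the `tok_` prefix, the HMAC lookup key and the 4111... test card number are all constructed for this example; a production vault would additionally encrypt the stored PANs at rest.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: reject mistyped numbers before they ever reach the vault."""
    digits = [int(d) for d in pan if d.isdigit()]
    if not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """The one isolated, maximum-security system that may hold full PANs."""

    def __init__(self, lookup_key: bytes):
        self._key = lookup_key       # secret key for the dedup fingerprint (assumed, constructed)
        self._pan_by_token = {}      # token -> PAN; only the vault ever sees this mapping
        self._token_by_fp = {}       # HMAC(PAN) -> token, so a repeat card reuses its token

    def _fingerprint(self, pan: str) -> str:
        # Keyed hash: lets the vault find an existing token without a reversible index.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> dict:
        """Return the only fields an out-of-scope system (e.g. the CRM) may store."""
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        fp = self._fingerprint(pan)
        token = self._token_by_fp.get(fp)
        if token is None:
            # Random token: nothing about the PAN can be recovered from it.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_fp[fp] = token
            self._pan_by_token[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def detokenize(self, token: str) -> str:
        """Only the payment process inside the secured perimeter calls this."""
        return self._pan_by_token[token]
```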