PCI standard should be seen as an opportunity rather than a burden

Johannesburg, 06 May 2008

The Payment Card Industry (PCI) Data Security Standard is one of the first information security standards to come to market that is backed by severe penalties for companies that do not comply with its prescriptions.

The standard was created by major credit card associations - Visa, MasterCard, American Express, Discover Financial Services, and JCB - in response to the billions of dollars lost to credit card fraud each year.

"It represents one of the first technical standards for Internet security that has severe penalties for companies that cannot demonstrate that they have passed an audit for compliance with the standard," says David Naude, product manager at SecureData.

"Companies must be audited annually and be prepared to embrace new aspects of the standard as they are introduced. Senior executives at companies that handle consumer credit card data are more accountable than ever for ensuring that this information is secured."

The PCI standard is essentially a set of best practice requirements for protecting credit card data throughout the information lifecycle. It applies to all companies that process credit card transactions, from merchants and payment processors through to financial service providers, Naude says.

The standard outlines a number of responsibilities for companies that handle credit card data. They have to know where all of their cardholder data resides, and ensure that both the data and access to it are secured. Organisations also have to be able to prove that they have taken all the precautions the standard demands, and that they actively monitor their card data and associated systems for unauthorised access.

PCI is a wide-ranging standard with requirements that range from building a secure network, through to restricting physical access to the systems where credit card data is secured. It even demands that companies have a written information security policy.

"The standard is informed by an understanding that there is far more to information security than technology," Naude says. "Companies need to take a holistic approach that ensures that the behaviour of their staff and other factors don't leave their credit card data in a vulnerable state. PCI also demands that they continually evaluate their security and go through an annual audit."

The holistic nature of the PCI standard means that there are no silver bullets for compliance, Naude adds. Companies can't simply put a technical solution in place and expect to comply. The reason that 60% fail their audits is that they don't have an information security policy in place, a fundamental of good information security.

Companies that take PCI's demands to heart can extend the practices, policies and systems it insists on into the rest of their business, enhancing information security throughout the enterprise, says Naude.

"There are other pending and existing regulations and standards that touch on the importance of information security," says Naude. "Companies that embrace a good data governance framework for PCI can therefore also reduce their compliance costs in the future."

If regulators and standards bodies introduce new information security requirements in the years to come, a company that embraces PCI as a means of enhancing security systems, policies and practices will find it easier to comply. Companies that take PCI seriously will also be better able to protect their businesses and customers from breaches, sparing them the reputation and legal risks attached to serious security incidents.

Concludes Naude: "Time is running out for organisations to embrace the PCI standard. The credit card issuers are becoming impatient with slow adoption of the standard and have promised to start enforcing it more strictly going forward. Rather than doing the minimum needed to comply, businesses should use this as an opportunity to strengthen their enterprise security."

SecureData

SecureData is a specialist, value-added distributor of perimeter, application, network, endpoint, storage and identity information security solutions and risk management solutions for the African sub-continent and Indian Ocean islands. A cross-section of the available solutions from SecureData illustrates wide coverage of the following information security and risk management domains: business continuity, security appliances and devices, hardware authentication, identity and access management, security and vulnerability management, secure content management, threat management and security services. SecureData's information security and risk management solutions include best-of-breed solutions, devices and appliances for the perimeter, data centres, applications, network, endpoints, messaging and Web. In addition, as a value-add to vendor, channel and customer, SecureData also provides a full complement of support, pre-sales and professional services around the solutions positioned in each discrete security vertical.

Editorial contacts

David Naude
SecureData
davidn@securedata.co.za