Opinion: Top three reasons for businesses to be PCI DSS compliant
JOHANNESBURG – With rising levels of credit card fraud along with regulatory and industry pressure, Payment Card Industry Data Security Standard (PCI DSS) compliance is becoming more critical for businesses to attain.
Combined losses from card fraud were up by 18 percent between 2017 and 2018, costing South African individuals and businesses R873 394 351. Given the increasing digitisation of all commercial transactions – from banking to shopping to paying for services on the go – PCI compliance has now become unavoidable for any business that stores, processes or transmits cardholder data.
If there was any doubt for companies as to why they should take PCI compliance seriously, here are a few reasons why.
What is PCI DSS?
The Payment Card Industry Data Security Standard applies to any organisation that in any way stores, processes or transmits cardholder data. Despite the name, it’s not a single standard, but rather a group of standards that apply depending on the nature of the organisation and the manner in which it handles cardholder information.
In the PCI DSS space, there are potentially three types of organisations - those that deal with the acquisition and issuing of cards, merchants, and service providers. A merchant is easily defined as a business or individual that sells goods or services for payment with a credit card, irrespective of whether the transactions are Card Present or Card Not Present.
Card Present means a sale with a card that is physically swiped or inserted into a card machine, and Card Not Present is where merchants accept payments, either over the phone or on an ecommerce website. Within the merchant classification, there are four different levels, all of which have different requirements in terms of achieving and maintaining compliance. Such merchant classifications do not depend on the value of the transactions, but rather the volume.
Reasons why PCI compliance can no longer be ignored:
Boosts customer confidence
The main purpose of the PCI DSS is to minimise the risk of debit and credit card data loss by outlining how to prevent, detect and react if potential data breaches materialise. These days, it is critical that customers be able to ascertain that the website they’re shopping on is secure – they use their cards online to purchase products or services and put themselves at risk for financial loss.
Card fraud and identity theft are a massive problem in South Africa, so merchants need to pay careful attention to securing sensitive data on their websites.
Provides businesses with a level of protection if a breach does occur
PCI compliance might not be sufficient to prevent every single data breach. However, if a breach does occur and the business is compliant, there is the assumption that, because all the correct processes were in place, the breach was due to circumstances beyond the control of the business. This could potentially mean that the organisation can avoid a penalty fine, because it has done everything it can.
Compliance is less complicated than businesses think
PCI DSS is the minimum standard, which covers the minimum from a best practice point of view. The requirements are clearly defined, which simplifies compliance and means that it is not an insurmountable obstacle. Furthermore, once compliance is achieved, maintaining it is not difficult.
The PCI compliance requirement is here to stay, which means that businesses need to acknowledge its importance and approach it with the right attitude - it is not simply about becoming compliant and ticking boxes, but rather a necessity for improving security, which ultimately benefits every business and its customers.
Simeon Tassev is managing director and QSA at Galix Networking.