Ensuring PCI DSS compliance across your business activities
PCI DSS is something I hear a lot about these days. It’s only natural that as we become more aware of issues like user privacy, cybersecurity, and the relentless nature of cybercriminals, businesses become keener on security standards like this.
Recently, I was at a store checking out a fancy pair of sneakers. After about 30 minutes of back-and-forth between the white version and the black, I finally made a decision and headed to the counter to pay for it. As the cashier swiped my card, more curious than concerned, I asked him whether they store credit card details and customer information when a sale goes through.
“I don’t really know, man”, he replied, “I just swipe the card and hand it back to the customer. I mean maybe they do maintain some record? That would make sense, I guess. Not really sure about credit card details, though. That seems kinda unethical.”
I thanked him, took my sneakers, and left. What I was most struck by was the fact that this guy had no clue about what security measures were being taken to protect sensitive customer information! For me, this is very telling about the general level of security a business enjoys.
This little interaction had me thinking about PCI DSS - a leading information security standard for companies that handle and process credit cards as part of their activities - and exactly why it’s such an important security standard for B2C businesses, especially those in the retail sector.
PCI DSS COMPLIANCE STARTS WITH MEANINGFUL EMPLOYEE TRAINING AND EMPOWERMENT
While compliance is a fancy word and one that companies get very excited about, the first thing I tell them is that meaningful and sustained compliance comes down to something most people don’t like: employee training.
While this isn’t exactly the most exciting thing to do, it’s crucial if you want to ensure that your teams abide by the security policies you put in place. If they don’t understand why they need to do something, which in this case might include switching over to a more secure order-processing or payment environment, they’re unlikely to put their full effort into maintaining security.
When it comes to the PCI DSS, make sure your training covers:
What PCI DSS compliance means and what it requires
How to apply the PCI DSS requirements in your workplace
Who is responsible for each key part of the process
MAKE SURE YOUR PCI DSS PROGRAMME HAS ROBUST CONTROLS IN PLACE
A recommendation coming directly from the PCI Security Standards Council is to make sure that you have powerful controls in place to monitor, test, and document the execution of your PCI DSS compliance programme.
To begin with, make sure you have a comprehensive policy outlined to govern your compliance and that you have review and analysis mechanisms in place, so you can constantly check whether your controls are working.
In this process, make sure you’re also looking for control failures. These might be highlighted as a result of a security incident or, if you’re lucky, before that happens. If you do detect a control failure, look at how you can restore the control, conduct a root-cause analysis, and identify what remediation is needed.
Once you update your controls, keep reviewing them to confirm that they still work.
ARE YOU OUTSOURCING COMPLIANCE? MAKE SURE YOUR SERVICE PROVIDERS ARE ON POINT
Nowadays, it’s a common practice for businesses to outsource their compliance and overall security management to external service providers.
While this is recommended if you have no idea what you’re doing when it comes to PCI DSS compliance, your responsibility doesn’t stop at finding a professional and experienced team. Even after you bring them on board, you need to verify that their work is actually keeping you compliant with your chosen security standards.
One thing I’d recommend here is holding frequent debriefs with your security team to understand whether you’re on track and staying there.
LEVERAGE PCI DSS COMPLIANCE TO SECURE YOUR BUSINESS