Many organisations have come to appreciate that PCI Security should never have been treated as a purely technical issue, but as a core part of their business strategy. Not all of them share this view yet, writes Ciske van Oosten.
First things first: if you have not already taken a business approach to PCI Security, take a step back and rethink.
PCI Security is all about business. Business success depends on an organisation's ability to adapt as quickly as its environment changes. PCI Security is about improving the capability to manage the business risks associated with cardholder data, in order to help maintain business profitability. Ultimately, it is about helping organisations to continue to exist.
Sound business practice requires the ongoing protection of business investments and the ability to increase the earning potential of every asset a business uses. The acceptance of payment cards remains a very valuable business asset. When it is well managed and protected, payment card acceptance continues to offer a good return on investment; problems arise when it is not.
The PCI Security Landscape in 2014
The general awareness of the PCI Security compliance requirements is quite high across industry verticals. Most organisations know that they are required to demonstrate adequate protection of cardholder data, in accordance with the relevant PCI Data Security Standard (PCI DSS), and they recognise this is a long-term compliance program that will remain a significant part of business for many years to come.
With a majority of merchants and service providers in several regions already compliant with PCI DSS, or well underway towards compliance validation, most organisations have learned (some the hard way) that PCI Security programs can be truly complex. The scope of PCI Security should never be underestimated, and neither should the immediate and long-term impact it has on the underlying business.
Yet, despite significant advances over recent years in understanding the impact of PCI Security – in particular in terms of the resources required for a sustainable compliance program – many organisations still find it challenging.
Where do the challenges lie?
Fundamentally, the knowledge and know-how required to achieve effective data protection, and to maintain compliance in a cost-efficient manner, are simply not available in many organisations.
We have now entered another new year, 2014, and it is a staggering nine years since the release of the original PCI Data Security Standard, DSS version 1.0, back in December 2004. (The Payment Card Industry Security Standards Council, which maintains the standard today, was formed in 2006.)
PCI DSS is on a three-year lifecycle. Organisations can currently validate against PCI DSS 2.0, but with the recent launch of version 3.0 (effective from 1 January 2014, with version 2.0 remaining valid until the end of 2014), organisations will be urged to make payment security part of their business-as-usual activities. Version 3.0 introduces more flexibility and an increased focus on education, awareness and security as a shared responsibility. It will also pose new challenges centred on the requirement for a defined penetration testing methodology covering the perimeter of the cardholder data environment and its critical systems, and on greater clarity of responsibilities where third parties are used.
The threat landscape is constantly changing, and this, combined with the rapid growth of data within organisations, brings not only greater challenges but also increased responsibility. Many organisations view data as power. In reality, the more personal data they store, the greater their exposure when a vulnerability is exploited and a breach occurs.
Risk to cardholder data is evolving, and risk management practices need to adapt to keep pace with advances in the payment card industry, in particular the rapid entry of mobile payment technology.
What does the future hold?
In 2014, PCI Security programs are expected to remain a complex business issue for many organisations, even after they achieve initial compliance validation. The ability to maintain compliance in a cost-effective manner depends on how mature an organisation is in managing a compliance program.
Compliance Officers are expected to report on the Total Cost of Ownership (TCO) of their compliance programs. More importantly, research conducted by Verizon in the latter part of 2013 found that, although some organisations do calculate the TCO of their compliance programs, very few take the next step of calculating the Return on Investment (ROI) of those programs.
This lack of financial and compliance performance insight places Compliance Officers at a major disadvantage. Full transparency over cost and return is required to obtain the business's support for their compliance strategies. More importantly, complete visibility and clarity are crucial in order to determine how changes in the compliance landscape, such as updates to the PCI Data Security Standard, evolving threats to sensitive data, or innovation in payment card industry technology, will ultimately affect the business success of their organisation.
Ciske van Oosten is Global Business Development Director at Verizon PCI Security Services.