printer friendly version

Protecting information is not optional

Horror stories of companies carelessly losing thousands or even millions of records containing customers’ credit card information will soon be a thing of the past. A new compliance standard, designed by Visa and MasterCard, and endorsed by other card giants, now forces merchants that retain clients’ personal information to efficiently safeguard the information.

“The Payment Card Industry (PCI) Data Security Standard creates common industry security standard that effectively eliminates the possibility of careless or malicious loss of information,” says Amir Lubashevsky, director of Magix Integration. “Merchants wanting to continue accepting credit or debit card payments, collect, process or store credit card transaction information, regardless of their transaction volume, are required to meet the PCI standard. Failure to comply may result in substantial fines or permanent expulsion from card acceptance programmes.”

Amir Lubashevsky, director of Magix Integration

Lubashevsky adds that the demands of the PCI standard extend much further than simply protecting a database or a server. Everything from the network to the database must be protected according to best practice standards and certified by the card companies. And even this is only the beginning.

Organisations must also ensure they encrypt any and all transmissions of data including this sensitive information to prevent it from falling into the wrong hands. Additionally, to be fully compliant steps must be taken to ensure an employee is not able to copy data onto a USB drive, walk out the door and give it to unauthorised parties.

“This is not a exercise in risk mitigation and it is definitely not one of those nebulous risk minimisation processes organisations undertake to project an image of security,” Lubashevsky explains. “Since failure is not an option, organisations involved with card transactions will have to implement a PCI compliance process of risk elimination. This process can not allow for the continued existence of gaps or unsecured connections.”

To accomplish this difficult task requires more than a once-off risk management project. It requires an organisation to run an initial compliance audit to identify and eliminate its current vulnerabilities. Thereafter it needs to continually audit its systems, processes and infrastructure for new vulnerabilities and resolve them as they occur. This is a resource intensive task and is best done via automated compliance tools that operate seamlessly in the background and only require human intervention in exceptional circumstances.

Paying lip service to data protection in the world of credit and other transaction cards is over. Once the grace period is over and merchants are forced to comply, failure will not result in a public relations challenge, but serious financial penalties and even the inability to transact with plastic – a death knell in today’s society.

Share this article:

Further reading: