IN PRAISE OF PCI

  • Hackers will get smarter and PCI-DSS standards will change to combat them

    The war between hackers and merchants will continue. Hackers will find new ways to penetrate Websites and network environments, and security hardware and software will fight back. The PCI-DSS will evolve to ensure merchants are doing everything they can to protect cardholder data and reduce losses.

    As an example, a new requirement (PCI-DSS Requirement 6.6) becomes mandatory in June: merchants must either place a Web application firewall in front of all public-facing Web applications or have all custom application code reviewed for common vulnerabilities. Expect additions like this on an ongoing basis as technologies such as network architectures, data encryption, access control, and forensic tools improve. This means merchants must continually invest in programs, technology, people, and processes to stay up to date.

  • Technology and service providers are constantly adapting

    Your responsibility to demonstrate compliance with PCI-DSS includes validating security within your own walls as well as proving that any outside service providers that handle credit card transactions or sensitive customer data meet the standard.

    Expect and plan for updates from providers delivering technology on-premises and from those hosting for you. Proactively work with providers to understand their PCI-DSS related plans, releases, and upgrades.

    The technology environment of the multichannel merchant is particularly complex: secure environments, data flows, and processes must be considered across online and offline systems and the many points of integration between them.

    Understand what levels of certification each provider holds, and which to include in your compliance paperwork. Budget and plan accordingly, not only to stay in compliance but also to run the most up-to-date and most secure releases.

    This requires tight linkage and a shared business planning process between IT or risk management and the finance arm of any merchant. Small investments in technology upgrades can help avoid big PR problems or fines later.

  • Laws based on PCI standards are in discussions

    Consumer data security is not only a concern of the card associations and banks; it is also on the radar of state and federal legislators. Minnesota has already passed a law that holds merchants doing business in the state accountable for data security, with obligations drawn from the PCI-DSS.

    A similar bill in California passed unanimously in the State Assembly and State Senate but was vetoed by Governor Arnold Schwarzenegger. The bill had broad consumer support and is expected to be raised again. Texas also had legislation in process, but it, too, was rejected.

    While merchants in California and Texas are off the hook for now, expect this issue to keep surfacing at the state and federal levels as concern over consumer data security rises.

Merchants should treat PCI-DSS compliance, and annual re-validation, as a priority to protect the brand, raise consumer confidence, and control long-term costs. Successful Web marketers are integrating PCI compliance into an ongoing business plan.

What's more, savvy online merchants are being proactive in making data security an issue critical to growth, competitive advantage, and financial stability.


Tiffany Riley is senior vice president of marketing at MarketLive (www.mmlive.com), a Petaluma, CA-based provider of e-commerce technology and services.

5 steps for PCI compliance

The Payment Card Industry Data Security Standard is here to stay, and it will only grow in relevance and importance. PCI compliance is a complex topic with many nuances, requiring attention and focus. Companies can follow these simple steps to make consumer data security policies and PCI compliance less of a fad diet and more of a way of life.

  1. Assign an organizational owner. It does not matter where this person sits in the organization, but someone in your company needs to own customer data security and track the latest PCI standards and compliance requirements.
  2. Get educated. Learn all about today's standards and how those standards might be changing based on your business and your customer data strategies. Compliance will mean different strategies for different vendors. There is no one-size-fits-all program.
  3. Educate your company across all functions. The organizational owner will need to help educate everyone involved in customer data and security strategies: IT, marketing, merchandising, finance, and anyone else who touches customer data. Additionally, and even more important, ensure C-level executives understand the compliance and brand-related benefits of continually investing in PCI-DSS compliance.
  4. Create, maintain, and update a documented security business strategy and PCI compliance program within your organization, complete with metrics.
  5. Budget each year for ongoing enhancements to online and offline stores, hardware, software, and network environments, whether these environments are self-maintained or are managed by a service provider.
    TR

