With PCI DSS 3.2 now in place plus the forthcoming introduction of GDPR legislation next month, businesses are finding their focus is being forced to shift ever more towards the security of customer data. For many businesses, the road to compliance can appear daunting and costly. So what is the best way to tackle these changes in data security expectations? Is adding to what you’ve already got enough or are you better off going back to basics and starting from scratch?
What are the PCI DSS requirements for my business?
Any business that accepts card payments, be it in person, over the phone or online, is required to meet PCI DSS guidelines at a level that is relevant to their business, based on the volume of card payments that are processed annually. The relevant level and, for those for whom self -assessment applies, the correct Self- Assessment Questionnaire (SAQ), should be the starting point for you to address what is required for your PCI DSS compliance and help you to define the changes that need to be made to your card payment system and processes.
How robust is your existing system?
If you’re failing to meet the criteria for compliance then stripping your system and heading back to basics could be the most effective means of addressing the issue of protecting your customer data and card payments from a data breach. If you’re currently missing the mark when it comes to PCI compliance then chances are you’re probably not meeting required general data protection procedures either. Luckily going through the process of becoming PCI compliant will take you closer to achieving GDPR obligations too.
It’s a good idea to regularly undertake vulnerability scans and penetration testing of your computers, systems and networks to highlight weaknesses that hackers could potentially exploit. If your system has been kept up to date then introducing increased security measures such as multifactor authentication (a new requirement for PCI DSS v3.2) and end-to-end encryption shouldn’t be an issue.
See PCI DSS compliance and GDPR as an opportunity rather than a burden
The introduction of new regulations gives businesses the chance to re-evaluate existing systems and procedures not just to comply with revised guidelines but to look at the payment process as a whole. How do you currently accept payments and what data do you store, process and transmit? Is there a different approach that could be more efficient AND provide a better experience for your customers?
There is no doubt that data security guidelines are here to stay and will develop further in future so bringing your system in line with this new legislation now will make it easier for you to adapt. And as new requirements stipulate that you show evidence of continuous compliance then you need to find a permanent solution, rather than one that simply gets you through PCI DSS assessment. Whatever your approach, to sit back and do nothing is most definitely a no-no. Quite rightly, it is expected that your business takes the issue of protecting customer data seriously, making it a daily priority and not a checklist to achieve compliance.
At PCI Telecom, we create bespoke card processing systems for over-the-phone and online payments that are accredited to a PCI DSS Level 1 standard. Our systems can be installed from scratch or designed to interface with your existing database and accounting functions. Find out more about our Solutions here.