In order to help businesses process secure card payments and minimise card fraud, the Payment Card Industry Data Security Standard, often abbreviated to PCI DSS, is a worldwide standard of tight controls surrounding the storage, transmission and processing of cardholder data handled.
Due to the sensitive nature of the data being processed, it is regarded as a high priority for retailers to adopt PCI DSS. Non-PCI DSS compliant retailers cannot guarantee the security of customers’ data, and risk the possibility of being liable for Card Scheme fines, fraud losses against those cards, and operational costs associated with replacing the accounts, not to mention reputational damages.
Point-to-Point Encryption (P2PE) encrypts card data at the PIN Entry Device (PED) before it is transmitted, therefore considerably reducing the DSS target for evaluation. Hence many retailers are choosing to apply P2PE to their businesses and refine the DSS implementation process.
> See also: Beyond compliance: Why we need to move past tick-box security
Given that this continues to be a critical topic for retailers in 2016, it is important to understand exactly why PCI DSS compliance is so important for your business.
Demand continues to rise
In recognition of the importance of PCI DSS compliance, the latter part of 2015 witnessed a surge of interest in P2PE, with increasing demand from all retail sectors, from newsagents and airside retailers to builders’ merchants, all eager to ensure they stay compliant and maintain smooth, risk-free operations.
These demands required a variety of remedies, from refreshed PEDs to implementation of brand new equipment.
Google’s Android Pay and Samsung Pay add to the pressure
Following closely behind the successful 2015 launch of Apple Pay, both Google’s Android Pay and Samsung Pay are on their way, and this new level of payment convenience leads us to project a further influx of interest and orders from all types of retailers, as well as Payment Service Providers (PSPs), who will be seeking a service provider capable of the deployment and support of their national and international P2PE PED fleets.
PCI DSS v3.2
To work around the SSL/early TLS migration scheduled for later this year, the latest update of PCI DSS technology – version 3.2 – is due to be released imminently, and is expected to function as a final version for the foreseeable future. Paying particular attention to identifying trends of compromise and the threat landscape, Version 3.2 will further ensure the security of sensitive information.
Speaking of the design and release of this latest version, PCI Security Standards Council’s Chief Technology Officer Troy Leach identified PCI DSS as a ‘mature standard’ that now requires far less reworking than previously.
Pressure to comply continues to grow
Retuned PCI DSS technology is not the end of the story, though. Laid down as a minimum to be adhered to, full compliance is the sole responsibility of the business.
According to Verizon, publisher of annual compliance reports, around 80% of companies failed their interim PCI compliance assessments last year, and the majority of cases were caused by inadequate operation and maintenance of security systems Ilia Kolochenko from High-Tech Bridge Cybersecurity advises that 99% of compliance breaches are caused by improper enforcement of DSS regulations within businesses.
Bad press associated with cybercrime on the rise
PCI DSS compliance is in everybody’s best interest. It is not just the customers’ sensitive data and financial situations at stake if regulations are not adhered to; company networks are often left exposed by poor system maintenance, allowing for attackers and cybercriminals to access the systems.
A chain reaction can be observed in such circumstances. Customers lose money and security, sharing their negative experience with others and expecting compensation for their losses. Regulatory boards will also be looking for reparations for the damages caused by the company’s negligence.
> See also: PCI DSS: What's the right compliance path for your business?
It is a serious, multi-layered issue to consider. And bear in mind, Verizon also reported that 69% of customers would be dissuaded from working with a company who had experienced security breaches.
Demand continues to diversify
Somewhat surprisingly, P2PE is no longer an issue only for traditional retailers, but has been expanding further afield, as demand is observed from many different sectors. These sectors will have individual requirements of their own to be considered, so 2016 looks set to see much diversification, to give businesses that vital step up in operating securely.
Due to the considerable majorities failing compliance assessments, the Federal Trade Commission has been knuckling down on compliance. Noticing the pointlessness of businesses being notified in advance of upcoming assessments, and the time it allows to cover or rectify any problems they know will be detected, the FTC has begun proactive monitoring and assessment of DSS compliance.
This 180 on the FTC’s part demonstrates how seriously security is taken, and how seriously businesses should be taking it.
Sourced from Andy Duck, business development manager, Barron McCann