2018 has already been a big year for compliance. The GDPR deadline has come and gone, and in the noise around GDPR readiness you may not have noticed that earlier in the year (1 February) the new requirements introduced in version 3.2 of the PCI DSS (Payment Card Industry Data Security Standard) stopped being "best practice" and became mandatory.
PCI compliance has been a requirement, in one way or another, since the first version of the standard in 2004. And yet, according to Verizon's 2017 Payment Security Report, almost half of businesses (48.4%) were still failing to meet the standard last year. The same report found that none of the breached organisations it investigated was fully compliant at the time of the breach, and that there is a clear link between an organisation maintaining PCI compliance and its ability to defend itself against data breaches.
There continue to be high-profile breaches in which attackers obtain card data through a company's online payment system. In January of this year, for instance, around 40,000 OnePlus customers were affected after a malicious script injected into the mobile phone company's payment page captured card details as customers entered them. Compromising customer data in this way will undoubtedly have caused reputational damage for OnePlus, as it does for any organisation targeted in the same way.
By their very nature, online card payments will always be a target for fraud, and it is exactly this kind of breach that the PCI DSS aims to prevent by defining what a secure environment for handling card data looks like. Updates to the standard, such as the one that took effect in February this year, are how it keeps pace with attackers whose techniques keep changing and growing more sophisticated. Note that the PCI DSS is not a law: it is an industry standard enforced through the contracts you hold with your acquiring bank and the card brands.
With SMEs continuing to be more likely than any other business to be the target of an attack, PCI compliance should be a priority. And yet it seems that many businesses are still complacent about it. Either that, or they find it too confusing.
What does the updated PCI DSS mean for your SME?
As ever, working out whether PCI compliance applies to your business is easy: if you accept, process, store or transmit cardholder data in any way, it does.
It doesn't matter whether you're an SME or a large enterprise, or whether you take card-present or cardholder-not-present (CNP) payments: if cardholder data passes through your business, you need to be PCI compliant. What does differ is how you have to validate that compliance. Your acquirer assigns you a merchant level based on annual transaction volume, and the level, together with how you accept cards, decides whether you need an on-site assessment by a Qualified Security Assessor or can complete a Self-Assessment Questionnaire (SAQ). For most SMEs it is the latter: an annual SAQ, plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV) for the SAQ types that require them. Even if a third-party payment provider handles all of the card data for you, you still have to validate, although the scope is far smaller. That once-a-year rhythm may explain some of the complacency, since keeping compliance front of mind at all times isn't easy in an SME without dedicated IT resource.
The latest updates to the PCI DSS were introduced in version 3.2 in April 2016, with a grace period giving businesses until 1 February this year to implement the new requirements. The full change summary for version 3.2 (and how it differs from previous versions) can be viewed on the PCI Security Standards Council website, but the new requirements included, amongst others:
– Multi-factor authentication for all non-console administrative access into the cardholder data environment (Requirement 8.3.1), not just remote access from outside the network as before; this applies to every merchant and service provider
– Detecting and reporting failures of critical security controls such as firewalls, IDS/IPS, file integrity monitoring and logging, and responding to them promptly (Requirement 10.8); service providers only
– Executive management establishing responsibility for a formal PCI DSS compliance programme (Requirement 12.4.1); service providers only
– Quarterly reviews confirming that staff are actually following the security policies and procedures (Requirement 12.11); service providers only
– Change control that re-checks the relevant PCI DSS requirements after any significant change to the environment (Requirement 6.4.6), and, separately, the 30 June 2018 deadline after which SSL and early TLS may no longer be used as a security control (Appendix A2), which matters to any SME running its own checkout page
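The multi-factor authentication requirement above is the one most SMEs will actually have to implement themselves, typically on the servers and jump hosts their admins reach over SSH. The script below is an added example, not code from the original post or from the PCI Security Standards Council: it reads OpenSSH's effective configuration (the output of `sshd -T`) and reports whether every permitted login path needs at least two distinct factors. It assumes OpenSSH 6.2 or later (for `AuthenticationMethods`) and a PAM module such as `pam_google_authenticator` supplying the one-time-code prompt behind `keyboard-interactive`; the two configuration dumps inside it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Audits the output of `sshd -T`
# to see whether every allowed authentication path needs two or more distinct
# factors, as PCI DSS 3.2 Requirement 8.3.1 expects for non-console admin
# access into the cardholder data environment.
#
# Assumptions: OpenSSH 6.2+ (AuthenticationMethods is available) and a PAM
# module such as pam_google_authenticator behind keyboard-interactive.
# Sample dumps below are constructed for this example, not taken from a host.

# ssh_requires_mfa CONFIG_TEXT
# Returns 0 when every comma-separated chain in AuthenticationMethods contains
# at least two different methods; returns 1 when any chain accepts a single
# method, when the value is "any" (the OpenSSH default), or when the line is
# missing altogether.
ssh_requires_mfa() {
    # sshd -T prints keys in lower case; accept mixed case from hand-written files too.
    methods=$(printf '%s\n' "$1" | awk 'tolower($1)=="authenticationmethods"{ $1=""; print }')
    [ -n "$methods" ] || return 1
    for chain in $methods; do
        case "$chain" in
            any) return 1 ;;      # any single method logs in
            *,*)
                # publickey,publickey is two keys, not two factors: count distinct methods.
                distinct=$(printf '%s\n' "$chain" | tr ',' '\n' | sort -u | wc -l | tr -d ' ')
                [ "$distinct" -ge 2 ] || return 1 ;;
            *)   return 1 ;;      # one method on its own is enough
        esac
    done
    return 0
}

# Constructed: a host where a key on its own (or a password on its own) logs in.
WEAK_SSHD_T='port 22
usepam yes
passwordauthentication yes
authenticationmethods any'

# Constructed: key plus a PAM-backed one-time code on every path. The matching
# /etc/ssh/sshd_config lines are:
#   UsePAM yes
#   ChallengeResponseAuthentication yes   (KbdInteractiveAuthentication on OpenSSH 8.7+)
#   PasswordAuthentication no
#   AuthenticationMethods publickey,keyboard-interactive
# with /etc/pam.d/sshd carrying:  auth required pam_google_authenticator.so
STRONG_SSHD_T='port 22
usepam yes
passwordauthentication no
challengeresponseauthentication yes
authenticationmethods publickey,keyboard-interactive'

ssh_requires_mfa "$WEAK_SSHD_T"   && echo "weak config:   MFA enforced"   || echo "weak config:   single-factor path present"
ssh_requires_mfa "$STRONG_SSHD_T" && echo "strong config: MFA enforced"   || echo "strong config: single-factor path present"
```

On a live host, run `ssh_requires_mfa "$(sudo sshd -T)"` instead of the constructed dumps; `sshd -T` shows the configuration sshd actually enforces, including defaults, which is what an assessor will look at rather than the file on disk. The check deliberately treats a chain of two public keys as a single factor, since both are "something you have".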
It will be interesting to see what the compliance figures say this year. Will businesses’ GDPR efforts have a knock-on effect on PCI compliance, helping to improve data security measures across the board?
It remains to be seen, but SMEs in particular should be careful not to let PCI compliance fall by the wayside, which the current figures suggest many are doing. Not only because they are an easier target than bigger companies for cyber criminals, but also because the contractual fines your acquirer can pass on for non-compliance, and the costs of a data breach itself, could threaten an SME's ability to continue as a viable business.
After all, treating PCI compliance as a tick-box exercise won't protect SMEs against data breaches in the long run, nor against the financial and reputational harm those breaches bring with them.