There was a time (as recently as the early 2000s) when stealing credit card data was much easier, largely because there were few coherent guidelines for protecting customer data. The Payment Card Industry (PCI) Security Standards Council has since developed a set of standards to protect cardholder data and decrease risk.
PCI compliance consists of the following high-level objectives:
Since you’re reading this, it’s likely that your business accepts credit card payments either online, in-person (including over the phone), or both. As a chief technology officer at an agency that specializes in marketing for businesses like yours, I’ve compiled a list of questions I am frequently asked and what I hope are constructive answers.
Our company is X. Doesn’t PCI only apply to Y?
Simply put, if your company accepts, stores, or transmits cardholder data, regardless of the number of transactions, PCI applies to you. It’s also important to note here that PCI compliance pertains to your organization as a whole, not just to individual lines of business. For example, if you do 99% of your business in a brick-and-mortar store but accept credit cards online for the other 1%, your web applications must also meet the PCI standards.
Furthermore, even if your company does not process or store credit card numbers but does store customers’ personal information, the PCI guidelines can still be applied 100% to protecting that data. I’ve had customers use PCI compliance as a benchmark for securing their customer data, even when they weren’t “on the hook” to be PCI compliant.
I’m in marketing/communications. Why should I care about PCI?
Just spend an hour in a TSA line at the airport or contort your brain filling out one of those CAPTCHAs online, and you’ll see that security pretty much trumps everything. This is especially true when it comes to customer data. Even if one of your vendors loses your customer’s data, your company’s name could be listed right along with them in the press. This is not intended to scare you but to prepare you for the inevitable. You’ll have to deal with security eventually, especially if you, or your vendors, have customer or cardholder data.
As a marketer, you’re always looking for that next great agency to wow you. I suggest finding one that is committed to information security. When selecting a marketing or development agency, you’re most likely in no position to test every agency’s knowledge of the latest encryption standards or the safest network configurations. Instead, your best bet is to look for certifications like CISSP or PCI. PCI provides you with a definitive standard for evaluating an organization’s commitment to security.
We have an info-sec team. Isn’t PCI their responsibility?
I get this one a lot. Traditional thought dictates that compliance (and security as a whole) is a function of IT or, in a larger organization, of the information security team. This meant that decisions about which systems to use fell almost entirely to those teams. Back in the old days, IT procured, installed, secured, and maintained POS terminals, and that was the end of the integration. Since then, most enterprises have added online purchasing, phone ordering, automatic payments, mobile payments, and the like. This means a much larger role for the business folks who aren’t part of the IT or info-sec group. Chances are, many of these functions are outsourced, but that doesn’t absolve you of your responsibility to be PCI compliant (more on that later).
This trend toward a more integrated approach to security across the enterprise shows no sign of abating. So if you have an eCommerce initiative that needs to be complete by year’s end, it’s a good idea to learn all you can about PCI compliance and actively participate in the vendor selection process. After all, should it be up to your IT team to decide who can best represent your brand to your customers?
With so many requirements in the PCI Data Security Standard (PCI DSS), I don’t think we’ll ever be compliant. Is there any way to limit the burden?
The breadth of PCI DSS can seem overwhelming, but your company may not have to take on the majority of the burden. The best way to limit risk and control cost (as well as to avoid locking down your whole company) is to limit the scope of what your business stores. Three simple rules can save you time, money, and painful organizational change:
A well-defined strategy can make the task of achieving and maintaining PCI compliance a lot less daunting than it seems when you first look over the PCI DSS. Mitigating risk, controlling scope, and choosing the right vendors can make all the difference.