So I’ll admit I’m relatively new to the PCI compliance arena. That said, I’ve been working with technology and financial companies for the last 15 years, and while I’ve seen topics come and go, PCI compliance is here to stay. I’ve noticed some common themes in what I hear from the folks I’ve spoken with recently, and I wanted to share some of my favorites.
1) PCI Compliance is not a revenue generator
Well, kind of. While the vast majority of companies I speak with realize they need to be compliant (and secure), many have a difficult time justifying the steps necessary to get there. The fact is that if you’re not compliant, the fines and penalties (among other drawbacks) you face could prove disastrous.
2) I think we’re compliant
I hear this most often, and when I do, my mind keeps wanting me to ask, “You think, or you know?” I’m sure I don’t need to go into the difference, but with the sheer number of breaches going on, I know which answer would help me sleep better at night, knowing that the cardholder data I am responsible for sits in an environment that is not only compliant, but secure.
3) I filled out my SAQ, so I assume I’m compliant
In actuality, you filled out your SAQ (Self-Assessment Questionnaire), so you’ve claimed you’re compliant. You’ve attested to your acquirer that you’ve met all of the requirements, and you’ll be expected to provide evidence to prove it when asked. A self-assessment is an attestation, not an independent validation.
4) I have So-and-So handling that, so we’re all set
Oh, why didn’t you just say so? The truth is that even though you think you’re doing what is necessary to be compliant, this article on breaches goes to show that what you really need is to KNOW. In the article, the restaurant companies that were breached (because of poor judgment on the part of a vendor) all thought they were compliant, but ended up facing many hardships. In another case, a restaurant company in Michigan that was breached had to close both of its locations. My guess is that they, too, thought they were “all set”.
Takeaway:
If you think you’re compliant, you may want to think again, and get that validated with PCI Compliance Services so you know you’re compliant. Call your QSA, go online, call your security partner, heck, call me! In the end, we’re all consumers just as we’re stewards of our customers’ card data. While the card brands have done their best, through the PCI Security Standards Council, to make sure we protect card data, it really is up to us to ensure it. Sometimes achieving compliance is lengthy, messy, and a thorn in our side. Sometimes it goes absolutely smoothly. One thing is for sure: while compliance may not directly generate revenue, a lack of compliance is a sure way to spend it. Between fines, forensics costs, and irreparable damage to the trust you’ve spent years building in your brand, not to mention how a breach affects your customers, compliance suddenly seems a very wise investment.
When we go to the store or online to make purchases, the very last thing we want to think about is whether our favorite shopping site is taking proper care of our sensitive data. We just assume that they are, right?