PCI compliance is now compulsory for all transactions online. The Payment Card Industry Data Security Standard (PCI DSS) is a worldwide information security standard defined by the Payment Card Industry Security Standards Council. The standard was created to help organizations that process card payments prevent credit card fraud through increased controls around cardholder data and its exposure to compromise. The standard applies to all organizations that hold, process, or exchange cardholder information from any card bearing the logo of one of the major card brands.
We believe this is not just about cardholder data, but that the PCI DSS standard can be applied to all the policies, procedures and data storage of sensitive customer information. That is why we took the step several years ago to achieve enterprise-wide PCI compliance to Tier 1 level. This was a costly and long process, and it is not a one-off: we are audited once a year by an external company, Security Metrics, to ensure that this standard is maintained, and we are also an active participant in the PCI Security Council. To try to raise consumer awareness, we have also brought out a PCI Compliance logo, which is present on Venda sites such as TK Maxx in the bottom left-hand corner and through checkout, with a simple pop-up explaining what this means.
The importance of PCI compliance lies in consumer trust. A recent article in Retail Week highlighted the fact that although retailers know it needs to be done, there is still much confusion in the retail world on the subject: no clarity about what full compliance looks like, what is required to be fully compliant, and which data needs to be compliant.
PCI compliance brings its own difficulties: the policies and procedures required are sometimes complex; it can be costly and expensive to do internally; hard work can be undone very quickly by not keeping your eye on the ball; building the right set of skills internally takes focus away from other areas; technology is moving at a fast pace; and defences need continuous updating as the level of sophistication of fraudsters increases.
Tier 1 PCI compliance requires an external audit, but the lower levels are self-assessed. Concerned about the prospect of penalties for non-compliance or refusal by banks to process payments, retailers are rushing to do the self-assessment, and I think this is where the confusion arises. Third parties who have done auditing many times before can help with the set-up of the policies and procedures required, as well as the mechanisms for safe storage of sensitive data, and I would recommend anyone to get advice on this. I refer back to another article on security in the cloud where I ask the question: are you in the business of delivering an excellent product and customer experience to your customers across the value chain, or are you in the business of security?
Authored by James Cronin, Director and Chief Architect