Technical challenge or business enabler? Seizing the opportunity of PCI DSS compliance

Technical challenge or business enabler? Seizing the opportunity of PCI DSS compliance

Arnaud Crouzet

VP Security & Consulting at FIME

Views 657

Technical challenge or business enabler? Seizing the opportunity of PCI DSS compliance

15.10.2019 10:15 am

As data breaches continue to rise globally, protecting the integrity of customer data (especially in the payments world) is vital. One essential security standard helping keep such data secure is PCI DSS – an information security standard for organizations that handle cardholder data. But aligning with the standard can be complex, time consuming and costly. And, as result, many payments stakeholders are becoming complacent about compliance.

In fact, less than 18% of organizations measure their DSS controls across their entire environment more frequently than requirements specify. While doing the bare minimum means that companies avoid receiving hefty non-compliance fines, it doesn’t achieve a great deal more…

Adopting a compliance framework that complements commercial objectives alongside the latest security and privacy requirements is key to truly reap the benefits of PCI DSS. With a new approach, stakeholders can maximize their investment in compliance to achieve greater efficiencies, tap into new revenues and deliver more valuable services to customers. With this in mind, how can the business opportunities of PCI DSS be unlocked?

Scoping it out

Defining the scope – where organizations outline the infrastructure that falls under the requirements of the standard – is one of the most important phases of PCI DSS compliance. But by using it as an opportunity to scrutinize systems, it can also be a useful tool to streamline operations and ‘reduce the scope’ of compliance.

Consider insuring a house. Without any locks on the doors or windows, premiums will be high. But, by considering all entry points and securing them effectively, the risk can be reduced. Taking this one step further, by permanently blocking an unused entrance, for example, the risk posed to the house can be dramatically reduced – and, in turn, so can the insurance premiums!

Scope reduction with PCI DSS works on the same principles. With the right attitude, companies can significantly reduce the scope of their systems that fall under PCI DSS, reducing the risk, ongoing expense and time of compliance.

If it isn’t broken, make it better!

Once your payment infrastructure is in place, it can be difficult to both critically assess your own systems and challenge the different parts of the chain, such as processors and acquirers. It’s very easy to say, “It works, so why touch it?”, but this can be a costly approach longer term.

PCI DSS compliance is the perfect trigger to ask: “Why do we do it this way?”, “Can we be more secure?”, “Can we be more efficient?”, “How can we do better?”. By using the time dedicated to review systems and achieve compliance more constructively, players can spot opportunities to put in place better processes, methodologies and technologies. The resulting systems are not only smoother operationally, but deliver significant cost and time efficiencies long term.

Deliver added value

If implemented intelligently, new technologies added to achieve compliance can also supplement the delivery of new value-added services.

Take payment tokenization, for example, used to encrypt end-to-end cardholder data. While significantly reducing the scope of compliance, these tokens can also be used to identify customers across omnichannel retail environments and automate loyalty programs without (or alongside) a separate loyalty card. For brick-and-mortar retailers, this can help bridge the gap between the online and offline world while bringing greater simplicity and flexibility to the consumer.

Loyalty programs are hugely effective in increasing revenues (members on average spend $42.33 more than other shoppers), so tapping into this market helps maximize return on investment.

Looking to the future

PCI DSS is currently only applied to transactions routed by the PCI member payment schemes. But, they’re a strong benchmark for the protection of all payment systems and customer data universally.

If already applying PCI DSS for card payments, extending it to cover ‘transactions’ generally – protecting instant payments, credit transfers, P2P payments, International Banking Account Numbers (IBANs) and more – can help safeguard and secure systems for the future.

Following the PCI DSS rules blindly can be costly, complex and, in some cases, impossible. The guidelines need to be applied intelligently, using new methodologies and technologies to do things in new, better ways and, in turn, realize commercial benefits beyond compliance.

All of this can be hard to achieve alone, but with the right approach, businesses can make PCI DSS work for them.

Latest blogs

Nish Kotecha Finboot and Bryan Foss, NED, Visiting Professor at Bristol Business School and member of the FRC Audit & Assurance Council

How Listed Companies Can Use Blockchain to Prevent Auditing and Reporting Malpractice and Avoid Scandal

Not too long ago, there was very little to link Wirecard, the disgraced payments platform in Aschheim, Germany, with Boohoo, the fast-fashion online retailer in Leicester, England, but both have recently been embroiled in high-profile scandals. Read more »

Leon Muis Yolt Technology Services

The Time for Financial Services to Become Truly Digital is Now

The financial services industry looks set to change dramatically over the next couple of years in response to COVID-19. The pandemic has certainly highlighted some inefficiencies and weak spots in current processes for many businesses, such as those Read more »

Granville Turner Turner Little

The Lockdown Money Revolution

Many Brits have found that lockdown has been beneficial for their money, having cut back on personal spending and managing to put away some extra cash. According to eToro, Brits with unspent discretionary income are set to accumulate £75.5bn in Read more »

Sandra Higgins Sysnet Global Solutions

Are You ‘Prescribing’ the Right Security Solution to Your Merchants?

When it comes to leading a healthy lifestyle, eating the right food, taking regular exercise, and maintaining a positive mindset are key. However, despite these best intentions and practices, you still might not get all the nutrients your body needs Read more »

Robert Flowers DivideBuy

It Doesn’t Have to Be the End – How Retailers Can Grow in Light of COVID-19

It’s no news that the retail industry has been flipped on its head by the COVID-19 pandemic. Due to the lockdown, most in-store operations have been shut down, and nationwide furloughs, reduced pay and steady streams of income at risk have fuelled a Read more »

Related Blogs

Christian Damour FIME

What is PCI DSS?

As worldwide card fraud continues to rise, it is fundamental that the payments industry steps up to the challenge to prevent further data breaches and losses. One of the key elements of keeping data secure is PCI DSS compliance. The security Read more »

Magazine
ALL
Free Newsletter Sign-up
+44 (0) 208 819 32 53 +44 (0) 173 261 71 47
Download Our Mobile App
Financial It Youtube channel