Technical challenge or business enabler? Seizing the opportunity of PCI DSS compliance


Arnaud Crouzet

VP Security & Consulting at FIME



15.10.2019 10:15 am

As data breaches continue to rise globally, protecting the integrity of customer data (especially in the payments world) is vital. One essential security standard helping keep such data secure is PCI DSS – an information security standard for organizations that handle cardholder data. But aligning with the standard can be complex, time consuming and costly. And, as a result, many payments stakeholders are becoming complacent about compliance.

In fact, less than 18% of organizations measure their DSS controls across their entire environment more frequently than requirements specify. While doing the bare minimum means that companies avoid receiving hefty non-compliance fines, it doesn’t achieve a great deal more…

Adopting a compliance framework that complements commercial objectives alongside the latest security and privacy requirements is key to truly reaping the benefits of PCI DSS. With a new approach, stakeholders can maximize their investment in compliance to achieve greater efficiencies, tap into new revenues and deliver more valuable services to customers. With this in mind, how can the business opportunities of PCI DSS be unlocked?

Scoping it out

Defining the scope – where organizations outline the infrastructure that falls under the requirements of the standard – is one of the most important phases of PCI DSS compliance. But by using it as an opportunity to scrutinize systems, it can also be a useful tool to streamline operations and ‘reduce the scope’ of compliance.

Consider insuring a house. Without any locks on the doors or windows, premiums will be high. But, by considering all entry points and securing them effectively, the risk can be reduced. Taking this one step further, by permanently blocking an unused entrance, for example, the risk posed to the house can be dramatically reduced – and, in turn, so can the insurance premiums!

Scope reduction with PCI DSS works on the same principles. With the right attitude, companies can significantly reduce the scope of their systems that fall under PCI DSS, reducing the risk, ongoing expense and time of compliance.

If it isn’t broken, make it better!

Once your payment infrastructure is in place, it can be difficult to both critically assess your own systems and challenge the different parts of the chain, such as processors and acquirers. It’s very easy to say, “It works, so why touch it?”, but this can be a costly approach longer term.

PCI DSS compliance is the perfect trigger to ask: “Why do we do it this way?”, “Can we be more secure?”, “Can we be more efficient?”, “How can we do better?”. By using the time dedicated to review systems and achieve compliance more constructively, players can spot opportunities to put in place better processes, methodologies and technologies. The resulting systems are not only smoother operationally, but deliver significant cost and time efficiencies long term.

Deliver added value

If implemented intelligently, new technologies added to achieve compliance can also supplement the delivery of new value-added services.

Take payment tokenization, for example, used to encrypt cardholder data end-to-end. While significantly reducing the scope of compliance, these tokens can also be used to identify customers across omnichannel retail environments and automate loyalty programs without (or alongside) a separate loyalty card. For brick-and-mortar retailers, this can help bridge the gap between the online and offline world while bringing greater simplicity and flexibility to the consumer.

Loyalty programs are hugely effective in increasing revenues (members on average spend $42.33 more than other shoppers), so tapping into this market helps maximize return on investment.
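The two properties the tokenization paragraph relies on are that the token is stable for a given card (so it can key a loyalty record across in-store and online channels) and that it carries no cardholder data (so the systems holding it fall outside the cardholder data environment). The following is an added illustration written for this article, not FIME's code or any vendor's product: an in-memory stand-in for a token vault, with constructed test card numbers and a hypothetical loyalty ledger. The lookup key, the token format (16 random digits that deliberately fail the Luhn check, so a token can never be mistaken for or used as a real card number) and the ledger structure are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

DIGITS = "0123456789"


def luhn_valid(number: str) -> bool:
    """Standard Luhn check used to validate a PAN (and to reject tokens that look like one)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed in-memory token vault: the only component that ever sees a PAN.

    A real vault would be a hardened, separately scoped system; the point here is
    the interface, not the storage.
    """

    def __init__(self, lookup_key: bytes):
        self._lookup_key = lookup_key          # assumed secret, used only to index PANs
        self._token_by_index: dict[str, str] = {}  # HMAC(PAN) -> token
        self._pan_by_token: dict[str, str] = {}    # token -> PAN

    def _index(self, pan: str) -> str:
        # Keyed hash so the lookup table itself does not expose PANs.
        return hmac.new(self._lookup_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        """Return the stable token for a PAN, minting one on first sight."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        while True:
            token = "".join(secrets.choice(DIGITS) for _ in range(16))
            # Tokens are random, unique, and intentionally Luhn-invalid.
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._token_by_index[idx] = token
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can map a token back to the PAN (e.g. for settlement)."""
        return self._pan_by_token[token]


def record_purchase(vault: TokenVault, ledger: dict, pan: str, channel: str, amount_cents: int) -> str:
    """Hypothetical loyalty ledger keyed by token: it never stores or sees the PAN.

    Returns the token used as the customer key. One point per whole currency unit
    is a constructed rule for the example.
    """
    token = vault.tokenize(pan)
    entry = ledger.setdefault(token, {"points": 0, "channels": set()})
    entry["points"] += amount_cents // 100
    entry["channels"].add(channel)
    return token


if __name__ == "__main__":
    # Constructed test card numbers (standard test PANs, not real accounts).
    vault = TokenVault(lookup_key=b"constructed-lookup-key")
    ledger: dict = {}
    t_store = record_purchase(vault, ledger, "4111111111111111", "in-store", 4233)
    t_web = record_purchase(vault, ledger, "4111111111111111", "online", 1000)
    print("same customer key across channels:", t_store == t_web)
    print("ledger entry:", ledger[t_store])
    print("token passes Luhn? (should be False):", luhn_valid(t_store))
```

The ledger and every channel system that holds only the token are exactly the systems that tokenization takes out of scope; the vault, which alone can call `detokenize`, is the part that stays in.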

Looking to the future

PCI DSS is currently only applied to transactions routed by the PCI member payment schemes. But its requirements are a strong benchmark for the protection of all payment systems and customer data universally.

If you are already applying PCI DSS for card payments, extending it to cover ‘transactions’ generally – protecting instant payments, credit transfers, P2P payments, International Bank Account Numbers (IBANs) and more – can help safeguard and secure systems for the future.

Following the PCI DSS rules blindly can be costly, complex and, in some cases, impossible. The guidelines need to be applied intelligently, using new methodologies and technologies to do things in new, better ways and, in turn, realize commercial benefits beyond compliance.

All of this can be hard to achieve alone, but with the right approach, businesses can make PCI DSS work for them.
