Adhering to Payment Card Industry (PCI) standards is crucial for any business dealing with payment card information on a daily basis. And with cash quickly becoming obsolete in light of COVID-19, more businesses than ever need to be taking PCI compliance seriously. Andrew Linn of Security Risk Management Ltd explains.
In 2020 we’re all familiar with using debit cards and credit cards. For many businesses, the transition to card and contactless payments has become a convenient and necessary aspect of day-to-day trading.
The PCI Data Security Standard (DSS) is a crucial piece in the security puzzle, designed to hold businesses to account and ensure that consumers can trust their merchants when they spend money. This set of standards has been specifically created to ensure that businesses which process, store or transmit payment card information are held to the highest possible standards of cybersecurity in order to protect that card data.
Let’s take a closer look at how PCI DSS compliance has changed in 2020.
PCI compliance in 2020
Among the many challenges that this year has thrown at the world, those organisations that accept payment via payment cards have had much to consider. For many businesses, 2020 has seen a significant increase in payment card transactions, both because cash has fallen by the wayside and because e-commerce has flourished, with people more willing than ever to have everything from food to furniture ordered direct to their home.
Of course, many businesses that had previously accepted card details over the phone in an office environment have been forced to consider how the same process could be carried out safely with staff members working remotely. In large part, call centres and similar organisations have done a good job of transitioning safely and smoothly to remote work. From a PCI DSS perspective, however, it is particularly challenging for a remote workforce to maintain high standards, especially over a long period of time.
With the latest round of restrictions just announced in the UK, now is a crucial time for call centres and the like to ensure that standards are not slipping, particularly where PCI compliance is concerned.
The hospitality and food service sector also underwent a significant period of upheaval during lockdown as butchers, bakeries, restaurants and cafes rolled out delivery services. For small, family-run businesses, in particular, PCI DSS and data protection could easily seem like an afterthought – something that would be looked at later once survival is ensured. However, the fact remains that there is no room for error when it comes to data protection. Obligations must be met no matter how disrupted the world of commerce may be.
Making PCI compliance part of a resilient future
At SRM we have worked closely with our PCI DSS merchant and service provider clients throughout the pandemic, continuing to deliver consultancy and support to businesses seeking to achieve or maintain PCI DSS compliance through the challenges of lockdown.
Working closely with the PCI Security Standards Council, card brands and acquiring banks, we have successfully assessed clients across a range of industries over recent months. As different parts of the country find themselves in and out of lockdown restrictions, we continue to offer businesses the flexibility to demonstrate adherence to PCI DSS requirements through remote assessments.
Among the key aspects of our work at this time is supporting organisations to incorporate PCI compliance into their Business Continuity Planning (BCP) and Disaster Recovery Planning. It’s crucial at this time that businesses are able to not only evidence compliance to a PCI Qualified Security Assessor (QSA) at a given point in time, but also to show that compliance has been maintained throughout the period between assessments.
For this reason, focusing on simply keeping a business running during challenging times is not enough for merchants. A business continuity plan must accommodate not only survival but a level of “business as usual” that caters for high information security standards at all times.
Just a few of the questions we pose when helping organisations to maintain and achieve PCI compliance are:
- Will PCI DSS scope change as the result of activating a BCP?
- If the working model changes, will PCI DSS compliance be retained?
- Will ongoing requirements such as penetration tests and vulnerability scanning be met?
- Can we continue to install security updates competently with a remote-based workforce?
- Is a new approach to change management and user awareness training needed?
- Are compensating controls needed? How will they be validated and maintained?
SRM support from a PCI DSS QSA
Failing to adhere to these requirements not only puts your business at greater risk of a data breach, it also invites the possibility of heavy fines and penalties from the PCI Security Standards Council.
With the help of a Qualified Security Assessor (QSA), you can both assess your current security standards and work to improve your risk posture in order to achieve and maintain compliance – even in the most difficult of commercial circumstances.
Is it time to reassess your PCI DSS compliance? Get in touch with the SRM team today on 03450 212151 or contact us here.