Thursday, 8 September 2011

The business case for compliance


Last week Adrian Leppard, City of London Police Commissioner, wrote an article that discussed how an increasing number of criminals were targeting businesses that failed to encrypt customer data to a high enough standard. He commented that the financial loss and reputational damage inflicted on a company from a data breach will always outstrip the investment cost of putting in place the correct security systems and policies. This is a very valid point.
There are many sector-specific security standards in the marketplace, with the Payment Card Industry Data Security Standard (PCI DSS) being one of the best known. This mandatory regulation was put in place by prominent industry players such as American Express, Visa and MasterCard Worldwide to establish a common framework for data security compliance.
By becoming PCI compliant, your business adheres to the PCI DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. In operational terms, it means you are playing your role in ensuring your customers' payment card data is kept safe throughout every transaction, and that they – and you – can have confidence that they're protected against the pain and cost of data breaches.
Unfortunately, too many companies have a rather lax approach to compliance, seeing it as another bureaucratic tick box rather than a business imperative. This seems a rather strange attitude to take when you consider that non-compliance means you are not only jeopardising the security of your customer data but also gambling with your reputation and brand. All companies that handle customer data should conduct regular data discovery exercises to ensure that unprotected cardholder data is found and correctly secured.
Another consideration is that criminals are always using new methods to obtain data, which is why data standards constantly evolve: PCI DSS is currently in version 2.0. Security vendors should therefore pay close attention to evolving standards to ensure the solutions they offer are relevant and mitigate client risk.
Police Commissioner Leppard made the point that what is needed is not just a change of process, but a change in attitude; only reacting when things go wrong is not the mark of a strong business. In essence, having the foresight to implement a flexible security strategy is one of the first steps you should take if customer retention is important to your business model.
By Richard Turner
