A structured and sustainable approach to compliance management.
Protects Customers
Data privacy concerns among consumers have never been higher, and for good reason. Just about everyone has been affected by a data breach at some point now, with nearly half of all Americans having their records exposed during the Equifax data breach alone. Protecting your customers’ data is not only the right thing to do, it’s a sound business decision as well. When customers feel their data is safe with you, they’ll reward you with their loyalty and can even serve as some of your best advocates by referring their friends and family.
Improves Brand Reputation
With technology breaking down traditional barriers to entry and continually levelling the playing field among competitors, one of the strongest assets any company can rely on today is its brand. Avoiding a data breach is paramount to maintaining an untarnished brand reputation and to keeping your customers’ trust. While it can be difficult, if not impossible, to quantify, an investment in security is equivalent to an investment in your brand. As the number of data breaches among large companies climbs higher, consumers will vote with their wallets and do business with the brands they trust instead, which will hopefully be yours.
Imparts a Mindset of Security
For organizations that are just beginning to address security, the PCI DSS provides an excellent place to start. The twelve requirements serve as a robust and comprehensive framework against which to examine existing security procedures, and the self-assessment exercises that each merchant must complete are a fantastic way to reflect on how improvements can be made. For larger organizations that fall into merchant level 1, the annual Report on Compliance (ROC) that a Qualified Security Assessor (QSA) must complete acts as an important third-party check on security controls and can also reveal vulnerabilities that internal teams may overlook.
Serves as a Globally Accepted Standard
A small and often overlooked benefit is that the PCI DSS is one of the only truly globally accepted security frameworks. Although it is not officially mandated by any governmental body, because the big five card brands operate around the world, organizations operating internationally do not have to worry about different security standards for card processing in each country. This alleviates at least one headache, as legislation varies widely around the world. For example, even within the United States itself, all 50 states have their own unique versions of data breach notification laws.
Provides a Starting Point for Other Regulations
Governments around the world are waking up to the large-scale security threats facing companies and individuals and have begun enacting legislation to address them. The main tenets of the PCI DSS, namely requiring organizations to take measures to limit the amount of sensitive information they store, provide a great starting place for complying with other regulations. The EU GDPR requires that companies store only the data that is necessary, and only for as long as it is needed, a data-minimization principle that will probably continue to appear as a common thread in legislation in other regions as well.
Peace of Mind
Finally, knowing that your company has taken the proper security measures and achieved PCI DSS compliance can go a long way in helping you gain some peace of mind.
To assist with compliance, we typically take a phased approach, splitting the engagement into manageable workstreams. We spend time understanding the characteristics, capabilities, gaps and improvement opportunities of your cyber security posture, as well as how it can affect your ultimate compliance with PCI DSS.
Our phased approach.
Phase 1: Cyber security risk/threat modelling and evaluation
Phase 2: Identification of targeted maturity levels
Phase 3: Assessment of the current security strategy, together with adjustment and re-sequencing of the cyber security program
Phase 4: Issuing the final report and presenting it to management