Why PCI and P2PE compliance should be on your radar

In order to help businesses process secure card payments and minimise card fraud, the Payment Card Industry Data Security Standard, often abbreviated to PCI DSS, is a worldwide standard of tight controls surrounding the storage, transmission and processing of cardholder data. Due to the sensitive nature of the data being processed, it is essential that retailers properly implement PCI DSS.

Why PCI DSS compliance is important

Retailers that are not DSS compliant cannot guarantee the security of customers’ data, and risk the possibility of being liable for Card Scheme fines, fraud losses against those cards, and operational costs associated with replacing the accounts. This is not to mention the potential brand damage that retailers could face from customers whose data has been compromised. Full PCI DSS compliance considerably reduces the likelihood of failing a PCI audit. Many retailers also choose to apply Point-to-Point Encryption (P2PE) to their businesses to reduce the DSS target and scope of any investigation.

There are a number of reasons why this remains a critical topic for retailers in 2016 and we’ll look into a few of these now.

Demand continues to rise

There is currently a surge of demand for P2PE, with various sectors enquiring about the benefits that new, compliant systems could bring to their businesses. Organisations as varied as newsagents, airside retailers, builders’ merchants, and building societies are looking to increase the security of their processes. The requirements of these businesses are varied, from upgrading PEDs to the deployment of new PED equipment, and there is an ongoing adoption of P2PE across a diverse marketplace.

Samsung Pay and Google’s Android Pay add to the pressure

Prompted by the successful rollout of Apple Pay in 2015, lead competitors Google and Samsung confirmed that their own rival mobile payment services were on the way. With these dates on the calendar, an influx of demand from across all sectors is expected, as are enquiries from Payment Service Providers (PSPs) who will be looking for service providers to support their national and international fleets.

PCI DSS v3.2

DSS v3.2 has been brought forward from the usual autumn/winter release to accommodate SSL/early TLS migration dates, and is projected to be the last update for the foreseeable future, giving a particular focus to the threat landscape and to identifying breach trends. PCI Security Standards Council’s Chief Technology Officer Troy Leach advised that the technology has reached a ‘mature standard’, in need of far less regular updating than was previously required.

Pressure to comply continues to grow

Despite DSS technology being mature, it is not a one-time fix – full compliance is the sole responsibility of the company. Verizon, an organisation that publishes annual compliance reports, revealed that 80 per cent of businesses assessed were not fully compliant, and that many of these cases were down to inadequate operation and maintenance of the systems. Ilia Kolochenko of High Tech Bridge Cybersecurity warns that 99 per cent of compliance breaches are caused by improper enforcement of PCI regulations.

Bad press associated with cybercrime is on the rise

PCI DSS compliance is in everybody’s best interest. Designed to ensure two-way security for both businesses and customers, a compliant system protects both the information and assets of customers, but also the company networks, which can otherwise be left exposed to cybercriminals.

Security breaches tend to initiate a chain reaction: customers lose money and security, and so will expect compensation; the company loses business due to interrupted systems and poor customer feedback; company individuals are penalised by regulators for allowing compromises to occur. In fact, Verizon also reported that 69 per cent of customers would not deal with a company whose systems had been breached. This figure emphasises the prospective financial losses companies face as a result of non-compliance.

Demand continues to diversify

Adoption of P2PE is branching out from traditional high-street retailers to all businesses that take payments from all business sectors.

With the considerable numbers of businesses failing compliance assessments, the FTC is addressing the matter with increased vigilance. By doing away with regularly scheduled assessment, companies are being stripped of the opportunity to mask any issues before their next assessment is due. This turnabout in approach proves how seriously compliance is being taken by the regulators. If you are dealing with customer payments and handling personal data and it’s not high on your priority list, then it really should be!

Andy Duck is Business Development Manager at Barron McCann

Image Credit: Shutterstock/donskarpo