Accreditations are an important part of business, regardless of industry or sector. Whether you’re operating a hotel, running a bank or managing a data security company, there is always a set of rules and regulations to follow, as well as official stamps of approval that must be obtained to reassure customers and earn their trust. And if the recent fallout in London between Transport for London (TfL) and Uber is anything to go by, it’s clear that in the world of technology this matters more than ever. As the CEO of a tech company that has just renewed its ISO 27001 certification for another year, I have been thinking about how seriously businesses should take accreditation. When it comes to taking payments for goods and services, it is a necessity rather than an option: companies need to demonstrate to their customers that they can be trusted to keep payment card data safe.
The Payment Card Industry Data Security Standard (PCI DSS) is the cornerstone for anyone who accepts card payments, whether face-to-face, by mobile, online or over the phone. Other standards and regulations, including ISO 27001:2013, the FCA’s rules and, of course, the incoming EU General Data Protection Regulation (GDPR), come with strict requirements and harsh penalties for those who fail to comply. Demonstrating compliance shows that your company has done the rigorous work of securing the systems that process, transmit or store sensitive customer information, such as payment card details, dates of birth or addresses. One caveat worth remembering: a PCI DSS assessment covers only the in-scope cardholder data environment, so the first task is to know exactly where card data flows in your business and to keep that scope as small as possible.
You cannot be complacent when it comes to putting the right data security processes in place to protect both yourself and your customers. Here are the key reasons why earning industry accreditations is a crucial part of doing business:
Your customers need to know they can trust you
Accreditation is essential for customer trust. In the data security industry, our customers carry a significant burden to prove they are compliant with PCI DSS. Part of that burden is demonstrating that their service providers are also meeting the requirements (PCI DSS Requirement 12.8 obliges them to keep a list of their service providers and to monitor each one’s compliance status at least annually), which means that, for us, it’s all about practising what you preach.
Proving compliance with ISO 27001:2013, PCI DSS and Visa standards validates your credibility, reliability and commitment to customers. Achieving the most pertinent and prominent certifications shows that you are going beyond the minimum requirements and that any data you touch or hold is handled securely.
While public relations understandably does not call for the same rigorous standards that come with protecting customer data, PR giant Bell Pottinger recently learnt the hard way how much accreditation matters to a successful business. The PR trade body, the PRCA, expelled the agency after an independent investigation into a PR campaign it had run in South Africa. Many of the company’s clients, including HSBC and TalkTalk, then stated publicly that they would no longer work with it, and Bell Pottinger has since gone into administration.
You need to be able to trust your partners
Very few companies today work in isolation. In our sector, every organisation involved in processing even a single payment requires a minimum level of accreditation, because a weakness in just one supplier can be the chink in the armour that leads to a data breach. Selecting a partner is therefore more than asking whether they hold the relevant accreditation: you need to know what their assessment actually covered, which requirements they take responsibility for and which remain yours, and whether their own partners are taking data protection just as seriously.
Take Verizon, for example. Personal account data on as many as 14 million of its customers (Verizon itself put the figure at around six million) was exposed when a third-party supplier of data analytics, Nice Systems, left the records in a publicly accessible cloud storage bucket. The public will always hold the company it does business with accountable, so the consequences fall firmly at the feet of the big brand name, whoever made the mistake.
“There’s a high cost to a bad reputation”
Accreditation is all about trust. It’s important for not only your customers to trust you, but for governing bodies to know that you will adhere to the rules of the game – and that you will maintain this standard of quality year-on-year. No company can stand outside the law.
In data security, this means adhering to a whole host of rules. From PCI DSS, which the card brands and acquiring banks enforce contractually, to the EU GDPR and the FCA’s guidelines, this sector is a minefield of compliance. And businesses cannot afford to fall foul of the bodies that enforce these standards: under the GDPR, for example, the most serious infringements can attract a fine of up to 4% of annual global turnover or €20 million, whichever is greater.
Disruptive technology company Uber has recently learnt the price of falling foul of regulators. Transport for London declined to renew its private hire operator licence in London, citing a “lack of corporate responsibility” and concluding that the company was not “fit and proper” to hold one. Essentially, Uber fell short on a number of requirements, including reporting serious criminal offences, obtaining medical certificates and carrying out thorough driver background checks, apparently believing that its size and influence were enough to maintain its position. Its chief executive, Dara Khosrowshahi, acknowledged after the decision that “the truth is there is a high cost to a bad reputation”.
So, while a bad reputation can lose you customers, it can also cost you your licence to operate, whether as a taxi company, a bank or a PR firm. Validation through accreditation can mean the difference between success and failure for a business.
Without the support of your customers, potential partners and governing bodies in your industry, your business is not sustainable. Get accredited – or face the consequences.
Tim Critchley, CEO of Semafone