PCI Compliance and Your Business

Posted in: Planning, Hosting, Technology, Ecommerce, Security, Compliance

This past New Year’s Day, IT teams and executives from businesses that accept credit or debit cards had more than just the fulfillment of their resolutions to worry about. For these professionals, the holiday marked the passing of PCI DSS v2.0, a set of security standards that outlines requirements for data management and procedures, network architecture, software design, and other factors that protect consumer information. For companies that have already met these standards, insights into the debate over their efficacy are not only relevant but could shape the versions that follow. For those under the impression that these rules don’t apply to their business, understanding, considering and implementing these regulations may be more critical than you realize.

Responses from industry experts have fallen at two extremes. At one end, some experts are deeply averse to these requirements, and justify their (non-compliant) processes and system architecture with the conviction that they know what’s appropriate, important and effective better than policy makers do. They disparage PCI DSS for being too vague to be useful and too excessive to be effective. At the other end, others regard these standards as a remedy for the many data breaches we’ve seen over the last few years. These experts commend PCI DSS for forcing companies, most prominently within the financial and commerce sectors, to assess their security operations, and for preventing breaches that could have happened but didn’t.

Regardless of your perspective, there is no doubt that these regulations have burdened many with increased resource demands, and the weight of that burden is something all businesses need to learn from. PCI DSS is not a far cry from the ISO standards it derives from, and because it is analogous to government and industry regulations like SOX and HIPAA, PCI DSS is expected to expand its application to sectors that are currently not regulated.

Currently, financial institutions, credit card companies, and merchants risk extensive fines and restrictions if they fail to adhere to these measures, but all companies that host private data should begin adopting them to avoid massive blows to their operations and margins.

This may seem difficult because the definition and scope of PCI compliance continue to evolve and be clarified, as with any new compliance regime. To give you a sense of what to expect and where to begin: careful assessments of your current data systems, architecture and processes should start now, and they need to be contextualized with an understanding of how you handle data not only internally, but also within the online ecosystem. A third-party company that validates your compliance with PCI standards will scan your ecommerce site quarterly. Most likely, you will need a hosting or web development company to make changes to your website and web server configuration to ensure you are compliant.

Of course, comprehension is the first step in any evaluation for a software or systems renovation. An ongoing list of PCI DSS changes and a glossary can be found on the PCI DSS website. To sum it all up: whenever any personal information about a cardholder is stored on a device that is connected to the internet, all reasonable measures must be taken to protect that particular network.

Updated security standards could be mandated before you start thinking about which resolutions you’re likely to break next year (TIP: PCI DSS compliance should not be one of them), or within a few years. Regardless, while you’re at work today, you can either begin preparing your company for a smooth transition towards impending security standards, or you can wait to see just how much weight ends up on your company’s shoulders.