PCI-DSS compliance

With fraud and cybercrime proliferating, PCI-DSS compliance is an issue businesses of every size need to address.

The Payment Card Industry Data Security Standard (PCI-DSS) has been in place for some time, but until recently, only major enterprises tended to aim for full compliance. With fraud proliferating and PCI-DSS compliance becoming easier and more cost effective, compliance has become important for businesses of every size. Effectively - if you accept card payments, you should aim to be compliant.

PCI-DSS is designed to protect payment card transactions. Designed by the key stakeholders in the card payment ecosystem, it covers numerous areas, ranging from installing and maintaining a firewall configuration, monitoring access to network resources, and even includes testing Web applications, all in order to protect cardholder data. Over the past five years, the PCI-DSS framework has evolved from being guidelines without enforceable sanctions to a ‘must-have’ certification for those in the business of manipulating, storing or transmitting cardholder data.

Some years ago, PCI-DSS compliance involved complex dealings with multiple vendors, at significant cost. In fact, the single most cost prohibitive factor was dealing with multiple vendors. There was an understandable reluctance among businesses to become compliant unless they were absolutely forced to do so.

However, consolidation and multivendor technology means PCI compliance can now be achieved faster, and at a dramatically lower cost.

With the barriers to PCI-DSS compliance lowered, businesses of every size can now move towards compliance and safeguard their electronic transactions.

Rampant fraud

And safeguarding transactions has become critically important amid the massive growth in fraud, cybercrime and other threats. In addition, mobile money transfers have added a new level of risk to making transactions. Transactions have moved from point of sale to mobile, and thanks to the ability to transfer money between mobile devices and conduct internet banking via mobile, confidential banking information is now available everywhere. Rogue users can log in from anywhere in the world. The transactional environment is much bigger now, with many more users, much more activity and greater risk.

This situation won’t change in the foreseeable future. So every business that accepts card payments needs to take effective steps to secure these transactions.

The PCI-DSS requirements may seem onerous, but they are highly comprehensive and are designed to serve as an effective barrier. Those who are PCI-DSS compliant are, in effect, far less vulnerable to fraud and cybercrime.

In South Africa, awareness of the importance of fully securing card transactions is growing fast. In Nigeria, there is now a rush to achieve compliance as the cashless society takes off in the country. Elsewhere in Africa, we are only now starting to see organisations heeding PCI-DSS compliance.

Becoming compliant

Everyone wants to be as secure as possible – only the most naïve would think otherwise. But many businesses hold back on compliance, fearing they do not have enough cash to throw at the problem. However, achieving PCI-DSS compliance need not involve an ‘all or nothing’ approach. In South Africa, some organisations have elected to comply with only certain aspects of the PCI-DSS; while others are at different stages of achieving compliance. The criteria for compliance are continually updated as new threats emerge, so full compliance is always a work in progress.

With 12 important requirements in the PCI-DSS table at the moment, the Chief Security Officer might decide to tick off only the most critical blocks that are most relevant to his line of business, due to budget or resource constraints. Few but the biggest financial and retail enterprises are able to tick all the blocks, but most are trying to get to this point.

Supporting the move to a more secure transaction environment, technology vendors are cutting process and many outsource providers and reseller companies deliver PCI-DSS as a managed service or even as a full on-site service. Information and training is widely available online to educate businesses and support them as they move to comply.

By Perry Hutton, Regional Director for Africa at Fortinet