PCI compliance means operational change, not a one-off technology implementation

The landscape of the retail industry is changing, writes Ross Brewer, vice president and managing director, EMEA, LogLogic.

Following a series of major security breaches to personal data, the issue of securing operational information has become key, particularly in the context of corporate reputation and operational excellence.

Payment Card Industry (PCI) compliance, which addresses the protection of cardholder data wherever it is stored, processed or transmitted, is a recent phenomenon, with the PCI Data Security Standard launched in 2004. Prior to this, individual card brands managed their own security standards governing the processing and handling of cardholder data.

The standard gives retailers a process for identifying at which stage of the purchasing process a cardholder's data is at risk of being compromised. In a nutshell, it operates to validate and secure the entire chain of payment card processing.

On the face of it, the standard appears straightforward, with a short downloadable manual for retailers. However, those who research it thoroughly will note that it is made up of a myriad of security audit procedures affecting many areas of the business, both technical and otherwise.

One of the main problems we at LogLogic find is that when companies take on PCI compliance as a goal, there is a tendency to focus too heavily on technology. Many believe that implementing one piece of software or hardware will offer the entire solution to PCI. Instead, retailers must accept that PCI compliance is an ongoing process: some requirements must be met daily (for example, reviewing logs), others weekly or quarterly (such as vulnerability scanning), and others annually (the formal assessment). Business processes therefore need to change, and resources for a one-off project are not enough. If companies do not have the relevant support in place, they need to address this so that the business can be operated in this way on an ongoing basis. Becoming PCI compliant means making changes to the operation of a business; it is not just about implementing new technology.

Improving security levels will in turn have a positive impact on the business, as card brands such as Visa begin to introduce incentives, such as lower interchange rates, for compliant merchants. The more support PCI compliance has from across the business, from IT to board level, the more successful it will be.

Now is the time for retailers, at all levels, to embrace PCI compliance. Failure to do so may not result in legal action, but it will put their customers' data at risk, and the channel needs to convey this message.