GDPR has focused the minds of senior executives on the need to secure information. But how confident can we be that there have been real changes? Given that we only hear about very large GDPR breaches or those with a sensational aspect, it’s hard to know. But there are other indicators of an organisation’s approach to information security.
The Payment Card Industry Data Security Standard (PCI DSS) provides a pretty good bellwether. It’s a set of security standards designed to ensure all companies that accept, process, store or transmit credit card information maintain a secure environment.
We can view an organisation’s approach to PCI DSS compliance as a proxy for its general approach to information security. If an organisation struggles to achieve and maintain PCI DSS compliance, it’s unlikely that it’s meeting its obligations under GDPR or safeguarding the other important data it holds.
Why is PCI DSS such a meaningful proxy?
There are five reasons PCI DSS makes a good indicator of general data privacy practices:
- It relates to a clear set of information that, as well as being financial data, is also personal data. It should be easier for an organisation to secure a specific, clearly defined set of data than to secure everything. So, if the credit card data isn’t well secured, it’s unlikely that other, less well-defined data is fully secure.
- There’s a clear set of requirements to meet to secure the data. An organisation doesn’t have to work out what to do; it’s already defined in the PCI DSS. However, if an organisation can’t follow clear guidance on the controls that apply to this specific data, the likelihood that it has effective controls across other data sets is low.
- Organisations have a legal obligation to be PCI DSS compliant. An organisation’s requirement to meet PCI DSS is part of the contract with its banking acquirer and the acquirer will put pressure on the organisation to achieve compliance. If, despite this, an organisation hasn’t achieved PCI DSS compliance, it’s unlikely to have implemented effective security elsewhere across the business.
- It makes information security part of business as usual. There are control requirements for daily, monthly, quarterly or annual action. Compliance is therefore a good indicator of the extent to which an organisation makes security a part of its culture.
- It doesn’t make unusual demands on organisations. It’s made up of the same sorts of controls as other standards such as ISO 27001 and NIST CSF.
Although the standard is relatively simple to follow, assessors constantly find that organisations aren’t PCI DSS compliant. Although assessors will cite specific control failures, our experience is that the real causes often lie in an organisation’s wider approach to information security.
Why do organisations really fail at PCI DSS compliance?
Some of the common underlying reasons for failure include:
- Delegating responsibility for compliance to a junior level
Often, the key contact for an assessor is a relatively junior staff member, usually in IT or compliance. Regardless of their competence, this person has no authority to make changes or commit budget. So, even when they accept the need for a control, it can take a long time to happen.
- Seeing compliance as a matter for IT
It’s an unhelpful cliché that security is everyone’s problem, but it’s true that you can’t leave it to IT. Risk assessment, policy, awareness training and other factors all need commitment from beyond IT.
- A lack of awareness of where the data is
It’s common for assessors to find repositories of card data, or even entire business processes, that no-one charged with information security was aware of.
- An over-reliance on suppliers
Most organisations outsource significant elements of their IT functions, and there’s a tendency to assume these third parties have implemented sound security controls. But such confidence may not be justified. For example, some service suppliers offer PCI compliant and non-compliant options. In other words, they’re acknowledging that some of their services may fail to meet fundamental security controls.
What’s the opportunity?
By overcoming such common challenges and becoming PCI DSS compliant, organisations can improve their overall data security posture, boosting their reputation and winning new customers. For example, we helped a company develop a new telephone-based payment platform by creating a system that prevented card data from ever entering the call centre environment and by clearly defining the responsibilities of third parties. With senior leaders from across the organisation engaged from the outset, it was easy to communicate the right solutions to staff, building a culture of security. As a result, the company achieved PCI DSS Level One certification well within the allotted time and on budget, securing new customers for its new service.
So, it’s crucial for those at the top to review PCI DSS compliance, gaining valuable insights from industry experts. And when you do, you can apply the lessons from PCI DSS compliance to other sensitive data your organisation holds.