Dan Salmons, Managing Director, PayPoint Mobile and Online, says organisations need to adopt PCI DSS more deeply

"Polish on, polish off", "brush up, brush down". Thus begins Daniel LaRusso’s training in the martial arts in the classic 1980s kids’ movie The Karate Kid. Instead of learning kicks and throws in the dojo, Daniel finds himself redecorating his teacher’s house, and even then Miyagi-San makes him do each job in a very specific way – but not necessarily the easiest way.

Daniel ends his first day of training angry and disappointed, but then the Japanese sage delivers his real lesson. All of a sudden the tedious movements he’s had to use all day become powerful defensive manoeuvres. And, of course, the movie ends with Daniel defeating his nemesis.

This is a bit like what digital security means for any organisation processing card payments. The rule book we must all follow, PCI DSS, lays down in great detail exactly what organisations must demonstrate to achieve compliance. But doing what you need to achieve compliance won’t make your customers secure – just like knowing all the moves won’t necessarily make you great at karate.

Payment security is hugely important today, as the market for stolen cards is vast and lucrative. It was recently revealed that 183 million accounts were compromised in Q3 of 2014 and credit-card hacking has been found to be America’s top crime worry. As the owners of the 56 million credit cards that were compromised from Home Depot found to their cost, card details are hot property at the moment – with each card worth an estimated £8. For criminal gangs trading in thousands, if not millions of stolen accounts, that’s a very profitable line of business.

Yet a large number of payment providers see the compliance process as a necessary evil of doing business – a bit like fire drills and employer liability insurance – rather than as a business opportunity to keep existing clients and win new ones. Indeed, there are plenty of ways organisations can meet the letter of the standards without actually baking them into every part of their operations. For example, many organisations only allow auditors to examine data and conduct penetration tests on ‘sandbox’ systems, unconnected to the provider’s online systems. That’ll get them the tick in the box, but will it be a hallmark of total security? There’s no way of knowing until it’s too late.


As Miyagi-San taught Daniel LaRusso, truly defending yourself requires you to think far more fundamentally about what you do and how you do it. The hard part is to practice it day in and day out. But if organisations are using a service that’s ‘compliant by design’, they are far better placed to defend their customers’ data robustly. For us, this means embedding PCI DSS-friendly processes into the code base of our core applications – rather than rushing to compile paper trails by hand when audit time comes. It means giving auditors access to live data on our production systems, which in turn requires a culture of sustained compliance and continuous improvement that all employees need to embrace. It also means we plan our businesses around audits – allowing plenty of time for preparations. It’s for these reasons we marked 10 years of Level 1 PCI DSS compliance in August last year.

Finally, compliance by design demands that executives run their business with security uppermost in their minds and as a business opportunity – not the other way around. PCI DSS audits generally require many business functions, especially finance, IT and operations, to go into lockdown for several weeks a year. Rolling out new products and integrating new customers simply takes much longer during audits – if they happen at all. But with products that are compliant by design, the thousands of merchants and millions of consumers for whom we process payments each year have true peace of mind.

It’s worth reminding ourselves why PCI DSS exists: because consumers demand and expect protection! Research we commissioned in May 2014 found that consumers rate security above convenience when deciding how to pay. Over half of UK consumers (55%) viewed the security of a payment method as the most important factor in deciding how they pay, while only a quarter (26%) believed convenience to be the most important deciding factor.

This is why simply doing the basics isn’t enough. In spite of its length, PCI DSS should really be seen as merely the status quo, not the benchmark. Organisations need to go beyond the ‘box ticking’ to secure their customers’ card data. It only takes one breach to risk the ire of customers whose card details are compromised, and their faith in your ability to protect them may never be restored.

For this reason, it’s absolutely crucial to get the security side right. Though compliance by design may at times feel like waxing the auditor’s car or painting their fence every day in a tedious fashion, it means your customers can rely on your "powerful defensive manoeuvres" to keep their data safe.