Many organisations have developed an appreciation that PCI Security should never have been perceived as a technical issue, but a core part of their business strategy, however not all currently share this view, writes Ciske van Oosten

First things first, if you haven’t already taken a business approach to PCI Security then take a step back and rethink!

PCI Security is all about business. Business success requires the ability of an organisation to adapt at the speed of change. It is about improving the capability to properly manage the business risks associated with cardholder data – to help maintain business profitability. Ultimately, it is about helping organisations to continue to exist.

Sound business practice requires the on-going protection of business investments, and increasing the earning potential of every asset a business uses. The acceptance of payment cards remains a very valuable business asset. When it is well managed and protected, payment card acceptance continues to offer a good return on investment to organisations; however problems occur when it is not.

The PCI Security Landscape in 2014

The general awareness of the PCI Security compliance requirements is quite high across industry verticals. Most organisations know that they are required to demonstrate adequate protection of cardholder data, in accordance with the relevant PCI Data Security Standard (PCI DSS), and they recognise this is a long-term compliance program that will remain a significant part of business for many years to come.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Electronic Payments International.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

With a majority of merchants and service providers in several regions already compliant with PCI DSS or well-underway towards compliance certification, most organisations have learned (some the hard way) that PCI Security programs can be truly complex. The scope of PCI Security should never be underestimated; neither should the immediate and long-term impact it has on the underlying business.

Yet, despite significant advances over recent years in understanding the impact of PCI Security – in particular in terms of the resources required for a sustainable compliance program – many organisations still find it challenging.

Where do the challenges lie?

Fundamentally, the knowledge and know-how required to achieve effective data protection and the ability to maintain compliance in a cost-efficient manner, is simply not available in many organisations.

We have now entered another new year, 2014, and it is a staggering nine years since the release of the original version of the PCI Data Security Standard by the Payment Card Industry Security Standards Council, DSS version 1.0, back in December 2004.

PCI DSS is on a three year lifecycle. Currently organisations are required to comply with PCI DSS 2.0, but with the recent launch of version 3.0 (effective from 1st January, 2014), organisations will be urged to make payment security part of their business-as-usual activities. It will introduce more flexibility, and an increased focus on education, awareness and security as a shared responsibility. The new standard will pose new challenges for organisations centred on the requirement of specific penetration testing for the perimeter and greater responsibilities in relation to the use of third parties.

The threat landscape is constantly changing and this, combined with the exponential growth of data within organisations, comes not only with greater challenges but also increased responsibility. Many organisations view data as power. However, in reality, the more personal data they store, the more they are exposed to potential data breaches and vulnerabilities.

Risk to cardholder data is evolving, and risk management practices need to adapt to keep up to date with advances made in the payment card industry – in particular when considering the rapid entry of mobile payment technology.

What does the future hold?

In 2014, PCI Security programs are expected to remain a complex business issue for many organisations; even after achieving initial compliance certification. The ability to maintain compliance in a cost-effective manner depends on the maturity of an organisation in managing a compliance program.

Compliance Officers are expected to report on the Total Cost of Ownership (TCO) of their compliance programs. However, more importantly, research conducted by Verizon in the latter part of 2013, found that, although some organisations do calculate the TCO of their compliance programs, very few of them take the next step: to calculate the Return on Investment (ROI) of their compliance programs.

This lack of financial and compliance performance insight places Compliance Officers at a major disadvantage. This complete transparency is required in order to obtain the full support from the business for their compliance strategies. And more importantly, complete visibility and clarity is crucial in order to determine how the new changes in the compliance industry, such as updates to the PCI Data Security Standard, evolving threats to sensitive data, or innovation in payment card industry technology will ultimately impact on the business success of their organisation.

Ciske van Oosten is Global Business Development director at Verizon PCI Security Services

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up