If your company does business transactions online, you could be one of the unlucky online retailers who together lost more than $4 billion to transaction fraud, according to payment management company CyberSource. The number of e-commerce fraud incidents may be down, but a large chunk of change is still stolen by thieves despite the best efforts of merchants to become compliant with the Payment Card Industry (PCI) Data Security Standard (DSS).
A singular focus on PCI DSS may be part of the problem. Often, I hear the comment, "I just need to get through this PCI DSS audit and get my stamp of approval." PCI DSS is a mandated set of regulations. Regulations provide good general guidance for security, but do they truly address the specific needs of your business? Companies that achieve certification often breathe a sigh of relief, until, despite these efforts, something happens. Indeed, network scans, encryption and web application code checks are a good start, but there is a long list of things organizations ought to be doing beyond them.
As Practical Ecommerce contributor Armando Roggio notes, and as we’ve noted in conversations with some of our customers when helping them with their PCI compliance efforts, the regulations ought to be seen as more of a starting point than the end goal:
Roggio: “Although no fully-compliant merchant has been known to ever lose customer data to a hacker, compliance is not a once-a-year, or even once-a-quarter, check-up. Compliance is something that has to be maintained all of the time. When brick-and-mortar retailer TJX, which operates brands like T.J. Maxx, Marshalls, and HomeSense, was compromised in 2006, it had been PCI-certified, but was not in complete compliance when the incidents occurred. A small breakdown in policies can give a thief just the opportunity he or she needs to pilfer customer data.”
Contributed by Karen Chiang, PCIS Program Manager
WEBINAR INVITATION! If you want to learn more about how PCI DSS relates to your company’s data security, register for our Case for Security webinar on PCI DSS and the Basics of Data Security Compliance on Wednesday, June 24 at 8:30 am. Hope you can make it!
Vaclav Vincalek, June 19th, 2009 12:00:00 PM
