
It's time for the financial service industry to draw a line in the sand when it comes to credit card and mission-critical data security. Specifically, it's time to make non-compliance with the Payment Card Industry Data Security Standard (PCI) simply unacceptable for all players in this industry.
For those who have been in a time warp, PCI is the major credit card associations’ global requirements for industry-wide consumer data protection. It aligns Visa's and MasterCard’s data protection programs, streamlining requirements, compliance criteria and validation processes. It was created to provide merchants and processors with a single set of standards to secure cardholder data.
So what’s the hold-up? Why has PCI compliance been so low?
To be sure, the technical and business requirements are demanding and complex. PCI defines a security framework with six specific areas that apply to all PCI members, merchants and service providers that store, process or transmit cardholder data – a large and diverse group. It requires that cardholder data and sensitive information have strong encryption when transmitted across public networks, be they wired or wireless. Practices for tracking and monitoring all access to network resources and cardholder data are also required.
So while complying with PCI may be difficult, the alternative – failing to secure cardholder data – is far worse and impacts the entire organization. A significant bottom line hit, ongoing litigation, damage to corporate reputation, loss of shareholder value, and potential job losses are just some of the results of recent, well-publicized cardholder data breaches.
With an eye to the future, this industry needs to take a stand. The logical place to begin is by committing both your own operation and your vendors to enterprise-wide, end-to-end data security. Specifically, encrypting transmission of all files, terminal connections (especially to and from the mainframe) and application traffic over TCP/IP networks can eliminate the possibility of eavesdropping on cardholder data in transit.
Since increasing your data security measures is far from trivial, a solution is available today to help your enterprise easily transition into a world of security and compliance. SSH Communications Security has developed SSH Tectia, deployed and relied upon by seven of the world’s 10 largest financial institutions and by a rapidly growing number of the world’s largest retailers. SSH Tectia protects data-in-transit throughout the enterprise and allows centralized deployment, maintenance, monitoring and auditing capabilities. By deploying SSH Tectia for secure remote access, secure file transfers and secure data-in-transit, the retail industry and banks can implement strong end-to-end communications security to help achieve compliance with PCI while creating a required audit trail for internal and external compliance auditing.
Getting your vendors to approach PCI compliance with equal gusto may take further action; the kind I believe everyone in this industry understands extremely well. You might need to wave the ‘security carrot’ in front of them to encourage compliance, and that carrot could come in the form of a financial incentive. For example, retailers and financial institutions not in compliance by a set date will not receive the most favorable interchange rates, or might be subject to a fee per transaction, which would serve as insurance in the event of a future breach.
PCI compliance isn’t just a matter of good intentions. It’s about smart business practices that will ultimately make every player in this business stronger and more profitable.
George Adams is President and CEO of SSH Communications Security Inc. Based in Boston, he is responsible for developing and executing strategies to build the company's market position and organization.
Prior to joining SSH in 1999, Mr. Adams was with Phoenix Technologies Ltd, a leading supplier of software for enabling standards and enhancing PCs, servers, and information appliances. At Phoenix from 1988, he served as VP of business development, VP of marketing and strategic alliances, and VP of PC products. Before this he held marketing and general management responsibilities with Sun Microsystems, Intel, Analog Devices, and Motorola.