Firstly, it’s important to note that any organisation that stores, processes or transmits credit card data must comply with the Payment Card Industry Data Security Standard (PCI DSS). The standard is imposed by the card schemes through their acquiring banks, so it is mandatory for every card-handling organisation in Australia, whatever its size.
Businesses dealing with cardholder data need to be aware of their obligations regarding PCI DSS compliance. However, that doesn’t necessarily mean they know the best ways of achieving and maintaining PCI DSS compliance, and how to do so in the most efficient manner.
A business may initially hesitate over the cost of achieving and maintaining compliance, but it is seldom understood that staying on top of PCI DSS compliance is cheaper than letting it slip. Many companies in Australia also underestimate the financial exposure of non-compliance: scheme fines passed on by the acquirer, forensic investigation costs and card reissue costs after a breach, and the loss of card acceptance itself.
A great way to do that is to have the right business partnership: we provide a range of products and services such as Level 1 PCI DSS certified cloud based services, credit card scanning & storage, tokenisation and payment services, and contact center solutions to name a few.
You’ll probably be aware that there are numerous controls and stages involved, starting with determining your merchant level. That level decides how compliance is validated: lower-level merchants complete a self-assessment questionnaire (SAQ), while a Level 1 merchant must engage a Qualified Security Assessor (QSA) to produce a Report on Compliance.
Here’s a brief overview of what you need to do to achieve and maintain PCI DSS compliance in the most efficient manner. There are three stages:
- The first is assess – identifying where cardholder data lives, taking an inventory of the IT assets and business processes involved in payment card processing, and analysing them for vulnerabilities that could expose cardholder data. Any historical card data that is no longer required should be securely deleted: data you do not hold cannot be breached, and every store you remove shrinks your financial exposure.
- The second is remediate – fixing the vulnerabilities found, and not storing, processing or transmitting cardholder data at all unless you absolutely need to. Every system that no longer touches card data drops out of PCI DSS scope.
- The third is report – compiling the records that validate your remediation and submitting the compliance report (SAQ or Report on Compliance, with an Attestation of Compliance) to interested parties such as your acquiring bank.
IPSI has helped many of Australia’s largest credit card processors to secure their credit card data and become compliant. Our services range from review, analysis and design consultancy through to fully managed remediation solutions.
An important process in securing PCI DSS compliance is tokenisation. The best way to store credit card data for recurring billing is to use a cloud-based third-party credit card vault and tokenisation provider: the vault holds the primary account number (PAN) and returns a token that has no value outside that vault, so your own systems keep only the token and never see the PAN again.
You’ll need a provider who can perform a requirement analysis to identify what’s right for your business, including all interactions with payment card data, your particular tokenisation needs and associated payment and reporting processes.
It’s important to leverage service providers such as IPSI to help your business minimize its initial and ongoing PCI DSS costs, lead times and risks.
You’ll also need to find the right solutions for your specific business requirements, as merchants use a variety of technologies to implement e-commerce functionality. If you run a contact centre, for example, consider AgentSecure, a cloud-based service that prevents credit card data from entering your enterprise in the first place, as a cost-effective option.
Credit card data scans
If you have historically stored or processed card data yourself, and you are concerned about where it may still sit, a scanning service will expedite the discovery process significantly. A scan finds card numbers in places you may not expect them (call notes, application logs, spreadsheet exports, database backups), validates each hit against the card-number check digit so you are not chasing phone numbers and order IDs, and lets you prioritise remediation by the locations holding the most live card data, minimising financial exposure as quickly as possible.
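The following is an added illustration of the scan and the tokenised remediation described above; it is not IPSI’s scanning or tokenisation product. It finds candidate card numbers in a set of records, keeps only those that pass the Luhn check digit, reports them masked (first six and last four digits only), ranks locations by how many live PANs they hold, and then replaces each PAN with a token from a stand-in vault so the records no longer contain card data. The records, file names and the `TokenVault` class are constructed for the example; the card numbers are scheme-published test numbers, not real accounts.

```python
"""Card-data discovery and tokenised remediation (added example, not IPSI code)."""
import re
import secrets
from collections import Counter
from typing import Dict, List, NamedTuple, Tuple

# A PAN is 13 to 19 digits; people type them with spaces or hyphens between
# groups, so allow an optional separator after every digit except the last.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check digit used by all the major card schemes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scheme(digits: str) -> str:
    """Rough issuer identification from the leading digits (IIN ranges)."""
    if digits[0] == "4" and len(digits) in (13, 16, 19):
        return "Visa"
    if len(digits) == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    if len(digits) == 15 and digits[:2] in ("34", "37"):
        return "American Express"
    return "Unknown"


def mask(digits: str) -> str:
    """Report a PAN as first six / last four, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class Finding(NamedTuple):
    location: str
    masked_pan: str
    scheme: str


def scan_records(records: Dict[str, str]) -> List[Finding]:
    """Find Luhn-valid PANs per record; regex hits that fail Luhn are dropped."""
    findings = []
    for location, text in records.items():
        for match in PAN_CANDIDATE.finditer(text):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_valid(digits):
                findings.append(Finding(location, mask(digits), scheme(digits)))
    return findings


def prioritise(findings: List[Finding]) -> List[Tuple[str, int]]:
    """Locations ordered by number of live PANs, i.e. by financial exposure."""
    return Counter(f.location for f in findings).most_common()


class TokenVault:
    """Stand-in for the third-party vault (hypothetical; in memory for the demo).

    A real vault holds the PAN encrypted outside the merchant's environment and
    is the only place a token can be reversed; the merchant keeps only tokens.
    """

    def __init__(self) -> None:
        self._token_by_pan: Dict[str, str] = {}
        self._pan_by_token: Dict[str, str] = {}

    def tokenise(self, pan: str) -> str:
        if pan not in self._token_by_pan:           # stable token per card for recurring billing
            token = "tok_" + secrets.token_urlsafe(12)   # random, not derived from the PAN
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def detokenise(self, token: str) -> str:
        return self._pan_by_token[token]


def remediate(records: Dict[str, str], vault: TokenVault) -> Dict[str, str]:
    """Replace every valid PAN with a vault token; other digit runs are left alone."""
    def swap(match):
        digits = re.sub(r"[ -]", "", match.group())
        return vault.tokenise(digits) if luhn_valid(digits) else match.group()
    return {loc: PAN_CANDIDATE.sub(swap, text) for loc, text in records.items()}


# Constructed sample data standing in for historical storage locations.
SAMPLE_RECORDS = {
    "crm/notes.txt": "Customer called re card 4111 1111 1111 1111 exp 12/26, mobile 0412345678",
    "logs/app.log": ("2024-03-01 order=4111111111111112 pan=5555555555554444 status=ok\n"
                     "2024-03-01 order=77 pan=4012888888881881 status=ok"),
    "billing/export.csv": "id,card\n1,378282246310005\n2,not-a-card",
}

if __name__ == "__main__":
    found = scan_records(SAMPLE_RECORDS)
    for f in found:
        print(f)
    print(prioritise(found))
    print(remediate(SAMPLE_RECORDS, TokenVault())["logs/app.log"])
```

Note what the Luhn step buys you: the 16-digit order ID in the log and the customer’s mobile number are never reported or altered, while the genuine card numbers in free-text notes, logs and exports are all caught. After remediation the same scan over the rewritten records returns nothing, which is exactly the evidence you want for the report stage.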
Part of achieving and maintaining compliance is engaging the right independent parties: the Qualified Security Assessor (QSA), who validates your compliance; the technology provider (e.g. IPSI), who supplies the vaulting, tokenisation and payment services; and the remediator (e.g. IPSI), who fixes what the assessment finds. All three are central to achieving and maintaining PCI DSS compliance. IPSI is unique within the Australian market in the depth and range of its PCI DSS services and solutions.
With cybercrime and card fraud continuing to rise, it can be challenging for a business to achieve PCI DSS compliance and then maintain it. If you would like to speak with a PCI DSS consultant, please feel free to contact us to discuss your particular requirements.