PCI DSS Certification – why it matters and what you need to know
By Darren Sullivan, COO, Ultracomms
The Payment Card Industry Data Security Standard (PCI DSS) requires organisations that process credit card data to achieve, and be able to demonstrate, compliance across 12 highly defined areas of cardholder data management and privacy. Established for some years, this is a worldwide standard that applies not just to large enterprises but also to SMEs, who do not always make headline news when a security breach occurs.
Failure to achieve compliance can lead to more than just a fine. An organisation that handles payment card transactions and has suffered a suspected breach can be investigated by a PCI Forensic Investigator (PFI), leading to a detailed assessment of the organisation’s network and processes. The organisation will incur the full financial liability for that investigation. Such a breach can easily cost a minimum of several hundred thousand pounds in remediation work, fines and consequential liabilities, and can even result in financial institutions terminating their relationships with the company that allowed the breach to occur – and that’s without the cost of reputation loss and damage to the brand.
The benefits of working with PCI DSS certified service providers include giving end customers the confidence that their financial information is being protected; employees the reassurance that they are not being inadvertently exposed to customer data; and organisations the ability to demonstrate that they care about customer experience and compliance.
Going through the PCI DSS certification process can be costly, challenging, and time-consuming, but there are significant benefits too. As an organisation that is going through the process of PCI DSS Level 1 certification, Ultracomms provides a quick insight into what companies should know.
1. Compliance and certification are not the same thing – what a lot of people don’t realise is that there is a difference between certification and compliance. While many organisations claim to be compliant, to be certified by the Payment Card Industry Security Council requires an organisation’s technology, network, and internal processes to be audited by an independent Qualified Security Assessor (QSA), and a Report on Compliance (RoC) document issued.
2. Certification doesn’t happen overnight – with the correct processes and technology in place, it is possible to achieve PCI DSS compliance in as little as 6-8 weeks, but given that there may be variables and unknown factors, it is advisable to plan for a longer timeframe. Fortunately, there is plenty of well-documented guidance, including the required steps towards PCI compliance (see Box A).
3. Testing of systems and network security – this has to be carried out by a third party, so it is important to allow sufficient time for this and to select a provider in the early stages of the process, rather than trying to find a suitable testing organisation at the last minute. Enlist the services of an accredited QSA at the outset, and ask that firm to provide proof of its own certification.
4. The right technology can help – advances in technology can simplify the process of PCI DSS compliance. DTMF (dual-tone multi-frequency) clamping technology completely masks the customer’s payment information so that it does not enter the contact centre, and makes screen and call recording safe for organisations. In practice, this means that sensitive card details never actually enter the system, nor can the person handling the call hear or see those details, yet they can remain on the call (rather than passing a call off externally or running the risks associated with the traditional ‘pause and resume’ systems).
5. Certification can be expensive, but costs vary – achieving full certification can run into a six-figure sum. However, by choosing to work with a service provider that has already achieved PCI DSS Level 1 certification (such as Ultracomms), it’s possible for an organisation to gain its own certification for a fraction of the cost and in a much shorter timeframe, using the Self-Assessment Questionnaire (SAQ) process (as long as no previous breaches have been committed).
6. Don’t forget to factor yearly reassessment into PCI DSS strategies – once achieved, PCI DSS certification requires ongoing maintenance, an annual inspection and the provision of evidence by the organisation for evaluation by the third party tester before certification is re-confirmed.
Achieving PCI DSS certification is not a straightforward process, but the benefits far outweigh the effort involved, with the end result being far greater security for consumers, organisations, and their employees.
Darren Sullivan is COO at Ultracomms.