Mention PCI compliance standards, and the typical business owner will probably spout off about how they are an expensive burden that offer little in return. However, PCI compliance can provide value in the form of savings and protecting business interests.
Case in point: An owner of two small magazine stores was surprised to discover that hackers had installed software on his registers and stolen credit card information. After an investigation, at the owner’s expense, he was out over $20,000 — half his annual profit.
“His experience highlights a growing threat to small businesses. Hackers are expanding their sights beyond multinationals to include any business that stores data in electronic form. Small companies, which are making the leap to computerized systems and digital records, have now become hackers’ main target,” according to a Wall Street Journal article.
In a sense, adhering to PCI compliance standards is becoming something like an insurance policy — one that protects businesses while eliminating unforeseen expenses. Driving that value is the fact that the payment card industry has come down hard on both retailers and other organizations that store or have access to credit and debit card information by imposing heavy penalties for violating PCI compliance standards.
That translates to SMBs focusing more on security and incorporating regular and automated systems management to maintain compliance and prevent hacking.
Luckily, standards exist, ones that make it that much easier to meet PCI compliance. Take, for example, PCI DSS — now in version two — which spells out what is needed to secure the data associated with payment card-based transactions.
PCI DSS shows it takes more than just encryption and secure data storage to meet PCI compliance. Businesses need to incorporate management mechanisms, actively manage their systems and perform audits. PCI DSS includes 12 requirements for building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability management program, implementing strong access control measures, regularly monitoring and testing networks, and maintaining an information security policy.
It is those standards that show where additional value can be wrung out of PCI compliance. After all, improvements in security and operations always lead to measurable results.
Frank Ohlhorst is an award-winning technology journalist, professional speaker and IT business consultant with more than 25 years of experience in the technology arena. He has written for several leading technology and business publications, and was also executive technology editor at eWEEK and director at CRN Test Center.