Get a Mentor: Some thoughts for your consideration: There is nothing new about the idea of mentoring. It is as old as you would like
Innovation as a social process for effective engagement with customers: What are the roots of innovation as a social process and what is the relevance of the
Is buying a distressed company a bargain or burden?: Every now and then an opportunity comes along that looks very hard to resist. If you’re a
Radio in Africa – Dead?: Remember the wonderful story about the African gentlemen who learnt to speak English listening to the BBC’s
Increased connectivity places SA Consumers at greater risk of financial scams: The price war among local broadband providers, and the surge in volumes of mobile devices in South
Advanced video streaming offers benefits across industry sectors for improved communication: With the exponential growth of connectivity, the explosion of smartphones, tablets and other devices, and the massive
SA SMEs urged to review credit payment practises to maintain competitive edge: A number of small and medium enterprises (SMEs) in South Africa are struggling to grow in the
CSI: Red Herring or Social Imperative?: Anyone with their finger on the pulse of marketing would know that we are moving towards a
Networking activities crucial to SME development and growth: Building relationships with the right individuals is key to the success of a business, due to the
2013 Tax Tips: The new tax season has begun. It is time to get your tax inputs in order.   If you
A+ A A-

Reduce scope to ease the pain of PCI compliance

Rate this item
(0 votes)
Reduce scope to ease the pain of PCI compliance

Businesses that process credit card transactions are under increasing pressure to comply with global Payment Card Industry (PCI) security standards – and if our experience at PayGate is anything to go by, the journey is likely to be a painful one. Anybody considering it should prepare themselves for at least two years of intense effort.

We are proud of our PCI compliance certification, and in our business as a payment services provider it’s essential to our ability to survive and thrive in the future. But along the way we have had to rethink and redefine the entire way our business is managed, from our IT infrastructure all the way through to our recruitment practices.

 

Based on what we’ve learned, if I had one piece of advice to give to anyone embarking on this journey, it would be this: Reduce the scope of the exercise as much as possible.

 

The need for PCI compliance applies to anyone who transmits, processes or stores full credit card details. So the first thing to do is take a good hard look at how you are using credit card information, and ask yourself if it’s really absolutely necessary to your business.

 

For example, for various historical reasons many systems still use credit card numbers as account numbers. This made sense in the old days – it was a convenient and easy way to identify your customer across multiple systems and different departments, from finance to marketing. But nowadays, when every system is being constantly probed for weaknesses by hackers and organised criminals across the globe, it’s a disaster waiting to happen.

 

There are only two choices in this situation: Either subject your entire organisation to PCI compliance – which I don’t recommend – or prune right back to one central card process that you can secure. This will have knock-on consequences for your CRM systems – but the costs will be much, much lower than PCI compliance.

 

Your goal should be that your systems should handle credit card information only when it’s absolutely necessary and unavoidable. If you can replace a stored card number with a secure token or alias, for example, do it. Tokenisation is a powerful security tool that we’re urging more and more of our customers to use.

 

In fact, if processing card payments is not your core business, there is a strong argument to outsource it to a third party completely. I believe in the next two to five years we’ll see many more companies, including point of sale (POS) system providers, turning over the complex and difficult business of processing card transactions to specialist providers.

 

If you absolutely can’t get away from the  need to process, store or transmit card details within your own systems, the first step is to isolate the storage of credit card numbers to one or two systems for which you can provide maximum security. Throw everything you have at it: Not just the usual firewalls and antivirus protection, but also data encryption, intrusion detection and file integrity management. Then have an outside security expert – an “ethical hacker” – test your system for vulnerabilities before you start working on your PCI certification.  The insight you gain will be well worth it.

Last modified on Thursday, 20 June 2013 13:02
Read 166 times
Published in Security
Tagged under
  • PCI compliance
  • credit card payment
  • credit card information
  • security
  • Point of Sale
  • hacking
Peter Harvey

Founder and Managing Director of PayGate and with more than 26 years in IT and payment processing, Peter is a master when it comes to architecting solutions to clients' exact requirements. He is a truly integral member of the PayGate team and works tirelessly to ensure their continuing culture of integrity and quality.

Website: www.paygate.co.za

Latest from Peter Harvey

Related items

  • To leverage the BYOD trend and protect the business, corporates need mobile device management software
  • Security trends: guarding the physical and the virtual environment
  • Think outside the credit card box to increase e-commerce sales
  • An end-to-end approach is critical to securing cloud computing
  • Are you naked on the Internet?
More in this category: « An end-to-end approach is critical to securing cloud computing 10 things you can do this year to guarantee you lose your valuable data »
Login to post comments
back to top

The SA Leader Magazine

Cover sml

In the September issue

Icanns Amanzon problem

The most significant risk in the future

Protection of Personal Information Bill to have significant impact on direct marketing industry

Get a Mentor: Some thoughts for your consideration

Subscribe

News Headlines

Prev Next
Copyright © 2013 gdmc (Geoffrey Dean Marketing Corporation cc). All rights reserved. Material may not be published or reproduced in any form without prior written permission. Use of this site constitutes acceptance of our Terms & Conditions and Privacy Policy. External links are provided for reference purposes. SALeader.co.za is not responsible for the content of external Internet sites.

Login or Subscribe