PCI DSS compliance isn’t for you? (It can be)

The rules may not apply to you. But you should still apply the rules.

Wait. What?

True, that sounds like a head-scratching quote from New York Yankees legend Yogi Berra. But it is actually a very sensible suggestion for today’s businesses, particularly where the Payment Card Industry Data Security Standard (PCI DSS) is concerned. Ensuring the data you collect, update, share and store remains safe is mission-critical – even if you aren’t mandated to meet its standards.

PCI DSS, while intended for organizations that handle cardholder information, introduces principles almost any company can adopt. Regardless of size and sector, countless companies keep confidential data in their possession. This often includes personally identifiable information (PII) such as Social Security numbers and credit card account data, or sensitive internal documents.

Consider this: The National Small Business Association (NSBA) 2013 Small Business Technology Survey shows that the majority of respondents conducted these finance-related activities online:

• 85% buy supplies
• 83% manage bank accounts
• 72% pay bills or use electronic bill pay

Nearly half of respondents said they manage payroll online (44%) as well. And, 69% said they accept credit and debit cards as payment methods for their services. Point being, strong security that ensures the information you are collecting, accessing and protecting is vital.

On the topic of cybersecurity, the survey noted that close to half of the respondents reported being victims of a cyberattack:

“These attacks result in significant losses of time and service interruptions, and typically cost these firms thousands of dollars.

“Given this high level of concern, coupled with the time and financial drain cyberattacks pose for small firms, it is no wonder the majority would support legislation strengthening the penalties for those convicted of online theft.”

In the meantime, practicing the basic principles of PCI DSS can help in this ongoing mission to keep confidential information, well, confidential.

Enforcing PCI DSS standards enables you to build a more secure network. And by doing so, you create the opportunity to separate yourself from the competition. Where others may lack the appropriate security standards, your company is voluntarily taking the necessary measures.

It’s also important to realize that confidential data may be saved on employees’ mobile devices, which may have different security restrictions than the corporate server. Furthermore, the ease with which documents can be stored in the cloud (e.g., Dropbox) and accessed virtually anywhere raises a red flag regarding compliance.

Establishing rules for where data can be stored – and then conducting a network audit to ensure that data is properly protected – can help you answer two important questions:

• Where does your data reside?
• How is your data secured?

Those questions should be easy to answer. Remember, your goal is to reduce your risk profile. But it takes work. Implementing PCI DSS guidelines, even when it isn’t a requirement, is a sound strategy.

Think of it this way: Simply hoping critical information – not to mention your reputation – stays safe is a gamble that doesn’t offer great odds. Are you willing to bet your business’ livelihood on it?

Learn more about PCI DSS regulations in this GFI white paper.