PCI DSS Compliance – ESSENTIAL tips for SMEs
As a small to medium sized business owner you need to juggle cash flow, credit control, human resources, sales and IT management with fewer resources and a smaller budget than most large corporate organisations. If you accept credit card payments, you probably know you have to be PCI DSS v3.0 compliant, but a lack of time and knowledge may mean that you do not fully understand the security standard or how it applies to your company.
Two solutions to the lack of time and knowledge are to outsource the required skills to a trustworthy expert consultant who can give advice tailored to your company’s PCI requirements, or to take the time to do a short course so that you can confidently scope, assess and advise on your own unique business environment.
Either way, you will understand the fundamentals of the PCI DSS security standard and why compliance is necessary (or not!) for your company and for the security of your customers.
To help you out, we’ve put together some essential tips for those just starting out on the PCI DSS trail.
BOARD AND MANAGEMENT “BUY-IN”
Your first essential move is to ensure that your Board of Directors understand and agree with the PCI DSS Standard and what it represents. Having someone who can influence the whole company in the ethos of PCI DSS is important, as it can be crucial in determining the right budget and amount of resources that need to be allocated to securing compliance.
The responsible Board member can then direct other management and staff towards the required action and can report regularly to their colleagues on the state of current defences or deficiencies.
The skills for correct card data handling need to be embedded in company processes and culture to ensure your company adheres to the necessary standard.
A better understanding and deeper knowledge allows you and your company to make informed decisions about managing compliance, which will reduce costs and administration. Empowering your staff with key skills means they will no longer have to rely on poor third-party advice.
An understanding of the industry, the terminology, the flow of transaction data through the various stakeholders, and the relationships between those stakeholders is essential. Training also lets you look more closely at the compliance drivers: breaches that result in data compromise, which in turn leads to fraud.
Typical pitfalls on the path to achieving compliance can be avoided, and a programme-based rather than project-based approach to maintaining an ongoing compliant posture can be adopted.
2-sec run various PCI DSS training courses which are unique opportunities to hear a QSA (Qualified Security Assessor) Auditor’s perspective on scoping, gap analysis, remediation and assessment issues.
Relevant staff and managers can easily gain an understanding of the PCI DSS standard, its relation to other PCI standards such as PCI PTS and PA-DSS, and the means of validating PCI DSS compliance.
If the training budget is an issue, the Government has recently launched the Innovation Voucher, which provides up to £5,000 for undertaking IT training by accredited consultancies. Further information on the vouchers and how they can be applied to your company is available from 2-sec.
TRUSTWORTHY, CUTTING EDGE ADVICE BY EXPERT CONSULTANTS
Many PCI DSS concepts are difficult to understand and apply to your company without training or in-depth knowledge. If your company does not have the time, resources or budget to undertake training, now is the time for your responsible Board member to seek clear and honest professional advice from specialists in the PCI DSS field.
It is very common for businesses to be prescribed a “blanket” approach to PCI DSS when they do not need to comply with the more advanced aspects of the Standard. For example, a merchant that fully outsources card handling to a validated third party can often validate with a much shorter self-assessment questionnaire (SAQ A) rather than the full set of requirements, so accurate scoping of where card data actually flows is the first step.
At 2-sec we take the time to thoroughly understand your business processes and the flow of transaction data, so that your company is given tailored and up to date advice on the best way to achieve compliance with the standard.
Tim Holman, CEO of 2-sec, is a leading expert on PCI DSS in Europe with 20 years of professional experience. Tim has successfully delivered PCI DSS certification programmes for some of the UK’s major brands and has helped hundreds of companies with compliance over the past 8 years as a QSA / PA-QSA. Tim is an expert in PCI DSS v3.0 and can give bespoke advice on how to achieve the level of PCI DSS compliance your company requires.
It may sound dramatic, but when you consider how much valuable information your company handles from day to day, you begin to realise why cyber-criminals may be interested in exploiting weaknesses in your data handling processes.
In our experience most successful cyber-attacks arise from a failure to follow simple principles of defence. Ideally, all employees should understand and adopt the PCI DSS requirements, and understand why an attitude of perpetual vigilance is needed to keep their part of the company’s operations and information handling trail secure against attack.
The 2-sec team has extensive experience in advising companies and their staff on the essentials of cyber security and card data handling, and on how to embed PCI DSS compliance into a company’s business processes.
For more information or professional and tailored advice on any aspect of achieving PCI DSS compliance, please contact Tim Holman, CEO of 2-sec on firstname.lastname@example.org
Our next conference, on 12th February 2015, is “PCI DSS v3.0…the Lowdown”. This leading event features talks from 2-sec’s top consultants as well as Jeremy King, International Director of the PCI Security Standards Council. Booking details and further information are available from 2-sec.