As the evolution towards a cashless society continues to gain pace, every organisation is becoming reliant upon credit and debit cards. There is growing awareness of the importance of compliance with the Payment Card Industry Data Security Standard.
It is designed to ensure companies protect sensitive cardholder account data from theft and fraud. Visa is becoming more stringent about companies adhering to this standard known as PCI DSS; it set a deadline of the beginning of this month for compliance.
Businesses with systems that do not comply could be fined by the card-clearing provider $US500,000 ($A572,000) an incident. A worst-case scenario could even include the suspension or revocation of a company's right to accept or process credit card transactions.
But the possibility of a data breach is a greater concern. When a company suffers from unauthorised access to customer card information, the results can be disastrous. Not only can a breach negatively impact brand perception, but it can also cause irreparable damage to customer confidence.
There are too many examples of companies that have suffered directly as a result of insecure data. Most recently, Radisson Hotel and Resorts, the international hotel chain, experienced a serious breach that compromised customer data, including credit card information. The company is now looking to "implement additional security measures designed to prevent a recurrence of such an attack".
Many companies are spending months collecting key audit trail information to demonstrate that they are following the right processes, an effort in time and resources that few can afford.
The problem is that system changes can very quickly take an organisation out of its compliant state and create security vulnerabilities. Without continuous system monitoring, it is impossible for an organisation to keep track of its compliance status between audits.
There are IT tools that make it easy for businesses to assess, audit, assure and automate the processes involved in achieving compliance.
Automation has to be introduced into the process to drive down cost and risk. Only by creating a continuous compliance process, one that uses real-time monitoring to highlight changes that could take the infrastructure into a non-compliant state, will an organisation be able to achieve compliance effectively in the long term.
Validating compliance can be simplified through two basic steps. The first is to measure where the gaps are between what the business is doing against the standard.
The organisation can then install system-infrastructure monitoring with change auditing to ensure compliance is sustained. Each detected change is assessed against the changes logged in the change-management database and against the compliance requirements, and IT staff are alerted to any unauthorised change. This raises an alert if the organisation slips and ensures security weaknesses are flagged before a customer-data compromise occurs.
By provisioning an audit trail of every system event, from unauthorised access attempts onwards, companies can easily prove their compliance during audits and lessen the amount of preparation and resources involved.
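The change-auditing step described above, as an added illustration rather than code from any product or from this article: monitored configuration files are fingerprinted against the baseline captured at the last audit, every difference is checked against approved change records exported from the change-management database, and anything not covered by an approved record becomes an alert. File paths, contents and change records are constructed sample data.

```python
import hashlib
from datetime import datetime, timedelta

def digest(content: bytes) -> str:
    """SHA-256 fingerprint of a monitored file's content (hex)."""
    return hashlib.sha256(content).hexdigest()

def is_approved(path, observed_at, approved_changes):
    """True if an approved change record covers this path at this time."""
    return any(rec["path"] == path and rec["start"] <= observed_at <= rec["end"]
               for rec in approved_changes)

def assess_changes(baseline, current, observed_at, approved_changes):
    """Compare the current state of monitored files with the compliant baseline
    and return (path, kind) for every change not backed by an approved change
    record; kind is 'modified', 'added' or 'removed'."""
    alerts = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            kind = "removed"
        elif path not in baseline:
            kind = "added"
        elif baseline[path] != current[path]:
            kind = "modified"
        else:
            continue  # unchanged: still in the compliant state
        if not is_approved(path, observed_at, approved_changes):
            alerts.append((path, kind))
    return alerts

# Constructed sample data (not from the article): baseline from the last audit,
# the state observed now, and one approved change ticket from the CMDB.
NOW = datetime(2024, 1, 15, 10, 0)
BASELINE = {
    "/etc/ssh/sshd_config": digest(b"PasswordAuthentication no\n"),
    "/etc/firewall/rules": digest(b"allow 443/tcp\n"),
    "/etc/app/tokenizer.conf": digest(b"mask_pan=true\n"),
}
CURRENT = {
    "/etc/ssh/sshd_config": digest(b"PasswordAuthentication yes\n"),  # no ticket
    "/etc/firewall/rules": digest(b"allow 443/tcp\nallow 8443/tcp\n"),  # ticketed
    "/etc/app/tokenizer.conf": digest(b"mask_pan=true\n"),  # unchanged
    "/etc/cron.d/new-job": digest(b"0 3 * * * root /opt/report.sh\n"),  # no ticket
}
APPROVED = [{"path": "/etc/firewall/rules",
             "start": NOW - timedelta(hours=2), "end": NOW + timedelta(hours=2)}]

if __name__ == "__main__":
    for path, kind in assess_changes(BASELINE, CURRENT, NOW, APPROVED):
        print(f"ALERT: unauthorised change ({kind}) to {path}")
```

The approved firewall change produces no alert, while the weakened SSH setting and the new cron job, neither of which has a change record, are flagged for IT staff.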
Organisations cannot afford to be intermittently compliant; the risks of breaches are too great and the costs of manual audits too high.
Data breaches are a real and serious threat to companies with insecure data. However, continuous compliance with policies such as the PCI DSS can help companies protect their sensitive cardholder information.
Without automation through continuous monitoring and reporting, the compliance process is both resource intensive and potentially valueless: why spend months achieving PCI DSS compliance only to slip out of compliance due to a system change within weeks?
It is possible to simplify and automate the compliance process, but failure to continually monitor for non-compliance will add cost, consume resources and, critically, introduce significant business risk.