
Top tips for PCI DSS compliance from NCC Group

June 24, 2009

PCI DSS compliance is a big issue for retailers, every day of the year. Every organisation that stores, processes or transmits cardholder data is required to be compliant with the PCI data security standard, but it can often be a daunting process.

Roger Rawlinson, Managing Director of Assurance at NCC Group plc, comments on the difficulties facing businesses looking to gain compliance with the standard.

“When you make the decision to become PCI compliant you are giving your customers peace of mind that their payment card transactions will be secure. But PCI compliance isn’t a once-a-year audit that ticks a box. It can mean a complete overhaul of your security procedures and often learning how to do things in a completely different way.

“But this is all small detail compared with the losses your business might face. Beyond huge fines, your brand, customer loyalty and corporate reputation are at risk. It doesn’t need to be difficult. It’s not a case of going above and beyond the regulations, it’s learning how to work within them to minimise the scope for data loss and breaches.”

Once compliance with the standard has been achieved, retailers need to maintain it. NCC Group plc has provided some tips for retailers on how they can gain, and keep, compliance.

Top Tips for PCI Compliance

  • Do you need to keep credit card data? If not, securely dispose of it! Where you need to retain it - secure, segregate, protect and monitor it.
  • Identify where you store, process and transmit cardholder data – there are tools available to ascertain the spread of data in your organisation.
  • Reduce the size of the environment where cardholder data is held – use segregation to minimise this footprint.
  • Who has access to what in your business? Where can they access it from? Is it necessary and justified?
  • Engage with Third Party Providers early – check their credentials and their processes. Run a third party compliance programme. Remember you can be guilty by association.
  • Talk to your acquiring bank and share your progress with them, remember they can provide practical advice in keeping compliant.
  • It’s not all about the technology – ensure your policies and procedures take cardholder data into account. Awareness training at all levels is vital to on-going compliance.
  • PCI DSS isn’t about just ticking a box, it isn’t a once-a-year audit – it isn’t even ‘best practice’. It needs to be standard practice throughout your business and everything you do.