Financial Regulation and Supervision


Regulation and supervision are essential if an institution is to meet its obligations, financial and otherwise. The two terms are often used interchangeably, but there is a distinction: regulation is rule-making, while supervision is monitoring and enforcement (EU report, 2008-2009). Rules should be clear and easily understood by all who are bound by them. Supervision is the process of ensuring that those rules are adhered to and that, where an institution governed by them fails to comply, the consequences follow.

Executive Summary

The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization that stores, processes or transmits cardholder data, whether from debit or credit cards. The standard is maintained by the PCI Security Standards Council, a body founded by the major card brands, MasterCard among them (Grebmer, 2008). It sets out requirements that organizations must meet to safeguard cardholder data and keep transaction information secure, and failure to adhere to them carries penalties imposed through the card brands and acquiring banks.

This report looks at the drivers behind the regulation and supervision of PCI DSS and at some of the factors that inhibit compliance. Despite those inhibitors there are a number of benefits that flow from compliance, and these are discussed. Compliance is not a statutory requirement in most jurisdictions; it is a contractual one, imposed by the card brands through the acquiring bank, and the consequences an organization faces for non-compliance are also discussed. Those consequences mean that organizations are in practice forced to comply. The report therefore sets out the stages of compliance and answers the question of what options Andrews Pick & Mix has with its bank.

Since PCI DSS compliance is not an easy task it is usually advisable to engage a specialist firm to guide the process so that it does not become overwhelming. The advantages of appointing a firm to advise on PCI DSS compliance are also discussed. This report is therefore a brief summary of the drivers and inhibitors that shape the rules, and of the implementation process, of the Payment Card Industry Data Security Standard.

Drivers Behind the Regulation and Supervision of PCI DSS

The PCI Security Standards Council is responsible for a framework intended to ensure that the interests of cardholders are properly protected. It publishes materials and tools that communicate security risks to cardholders and to the organizations that handle their data, and that provide information on any issues concerning the security of their cards (SSC, 2011. Security Standards). The main standard is the PCI DSS, which provides the guidelines and an actionable framework for building a comprehensive security programme, including the detection of and response to security incidents. The council also ensures that participating organizations are properly trained and kept informed of security issues so that they do not lose money to fraud; it can also provide in-house training where required (SSC, 2011. Getting Started).

The standard is organised into twelve requirements. Together they are intended to ensure that payment card data is handled safely and that the risk of compromise is kept low (SSC 2011, Getting Started). The council describes compliance as a continuous three-step cycle: assess, remediate and report. The steps are discussed below.


Assess

This is the first step. It includes taking stock of all IT assets and business processes involved in card processing, tracing the flow of cardholder data from the point of capture to the end of the transaction, and identifying where that data is stored, processed or transmitted and how it is exposed. This includes assessing the hardware and software used to ensure there are no weaknesses that could pose a security threat.

Every system component that stores, processes or transmits cardholder data is in scope, and sensitive authentication data such as PINs and PIN blocks must never be retained after authorization. It is at this point that the self-assessment questionnaires (SAQs) and Qualified Security Assessors (QSAs) can be used to establish what compliance requires. It is also important to note that PCI DSS scope extends to third parties that form part of the process flow, such as hosting providers and payment service providers, so these too must be compliant. A third party's non-compliance poses a real threat, because a company may be held responsible for a breach even when the failure did not occur within the company itself.


Remediate

This is the second step and involves fixing any vulnerabilities in IT systems and in the way an organization safeguards cardholder data. Vulnerability scans of the network are performed regularly with tools that detect known weaknesses, and the self-assessment questionnaires can be used to check whether the organization meets the compliance criteria. The vulnerabilities found are prioritised in order of seriousness and the necessary changes are made to systems and processes; where possible, cardholder data that does not need to be kept is deleted, since data that is not stored cannot be stolen. Experts can be involved at this point to ensure that all the important details are captured.


Report

All businesses, regardless of size, must validate and report their compliance to their acquiring bank and the card brands. How that is done depends on the merchant level, which is set by transaction volume: the largest merchants must have an annual on-site assessment by a Qualified Security Assessor, resulting in a Report on Compliance, while smaller merchants complete an annual self-assessment questionnaire. In addition, where systems in scope are reachable from the Internet, quarterly external vulnerability scans must be performed by an Approved Scanning Vendor (ASV). The exact requirements vary with the acquirer and the circumstances.
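The assessment step depends on knowing where cardholder data actually sits, and a data-discovery scan is the usual way to find out. The following is an added example written for this page; it is not code from the paper or from any PCI SSC tool. It runs a PAN search with a Luhn check over a constructed log extract, flags sensitive authentication data (a logged CVV) and masks each hit to first six and last four digits, the most that PCI DSS Requirement 3.3 permits to be displayed. The log lines and the function names are this example's own assumptions.

```python
import re
from typing import List, Tuple

# Constructed sample log of the kind a cardholder-data discovery scan would be
# pointed at during the Assess step. Line 1 holds a 16-digit order ID that is
# not a card number; lines 2, 3 and 5 hold well-known card-brand test PANs
# written in different separator styles; line 2 also logs a CVV, which is
# sensitive authentication data that must never be stored after authorization.
SAMPLE_LOG = """\
2011-03-01 10:02:11 order=1234567890123456 status=ok
2011-03-01 10:02:12 DEBUG card=4111 1111 1111 1111 exp=12/13 cvv=123
2011-03-01 10:03:40 DEBUG card=5555-5555-5555-4444 exp=01/14
2011-03-01 10:04:02 phone=+44 20 7946 0958 customer=Andrews Pick & Mix
2011-03-01 10:05:00 DEBUG card=378282246310005 exp=09/12
"""

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjacent to other digits.
PAN_PATTERN = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Fields that indicate sensitive authentication data being logged.
SAD_PATTERN = re.compile(r"\b(cvv2?|cvc|pin)\s*=\s*\d{3,6}", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Every real PAN passes this check, so it removes most numeric noise
    (order IDs, phone numbers, timestamps) from the candidate set.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Mask a PAN to the first six and last four digits.

    This is the most that PCI DSS Requirement 3.3 allows to be displayed;
    the scan report uses it so the report itself does not become a new
    store of cardholder data.
    """
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[Tuple[int, str]]:
    """Return (line number, unmasked PAN) for each Luhn-valid candidate."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", match.group(0))
            if luhn_valid(digits):
                hits.append((lineno, digits))
    return hits


def find_sad(text: str) -> List[Tuple[int, str]]:
    """Return (line number, field name) for each logged CVV/PIN value."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in SAD_PATTERN.finditer(line):
            hits.append((lineno, match.group(1).lower()))
    return hits


def scan_report(text: str) -> List[str]:
    """Produce the findings a scan would hand to the remediation step."""
    report = []
    for lineno, pan in find_pans(text):
        report.append(f"line {lineno}: unprotected PAN {mask_pan(pan)}")
    for lineno, field in find_sad(text):
        report.append(f"line {lineno}: sensitive authentication data ({field}) stored")
    return report


if __name__ == "__main__":
    for finding in scan_report(SAMPLE_LOG):
        print(finding)
```

The Luhn check is what makes such a scan usable: on the constructed log the order ID on line 1 has the right length but fails the check and is dropped, while the three test PANs and the logged CVV are reported. A production discovery scan covers far more than text logs (databases, backups, memory dumps, file shares), but the filtering and masking logic is the same.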

Inhibitors of PCI Compliance

PCI compliance may look like a simple task but it is far from simple. It requires a systematic strategy, and it is a continuous process of protecting the confidentiality of data and keeping systems trustworthy across a wide range of business areas. Encryption, and the key management that goes with it, must be maintained indefinitely and can make compliance complicated. The technology involved is complex, which makes it difficult to implement, especially for organizations with a small flow of transactions.

The finances involved are also considerable, and this may place a strain on compliance. The cost may come from changes to existing systems or from buying the IT infrastructure needed for compliance. The project also requires resources, in particular experts who may charge a large sum for their services. The time the company spends rolling out the project, and the involvement of senior management, cost the company valuable time, and time is money.

Benefits of Compliance

Many small organizations may find it difficult and confusing to become PCI compliant. They might not see the importance at first glance, but being PCI compliant can have a very positive impact on any business. Some of the benefits are discussed below.

One benefit of compliance is that an organization has assurance that its systems are secure, and this is perceived positively by customers. Customers' trust in an organization increases if they are confident that sensitive information about their cards is protected and that their transactions are safe. This can lead to a larger customer base in future, through repeat business from current customers and the referrals they make on the strength of that trust.

Compliance also gives an organization a good reputation with the partners it needs to do business with. Staying compliant means an organization is ahead of the pack on security, so the chances of card data being compromised are minimised (SSC, 2011. Why Comply?).

There are also indirect benefits. As the standard is revised, a compliant organization will find it easier to move to the new version than one that is not compliant, which would have to start from scratch. Compliance also drives an efficient IT infrastructure, since one cannot be PCI compliant if the infrastructure is wanting (SSC, 2011. Data Security Standards).

Consequences of Non-Compliance

Non-compliance can have very negative effects. One of them is customer dissatisfaction when data is compromised (SSC, 2011. Security Standards). Partners are affected too, and the resulting bad word of mouth can lead to loss of business, damaged relationships in the community the company serves and, for a public company, a depressed share price. Non-compliance also has direct financial consequences: insurance claims, fines and lawsuits, any of which can weaken a company's financial position.

Andrews' Options with the Bank

From the discussion above it is clear that, although compliance may not be a legal requirement, it is in the interest of any organization that handles cardholder data to comply with the standard, and the acquiring bank will expect it. This is all the more so because of how customers and partners perceive non-compliance: companies that are not compliant are seen as risk-prone and a breeding ground for fraud. That perception can cost a company its reputation, and fines can cost it money (Seagren, E. 2007). It is therefore important that Andrews complies with the standard so that it is seen as a secure company that clients can rely on for their transactions. The repeat business that follows is also good for the growth of Andrews.

Benefits of Appointing a Company to Advise on PCI DSS Compliance

Most organizations try hard to become PCI compliant and end up spending a great deal of money doing so (Network World, 2011, pg. 1). Advice from firms that have already taken companies through compliance helps a company get there more efficiently. The investment needed can be very high if the process is not followed properly, and involving experts from the outset can cut those costs. The savings can be put into other projects that bring in income instead of being spent on compliance.

Most organizations want to become compliant before they even understand the gaps in their own environment. Every organization must first establish where it stands, otherwise a PCI compliance effort can go badly wrong. It is therefore important to appoint a company to advise on compliance so that the process runs smoothly. One area where advice is needed is the IT infrastructure, both the hardware and the software components that must be in place for compliance. This is specialised work, best done by experts such as a firm that advises on compliance, because the infrastructure is sometimes highly specialised and the resources available in-house may not be enough.

For PCI compliance to succeed there must be interaction across the organization (Network World, 2011, pg. 3). Different departments need to work toward a common goal, and expert advice helps ensure that this cooperation happens in an efficient and acceptable manner. There also needs to be a PCI project manager to keep the compliance process running smoothly, and this manager should be appointed by a qualified company for the process to be efficient.

A decision may be made to outsource PCI compliance resources, including staff and infrastructure, especially if the current systems cannot support the compliance process. Whether to outsource is itself a question that may require expert advice, so a firm may be needed to advise on this important step. There also needs to be a remediation project plan that critically assesses the gaps identified in the pre-assessment reports; this helps ensure that the compliance project plan is implemented in the right way, and it too needs expert input.

The PCI compliance project must also be implemented correctly, so an expert firm should be involved to ensure that every requirement for compliance is met. There are many requirements, and if any one of them is not satisfied the company will not be compliant. Working through the details of the whole process is a job for an expert (Chuvakin, A., Williams, B., 2009).

From the discussion above it is clear that there are many advantages to appointing a company as an advisor on PCI DSS compliance, because of the many areas of expertise involved both before and after compliance is achieved. Post-compliance supervision and monitoring are important to ensure that the system is meeting its objectives and that the people operating it are coping; otherwise there will be no benefit from complying. Any issues should be assessed and corrected before it is too late.

Supervision and monitoring are very important and also require experts, so that people do not drift back to their old practices because they are having problems with the new system.


Conclusion

PCI DSS compliance is not an easy task, especially for a small company like Andrews Pick & Mix, because of the process involved before compliance and the monitoring required afterwards. However, there are many advantages that come with compliance, and it is therefore important to comply. The financial implications for a small company can be high and can destabilise its resources, so cost can be a significant inhibitor.

However, the benefits outweigh the costs, and the costs can be reduced further by engaging an expert well in advance to make the whole compliance process efficient. It is therefore advisable for Andrews to comply and enjoy these benefits rather than remain non-compliant and be perceived as a high-risk organization.

Reference List

Chuvakin, A., Williams, B., 2009. PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance. UK: Elsevier Science.

European Union Committee, 2008-2009. The Future of EU Financial Regulation and Supervision. Great Britain Parliament: House of Lords.

Grebmer, A., 2008. Information and IT Risk Management in a Nutshell. Germany: Books on Demand.

Network World, 2011. A Guide to Practical PCI Compliance. UK: Network World. Web.

Seagren, E., 2007. Securing Your Network for Free. Syngress.

Security Standards Council, 2011. PCI SSC Data Security Standards Overview. PCI Security Standards Council, LLC. Web.

Security Standards Council, 2011. Getting Started. PCI Security Standards Council, LLC. Web.

Security Standards Council, 2011. Why Comply with PCI Standards. PCI Security Standards Council, LLC. Web.
