“If a brand name is damaged, then confidence is destroyed and consumers lose trust,” Lara Fiorani, a communications manager for Visa Europe, told the Combating Cybercrime in Betting and Gaming conference in London on 22 January 2008.
“If your company suffers a large data breach that becomes public knowledge, you have to ask yourself, would you still be trading after reputation damage, and would your shareholders still trust you?” she asked attendees.
In 2007, many companies and government departments were subject to embarrassment when large-scale data breaches made the headlines. “The media are really starting to question industry compliance and progress in information security,” said Fiorani, “and it’s time that it be taken seriously.”
PCI-DSS, developed by the major credit card companies, is a security standard providing guidelines to help organisations that process card payments prevent credit card fraud, hacking, and other security vulnerabilities. A company processing, storing, or transmitting payment card data must be moving towards PCI-DSS compliance, or it risks losing its ability to process credit card payments.
“Compliance is now mandatory for everyone handling Visa cards,” said Fiorani, “and validation is required to ensure compliance. Validation means more than just box-ticking, it’s about reducing your risks – mainly, the risk of de-valuing your brand.” Although compliance can be costly, she said it worth investing in PCI, given the potential price: “The average cost of a data breach is €10 million (£7.4m, $14.8m), making the financial cost of compromise too hard to bear.”
The deadline for companies to be PCI-DSS compliant, and the compliance requirements, depends on how many transactions they make, with December 2008 the deadline for merchants with between 1m and 6m transactions a year. Fiorani said that all companies should now be showing that they are at least committed to becoming compliant, and that the majority of UK merchants were. “An increasing number of vendors are now compliant – having realised that PCI is an investment in risk reduction,” she said.
“Compliance has huge security benefits,” Fiorani continued, backed by the statistic that 84% of customers want to shop where merchants are security market leaders. “A secure merchant secures consumer trust” she said. Fiorani added that 75% of consumers say they would not shop at a store that had suffered a data breach.
“We need to reduce our information footprint,” Fiorani told attendees. “More than two-thirds of companies are storing data after transactions, and that needs to change. Merchants need to remove magnetic stripe and card verification data as soon as a payment is made. Storing it can only cause problems.”
Jim Noakes, head of transactional services for bookmaker Gala Coral, and chair of the session, summarised the worth of PCI-DSS compliance. “PCI is a way of keeping the external and internal bad guys out. A wide, open ‘spring clean’ is very important,” he concluded.