Companies processing credit card data must keep customer information secure and in line with the PCI Data Security Standard. While this requirement seems straightforward, retail expert Randy Davidson recently stated in a podcast that some companies mistakenly believe new technology has taken some of the urgency out of attaining PCI compliance.
Davidson specified that while many new technologies help companies keep payment information safe, PCI compliance is neither optional nor avoidable and will remain important in the future.
Requirement still important
"[Personal identification number use] doesn't change the PCI requirement, and although they're coupled together in some capacity, PCI compliance deals with the storage of credit card data or how it's handled from an infrastructure security perspective. The chip and PIN technology adds just that additional level of security at the time of processing," said Davidson.
Davidson has found, in his time observing retail operations, that many sellers are unaware of how deeply PCI standards must be integrated into their systems. Many retailers, by Davidson's reckoning, believe that if they secure their point-of-sale software, customer data will be safe. He counters that PCI compliance is not limited to software systems such as point of sale or databases; it also includes a number of behaviors and controls that companies must adopt to make sure important customer information is not tampered with.
Another misconception Davidson has encountered is retailers' desire to move data off-site in order to avoid implementing PCI-mandated protections. He stated that a move to hosted or cloud storage does not absolve companies of their security requirements: a provider's own compliance covers only the services it delivers, not the merchant's obligations. Companies remain responsible for keeping cardholder data protected and private from the point of sale onward, and for maintaining that coverage for as long as the data resides anywhere their systems can access it.
The avoidance of PCI compliance, especially among small to medium-sized businesses, has been widely noted by retail industry watchers. According to Fox Business, security insider Kathleen Ervin has noticed that many SMB owners are not aware that PCI standards exist, and that some who are aware have fallen out of compliance anyway.
Ervin told Fox Business that the "golden rule" for companies handling customer data is to keep shopper data the way they would want their own data kept. From there, businesses can dive into PCI compliance. Firms that shirk their PCI duties are putting important customer information at risk, and in the event of a data breach the consequences could be severe.