Securing card payments

Peter Tinson, UCISA’s Executive Secretary, attended the PCI DSS SIG conference this week to find out more about the standard which is intended to protect payment card data and processes. The PCI (Payment Card Industry) Data Security Standard is a global standard; compliance with the standard reduces the risk of credit card fraud and the resultant cost (both financial and reputational) to the organisation.

The scale of the problem cannot be underestimated. A Government report on the results of a survey on information security breaches revealed that over 90% of large organisations (those employing over 250 people) were affected by security breaches with an average of 113 breaches per organisation in 2012. This is perhaps indicative of the growth in cyber crime which can range from the sale of credit card numbers through to sophisticated schemes to steal on a large scale.

There was great mention of risk throughout the day. Clearly a starting point has to be that the institution needs to know where payments (or card details) are being taken and whether or not the information is stored. Once the location of information is known, an assessment can then be made of the risk (and impact) of its loss and proportional measures introduced to protect and secure it. There was general agreement that the potential loss of payment card data should be included in the institution’s risk register and so be clearly visible to the governing body.

Implementing technical measures to protect data is only part of the solution. The report on information security breaches notes that over a third of breaches were the result of inadvertent staff error. Training of staff is critical to ensure that staff are aware of their responsibilities; this needs to take place at the start of employment (including when there has been a role change within the institution) and at regular points thereafter (the suggestion was at least annually).

Whilst poorly trained staff present a risk to security breaches, so too do poor processes. One of the recommendations made at the conference was to review business processes to see whether they could be re-engineered so that it was not necessary to use card data. Obviously if card data is not being used in a process, then the risk of its loss disappears and so too does the need to comply with the DSS.

This summary only gives a brief snapshot of some of the issues being faced by institutions seeking to implement the standard. It was clear that institutions are at different stages in their adoption of the standard and that the barriers to adoption are not always technical. UCISA is looking to work with the PCI DSS SIG and with our sister organisation for Finance Directors, BUFDG, to promote best practice in this area and so reduce the risk of our institutions falling victim to fraud.

Leave a Reply

Your email address will not be published. Required fields are marked *