What are the pitfalls of poor PCI-DSS compliance?

There are many reasons why a forward-thinking retailer which accepts credit or debit card payment would want to ensure they are achieving maximum compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Aside from the obvious legal implications, there is also something of a moral obligation in terms of ensuring that the personal information of your customers and clientele is secure at all times.

To fully understand the ramifications of poor vulnerability management, however, it is worth taking a closer look at the potential consequences that might befall an organisation which fails to adhere to the PCI DSS.

According to the PCI Security Standards Council (PCI SSC), the possible negative consequences of poor PCI DSS compliance include, but are not limited to, lawsuits, insurance claims, cancelled accounts, payment card issuer fines and government fines.

There is also the reputational impact of a security breach to take into account. When an organisation is found to have put the personal data of its customers at risk, this is likely to have an effect on the way in which that enterprise is perceived by the public.

This can have the knock-on effect of costing your company significant sales, as well as business opportunities and potential future partnerships.

Of course, the difficulty of PCI DSS compliance is that it is not simply a one-off investment. Due to the changing nature of cybercrime, as well as the evolving nature of your business itself, the PCI SSC requires organisations to be in compliance with the PCI DSS at all times.

Any retailer who accepts, processes or stores payment card information must be in compliance with the PCI DSS, whether they operate out of a standard brick-and-mortar store or via the web.

It's worth noting as well that government agencies which utilise payment card data must also comply with the PCI DSS, lest they suffer the consequences.

For example, technology website ZDNet recently broke the story of a business unit of the Queensland Department of Science, Information Technology, Innovation and the Arts (DSITIA) which has been failing to achieve PCI DSS compliance.

According to an article published by ZDNet on April 2, Smart Service Queensland (SSQ) "has been recording and storing Australians' credit card numbers without being compliant with the security standards that card issuers demand".

A spokesperson for the SSQ reportedly told ZDNet that calls made to the 13QGOV hotline – a phone line for which SSQ is responsible for ensuring security – are currently automatically recorded unless the caller makes a specific request otherwise.

The spokesperson noted that some of the calls made involved "transactions" and that personal and credit card details were sometimes being recorded – in conflict with PCI DSS v2.0 requirement 3.4, which requires the primary account number (PAN) to be rendered unreadable anywhere it is stored.
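As an added illustration of the kind of control a defender would put in front of stored call transcripts (this is example code, not anything from SSQ, ZDNet or the PCI SSC), the script below scans constructed transcript lines for card-number-like digit runs, confirms them with the Luhn check and, where one is found, truncates it to the first six and last four digits. The sample lines, the 13-to-19-digit heuristic and the choice of truncation as the way to satisfy requirement 3.4 are all assumptions of this example; the PCI DSS also permits hashing, tokenisation and strong encryption for the same purpose.

```python
import re

# Heuristic: 13 to 19 digits, optionally separated by single spaces or hyphens,
# not preceded or followed by another digit. Assumed range, not a PCI definition.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate a PAN to first six and last four digits, masking the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str):
    """Return (redacted_line, list_of_full_pans_found) for one transcript line."""
    findings = []

    def replace(match):
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_valid(digits):
            return raw           # order numbers etc. that merely look card-like
        findings.append(digits)
        return mask_pan(digits)

    return PAN_CANDIDATE.sub(replace, line), findings


def scan_transcript(lines):
    """Redact every line; return (redacted_lines, total_pans_found)."""
    redacted, total = [], 0
    for line in lines:
        clean, found = redact_line(line)
        redacted.append(clean)
        total += len(found)
    return redacted, total


# Constructed sample transcript. The card numbers are public test values
# that pass the Luhn check; the order number does not.
SAMPLE_TRANSCRIPT = [
    "Caller: I'd like to pay the fee over the phone.",
    "Agent: Card number please. Caller: 4111 1111 1111 1111, expiry 12/15.",
    "Agent: And the second card? Caller: 5500-0000-0000-0004.",
    "Agent: Your order reference is 1234 5678 9012 3456.",
]

if __name__ == "__main__":
    lines, count = scan_transcript(SAMPLE_TRANSCRIPT)
    print(f"{count} PAN(s) rendered unreadable")
    for line in lines:
        print(line)
```

Scanning stored transcripts is a detective control that limits how much readable cardholder data accumulates; it does not replace the preventive fix of not recording card details in the first place (for example, pausing the recording during the payment step), and a regex-plus-Luhn filter will miss numbers that are split across lines or read out with extra words between groups.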

Verizon principal security consultant Darren Firman told ZDNet that consumers should not let this revelation panic them, but suggested that he "would be conscious [that] I'm using a service that isn't PCI compliant".

This is just one example of the pitfalls of PCI DSS compliance that can befall an unwary business, and it highlights just how valuable external third-party security evaluations can be.
