We asked independent expert Philip Morton for his view:
“The Payment Card Industry (PCI) Data Security Standard (DSS) is over ten years old. In that time, has it made any difference to consumer protection and the wider fight against financial crime? A great question – one would hope so! However, hope may not be enough. Ten years is a long time. Plenty of time for any standard to be well understood and implemented as “business as usual” within organisations falling within the scope of the regulations. But the reality is that even ten years may not be long enough. With the unrelenting and increasing activities of cyber criminals all organisations need to “up their game” and start to invest seriously in the protection of their brands and customers. The PCI DSS should be viewed as a good foundation for protecting companies which take payments by credit and debit card. Such protections should be seen as essential and not “nice to have” optional extras. It would be ridiculous for a builder to skimp on the house foundations as the future safety of the whole house rests upon them. Similarly, wise Boards of Directors recognise the vital need to secure their organisation’s IT against the wiles of cyber criminals. And not only the IT estate, but also the organisation’s people and processes need to be educated and informed about the priority of business safety and security.
The harsh reality today is that companies which do not act decisively in the face of increasing cybercrime are gambling on their company’s future prosperity and taking massive risks on behalf of their stakeholders. Brand damage, large financial penalties and loss of customers, are the consequences that await all Boards of Directors if they ignore the increasing threat of what is now a highly organised cybercrime industry. If your organisation, no matter what sector and no matter what size, handles customer cardholder data, then PCI DSS must be an ongoing Board Agenda item and must be regarded as vital to your interests.
Philip D Morton
Director, Phyonis Limited
Philip is an independent payment card security and InfoSec consultant who has worked extensively across industry, including the airline, finance and telecoms sectors. Philip was a member of the PCI Security Standards Council (SSC) Board of Advisors from 2011 to 2018.