Few small companies are complying with credit card processing best practices as laid out in the Payment Card Industry Data Security Standard (PCI), which could open them to costly litigation down the road.
Just 28 percent of small businesses report being PCI compliant, compared to 75 percent of large ones, according to a recent Ponemon Institute study. But actual small company compliance is probably lower, say some analysts. Many small organizations can self-certify, as opposed to bringing in a third-party tester. Many may be just “checking the boxes” without proper work or thought, says John Kindervag, a Forrester Research senior analyst.
Cost of compliance is the main impediment, according to the Ponemon study. Compliant companies spend, on average, 35 percent of their IT security budgets on PCI. Complexity ranks as the second factor in noncompliance, says the study.
But not complying may be more costly in the long run because companies that suffer breaches may get hit with lawsuits. To avoid that unhappy ending, IT departments need to show senior executives that compliance is worth funding, both for legal reasons and to further business objectives.
For such an approach, analysts recommend ensuring that someone is charged with spearheading PCI. “Sometimes it’s important to give people a stake in business efforts,” says Stephen Walker, a managing director at Colborn Morrison, a Richmond, Virginia-based business strategy and consulting firm. This person could be responsible for drawing up a PCI strategy and for oversight.
It’s important to approach upper management with a business-oriented mind-set, Walker says.
Security managers should also communicate some of the costs of noncompliance. So far, fines have mainly been levied against large firms, but this will likely change, say some analysts. If a data breach occurs, noncompliance could significantly increase litigation risks.
PCI can have marketing benefits, says Walker, appealing to consumers who care about data protection. Compliance could also affect how a company is perceived by other firms. In a potential merger situation, for instance, it could raise a company’s value.
For companies without a mature security program, “I always recommend using PCI as a baseline,” Walker says. Though the regulation focuses on financial data, it can also protect other sensitive information such as Social Security numbers, he says. PCI can help companies streamline security and regulatory compliance.