In light of the Coronavirus pandemic, this year’s summer Olympic games are not quite the same as those we’ve seen previously: smaller crowds, teams and countries forming isolated bubbles and, of course, the games being held a year later than scheduled. The effort the organisers have put into achieving and maintaining such high standards of security to safeguard those involved cannot be overstated, and it is no small accomplishment.
This got us thinking of the parallels between this year’s Olympics and PCI compliance – what lessons can we learn from Tokyo 2020 in how to overcome difficult hurdles?
Businesses that fail to protect their customers’ data leave them at a greater risk of falling victim to cyber-attacks and data breaches, which can prove costly. In 2021, a data breach costs on average $4.24m per organisation. But it’s not just the financial costs to consider. There is also the damage to brand reputation and consumer trust. Our own research shows that consumers around the world will avoid businesses in the event of a data breach, with significant numbers saying they would never return.
Around 86% of data breaches are for financial gain, meaning that payment information such as credit card details is a prime target for cyber criminals. It may come as a surprise to learn that the latest Verizon report found that only 27.9% of organisations were able to maintain full compliance with the PCI DSS in 2020. As is the case with this year’s Olympics, the time, effort, and resources needed to achieve the desired results are extensive. But as we’ve already seen, failure to do so is extremely damaging financially and to reputation and consumer trust.
But also like this year’s Olympics, organisations can achieve year-round PCI compliance through careful planning and collaboration. It only takes five steps:
Blue: Conduct a Formal Risk and Vulnerability Assessment
PCI DSS Requirement 12.2 requires that all organisations annually perform a formal risk assessment that identifies vulnerabilities, threats, and risks to their organisation, especially their Cardholder Data Environment (CDE). This requirement helps organisations identify, prioritise, and manage information security risks that could possibly lead to a data breach.
Yellow: Segment Your Company’s Network
To determine the scope of PCI compliance, organisations should segment their data network into separate sections to isolate card data from all other computing processes. This can reduce scope and the risk of breaches.
Black: Store Only What You Need
PCI DSS Requirement 3 covers the protection of cardholder data. For example, PCI DSS Requirement 3.1 requires organisations to keep cardholder data (CHD) storage to a minimum. By reducing the number of places this data is stored, your organisation reduces both the scope of PCI compliance and the potential severity of a data breach.
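Both the scoping exercise above and the "store only what you need" step begin with the same question: where does cardholder data actually live? The following cardholder data discovery scanner is an added example, not code from the original article or its author. It finds candidate primary account numbers (PANs) in text such as application logs using a digit-pattern regex plus the Luhn check (a heuristic, so it can still produce false positives on other Luhn-valid numbers), and it shows how the same data can be retained with the PAN truncated to its last four digits. The sample log is constructed for the example and uses publicly known test card numbers rather than real ones.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or hyphens,
# not preceded or followed by another digit. This is a heuristic pattern, not
# an authoritative definition of a PAN.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log. The card numbers are well-known test numbers; the
# 16-digit order id and the phone number are there to show what is NOT flagged.
SAMPLE_LOG = """\
2021-07-30T10:12:01Z checkout ok card=4111 1111 1111 1111 order=1234567890123456
2021-07-30T10:12:05Z refund card=5500-0000-0000-0004 amount=12.50
2021-07-30T10:12:09Z support tel=+44 20 7946 0958 ticket=98
"""


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _strip_separators(candidate: str) -> str:
    return re.sub(r"[ -]", "", candidate)


def find_pans(text: str) -> list:
    """Return every Luhn-valid PAN candidate found in text, separators removed."""
    found = []
    for match in PAN_RE.finditer(text):
        digits = _strip_separators(match.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits, the form PCI DSS allows for retention
    when the full PAN is not needed (e.g. for customer support lookups)."""
    return "*" * (len(pan) - 4) + pan[-4:]


def redact(text: str) -> str:
    """Rewrite text so that every detected PAN is replaced by its truncated form.
    Non-PAN digit runs (order ids, phone numbers) are left untouched."""
    def _replace(match):
        digits = _strip_separators(match.group())
        return truncate_pan(digits) if luhn_valid(digits) else match.group()
    return PAN_RE.sub(_replace, text)


def scan_report(text: str) -> list:
    """Return (line_number, truncated_pan) pairs so a reviewer can locate
    findings without the report itself becoming a new store of CHD."""
    report = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pan in find_pans(line):
            report.append((line_no, truncate_pan(pan)))
    return report


if __name__ == "__main__":
    for line_no, masked in scan_report(SAMPLE_LOG):
        print(f"line {line_no}: PAN found, retained as {masked}")
    print(redact(SAMPLE_LOG))
```

Run this against exported logs, database dumps or file shares as part of the annual scoping exercise; any system where it finds PANs is in scope for the full standard, and the choice is then to remove the data, truncate it as above, or bring the system under the Requirement 3 controls.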
Green: Assign a Specific Team / Team Member to Focus on PCI Compliance
Who you work with will be decided by where cardholder data is stored and how complex your CDE is. There may be some cross-department collaboration, so assigning roles and responsibilities gives a centralised ‘go-to’ within your organisation. This in turn makes you more likely to succeed in maintaining security and achieving compliance. Moreover, it satisfies much of Requirement 12 of the PCI DSS.
Red: Educate and Train All Employees
Requirement 12.6 of the PCI DSS requires organisations to implement a formal security awareness programme to make all personnel aware of the cardholder data security policy and procedures. In other words, train your team. Teaching employees the rules of compliance heightens awareness and reduces the risk of breaches, because staff know what is expected of them and how to mitigate risk.