
SMEs that avoid PCI DSS compliance more vulnerable

Media Release

SMEs that avoid PCI DSS compliance more vulnerable to data security attacks

Billing solutions company shares its PCI DSS experience as it secures Level 1 compliance for second year running


AUCKLAND, 24 October 2012 – New Zealand’s leading billing solutions company Debitsuccess says that small to medium enterprises in this country that do not take into account the requirements of the Payment Card Industry Data Security Standard (PCI DSS) are leaving themselves open to data security attacks.

PCI DSS is a globally recognised information security standard for organisations that store, process or transmit cardholder information. The standard was created in 2004 with the collaboration of five major international credit card companies to improve controls around cardholder data for the purposes of reducing credit card fraud.

Mr Tamuka Nyawo, Group Compliance Manager for Debitsuccess, says the company – which is today hosting an information event about PCI DSS in association with the American Chamber of Commerce – is looking to inform more SMEs about their responsibilities around the PCI DSS because of the lessons it has learned through gaining Level 1 compliance with the standard for the second year running.

“Many smaller businesses need to be able to process credit card data. Consequentially they tend to store this credit card data unnecessarily. At the same time they may not be in a position to ensure the security of this data by undertaking the compliance process themselves due to the costs and complexity involved,” says Mr Nyawo.

“However, as more such Kiwi merchants move their operations into the e-commerce arena, compliance with PCI DSS becomes increasingly vital if they want to protect their customer data and their business.”

Mr Nyawo says Level 4 businesses – those that process less than 20,000 credit card transactions per year – are considered prime targets for hackers because at the moment they are permitted to perform self-assessments.

“Because the businesses that fall into the Levels 2 - 4 categories have no external assessor, they are naturally more vulnerable.

“Although Debitsuccess does not currently process the number of credit and debit card transactions that would mandate an external assessment to accredit the company as being Level 1 PCI DSS compliant, we have done so to protect the organisations with whom we work,” says Mr Nyawo.

“Debitsuccess handles billing for more than 1,200 businesses, making us one of the largest full service direct debit initiators in Australasia, so we take our data security very seriously.”

Mr Nyawo says while there is a significant amount of work undertaken prior to the assessment, compliance is an ongoing process involving constant vigilance and not just at the time of the assessment.

“As well as reinforcing staff awareness of the importance of PCI DSS compliance for the business, we have also initiated monthly tests of our systems to ensure that they are watertight in terms of compliance with the Level 1 accreditation.”

Roger Greyling – an experienced security consultant with Security-Assessment.com (a Dimension Data company) – was the Qualified Security Assessor (QSA) that undertook the external Report on Compliance (RoC) carried out at Debitsuccess in 2012. He says that Debitsuccess is a leading example of a company that is fulfilling its PCI DSS obligations.

“After initial due diligence, Debitsuccess decided to seek Level 1 compliance under the new ‘version 2.0’ Standard, which was not a compulsory requirement at the time. It is now one of just a few companies in New Zealand to meet the latest version 2.0 requirements.”

For more information about Debitsuccess, visit www.debitsuccess.co.nz

- ENDS -

© Scoop Media
