PCI Council Says Compliance Necessary For Secure B2B Payments

As companies get increasingly nervous about data security on B2B transactions, the PCI Council is offering some guidance about the need for merchants to better train employees and increase awareness about security protocols.

Providing resources to make companies compliant and implementing security training through structured employee education programs are two critical moves in preventing data breaches when it comes to B2B payments, according to PCI recommendations. The need for such measures, as demonstrated by the massive Home Depot breach, was illustrated in a recent article from BankSecurityInfo.com that details the need for merchants to adopt stronger payment card security standards. The PCI council also stressed that businesses that are not themselves compliant with security measures, or that lack training methods, are also left vulnerable to security risks from the companies they do business with, such as trading partners, suppliers, distributors or contractors.

“Awareness is a critical piece of any sound information security program, and organizations often prioritize awareness below technology controls, such as security hardware and software, seeing awareness as less important or ineffective,” Tom Willis, director at payments firm Ontrack Advisory, said in the article. “This is unfortunate. Information systems are set up and used by people; and since information systems are complex, human errors and omissions are a given. That becomes a natural source of vulnerabilities.”

“I’m sure some people will complain that the guidance is just another burden piled onto an already unmanageable workload,” Willis said. “But there needs to be room in every security program for awareness building.”

The PCI Security Standards Council identified three key areas, developed with input from retailers, banks and technology providers, that merchants need to implement in order to achieve better security practices: assemble a security awareness team to develop, deliver and maintain a security awareness program; develop security awareness content appropriate for the organization; and create a security awareness checklist to monitor and maintain the progress of the training program. By developing such internal programs, a business can make itself less susceptible to the B2B payment security issues that major merchants are anxious to prevent. The guidance also explains why PCI compliance is necessary and why merchants should have company-wide information security awareness, along with dedicated programs to monitor its effectiveness.

“Whether it’s POODLE, Shellshock or the latest variant of malware, businesses and employees are exposed to threats every day that can put sensitive information at risk,” PCI SSC Chief Technology Officer Troy Leach said in a summary of the council’s 28-page document of recommendations. “PCI Standards emphasize the importance of people, process and technology when it comes to protecting payment information. This guidance can help businesses focus on the ‘people’ part of the equation and build a greater culture of security awareness and vigilance across their organizations.”

Preventing data security risks starts with employee education, the council said, and will leave merchants better equipped to detect and mitigate data security risks, which are two key PCI compliance requirements. Still, research from the council shows that employee education is a component of B2B transaction security that is often overlooked. Stressing the importance of security, providing detailed explanations to employees and keeping a list of best practices will all help merchants achieve better data security for their business, their customers, and the businesses they trade or contract work with.

“Issuing a more descriptive interpretation of what steps are recommended to achieve security should be helpful to many in the payments world,” Shirley Inscoe, a financial security analyst for consultancy Aite, said in the BankSecurityInfo.com article. “At the same time, it is important for the readers to understand that these are examples used for clarification purposes, and that this new document is not meant to be all-encompassing. Fraud schemes change too rapidly for any documentation to be relied upon to cover every potential scenario.”

In the end, it’s up to businesses to implement compliance and uphold security standards, Al Pascual, director of fraud and security at Javelin Strategy & Research, said in the article. It should be looked at as a necessary practice instead of a burden, he stressed.

“Ultimately, whether or not the updated guidance will have a material impact on the security of a card-accepting business depends on the security posture of that business more than anything else,” he said. “For businesses that see PCI as a burden, being compliant is a once-a-year exercise at most,” Pascual said. “They will enjoy some benefit from the guidance, but odds are that they are likely going to be out-of-compliance most, if not all, of the time and are the most likely to be breached.”

The PCI guidance also includes further information on how organizations can build security awareness program efforts, how these can be incorporated into their training program framework, and a simple checklist for tracking how a security program is being implemented and managed. The full supplement, titled “The Best Practices for Implementing a Security Awareness Program,” is available on the PCI SSC website.