Background

Why PCI DSS Reminds Us That Information Security Means Much More Than Compliance

Posted by Chris Scott

The overarching importance of information security formed the core theme for this year’s PCI London summit. With the new PCI DSS standards v3.1 effective at the turn of the year, much of the conversation was expected to centre on the thorny topic of compliance.

Yet many of the speakers at PCI London saw the latest incarnation of the Payment Card Industry Data Security Standard (PCI DSS) as an opportunity to protect any type of sensitive information as opposed to being a tick-box exercise in compliance. This was the stance taken by Visa Europe’s head of payment system security and keynote speaker, John Elliott, who emphasised the need for firms to focus on being secure, not just compliant.

In the past, many businesses have taken the view that PCI DSS compliance is a necessary evil, and one that can be outsourced. The new standards however, demand a much higher level of due diligence, because they put the responsibility of compliance for all 12 key areas on the business itself – irrespective of whether it is working with a third-party specialist.

Moreover, there is a marked difference in working with a Visa-approved ‘Managed Service Provider’ (MSP) versus a Visa-approved Hosting Partner that carries significant consequences for the business. Not withstanding the reputational and brand damage incurred by a breach, there is the threat of fines of up to £100 per card affected. This is why it pays to partner with an expert who sees PCI compliance as a way of achieving operational best practice for security.

Avoiding outsource pitfalls

The Bunker’s CTO Philip Bindley and Compliance Lead Christopher Scott took to the stage at PCI London to explain why only MSPs on the Visa Merchant Agent List are capable of delivering full compliance. He warned businesses to be careful of what they are getting – especially as some service providers claim to address PCI DSS v3.1 compliance, but fail to provide for all 12 key areas.

At The Bunker, we recognise how important it is for businesses to protect the confidentiality, availability and integrity of their information. Our PCI DSS compliance solution addresses all three critical elements of security – people, process, and physical – to provide a pre-validated and dedicated cloud infrastructure meeting all 12 PCI DSS requirements.

Built on IBM and Egenera software technologies, The Bunker’s solution combines all of the services necessary – such as log management, event management and change control processes – to not only assure compliance, but provide a source of business advantage through increased efficiency and the economies of scale delivered by our ultra secure cloud infrastructure.