Debitsuccess leads the way for PCI DSS in NZ financial services industry
Financial services company Debitsuccess has been accredited with the highest PCI DSS compliance rating (Level 1) for the third year running, maintaining its standing as a New Zealand industry leader in data security for financial transactions.
The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognised commercial compliance standard for organisations that store, process or transmit credit cardholder information.
Created in 2004, the standard was the brainchild of five major international credit card companies to reduce credit card fraud.
Roger Greyling, lead Qualified Security Assessor (QSA) for Security-Assessment.com – which conducted the compliance assessment for Debitsuccess – says that the direct debit billing provider demonstrated a rarely seen level of maturity with regards to financial information security.
“Sometimes organisations achieve compliance by satisfying a checklist, but are unable to maintain this as the structures and processes required to continually adapt have not been adequately implemented," Greylibng says.
"So, for Debitsuccess to attain Level 1 PCI DSS compliance for three years in a row is clearly an immense achievement.”
Tamuka Nyawo, Group Compliance Manager for Debitsuccess, adds that the company’s efforts to achieve Level 1 PCI DSS compliance are a clear demonstration of its ongoing commitment to the security of cardholder data.
“This achievement not only underscores the significance we place on security measures, but also of the level of security maturity and awareness within our organisation, which illustrates to our customers that we take our responsibility as a trusted credit card and direct debit billing provider seriously.”
Greyling says that only a handful of merchants and service providers in New Zealand can claim to be Level 1 compliant.
“If securing data is not a core function of your business, complying with the PCI DSS can be a daunting experience and this is exacerbated by the fact that the intent of the controls are still not well understood,” says Greyling.
One of the easiest ways to comply with the PCI DSS, according to Greyling, is to outsource business functions that store, process or transmit cardholder data to organisations specialising in providing these services.
“This is a trend prevalent in New Zealand at the moment, which I believe is a positive thing, as it places the responsibility for securing sensitive information with specialists who are well equipped,” he adds.
The PCI DSS is maintained on a three-year cycle which allows time for interested stakeholders to provide feedback, so the standard can be adapted.
Greyling says that while Version Three of the standard is being released in November 2013, it will only be strictly enforced from January 2015 to allow merchants and service providers time to adjust to the new requirements.
“One of the challenges that IT managers have to contend with in attaining compliance for their business is the proliferation of management tools," he adds.
"IT teams often face difficulty keeping abreast of new tools and their features and ensuring that value is gained from their implementation.
“Each tool claims to simplify a particular process, but there are numerous processes which need to be managed, such as vulnerability scanning, patch management, file integrity monitoring, log aggregation, cardholder data discovery and antivirus measures, just to name a few.”
Greyling concludes that while the new version of the PCI DSS includes new requirements along with numerous modifications, clarifications and more stringent evidence guidelines, he doesn’t believe that any organisation that has already achieved compliance under Version Two will struggle to comply with Version Three.
“Some of the new requirements include controls for point-of-sale (POS) terminal security, more robust requirements for penetration testing and validating segmentation and considerations for addressing cardholder data in memory.”