PCI standards must be adopted
BY AUDRA MAHLONG, JOURNALIST
[ Johannesburg, 26 November 2008 ] – Symantec has called on South African businesses to widely adopt the Payment Card Industry (PCI) Data Security Standard as a way of improving card security.
Compliance is an essential part of risk management, says Errol Rhoden, IT governance, risk and compliance solutions manager for Symantec emerging region.
“The reality is that companies lose out if they don’t prioritise governance and compliance. The financial implications are huge, with companies which don’t comply with standards receiving tremendous fines. There are also general financial losses which should be considered.”
Currently, organisations which deal with credit card payments have to show compliance with the standard, while finding solutions to challenges such as data breaches and the growing impact of cyber crime.
“The underground criminal activity is growing and becoming more effective. There are also activities, such as corporate warfare, where there are attempts to damage companies’ reputations by other companies or individuals,” explains Rhoden.
He believes the data security standard needs to be willingly adopted by companies to ensure it works effectively, saying: “The standards which guide companies on governance policies need to be accepted by industry. It is a business standard and not a government standard. So it cannot be forced on anyone. Companies need to see the benefits of adopting this.”
Firms that adopt the standard and fail to comply will face fines, to be determined and enforced by banks or similar bodies.
“The South African situation is different as regulations are different, and this has impacted on the slow adoption of the standard. Something like the fact that banks are not required to send notifications to customers if there is a security breach in their account will definitely be impacted by the standards.”
The standard will be adopted in SA in February 2009, with plans to ensure all industries involved in card payments are fully compliant in September 2010.