
Information security beyond PCI DSS

March 11, 2020 at 8:30 AM

In the modern economy, data equals money. Google, Amazon, Facebook, Apple and others have built whole businesses on monetising data.

Payment card data is a very particular case of where data definitely equals money. Criminals sell stolen card data on underground carding forums. They use it to create fake cards to withdraw money from ATMs, or buy things to sell on for a profit.

The payment card industry introduced its Data Security Standard (PCI DSS) more than a dozen years ago, and it has helped embed a security culture around sensitive card data. The same lessons can be applied across the whole company, and the five steps below set out how.


1. Assess and evaluate your assets

When data equals money, all businesses are sitting on a potential goldmine. Almost every business holds information about customers, staff or partners, for example customer lists, payroll data and supplier bank details.

A data discovery exercise will help a business assess and evaluate its assets. What data does a business hold? Where is it? And who has access to it? This is always revealing.

Take the HR department that produced a payroll spreadsheet containing sensitive employee and financial information every month and kept every copy on a shared drive going back years. Or the retailer who disposed of old card receipts, showing full account numbers, expiry dates and so on, in black plastic sacks outside its shop.
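The data discovery exercise described above is easy to start in a small way. The script below is an added example, not part of the original article: it walks a set of constructed sample "files" standing in for documents found on a shared drive, looks for runs of 13 to 19 digits (optionally separated by spaces or dashes), and keeps only those that pass the Luhn check, which filters out look-alikes such as employee IDs and phone numbers. Each hit is reported with its location and a masked number (first six and last four digits) so the report itself does not become another copy of the card data. The file names and contents are invented for illustration; the card numbers used are well-known test values, not real cards.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample documents, standing in for files on a shared drive.
# Paths and contents are invented; the 4111... and 5555... numbers are
# standard test card numbers, not real accounts.
SAMPLE_FILES: Dict[str, str] = {
    "hr/payroll-2019-03.csv": "name,employee_id,salary\nA. Smith,1234567890123457,42000\n",
    "shop/receipts-old.txt": "Card: 4111 1111 1111 1111 Exp 04/22\nCard: 5555-5555-5555-4444\n",
    "shop/receipts-ok.txt": "Card: ************1111 Exp 04/22\n",
    "ops/phones.txt": "Helpdesk 01234 567890\nRef 4111111111111112\n",
}

# 13 to 19 digits, each optionally followed by a single space or dash,
# not preceded or followed by another digit.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Finding:
    path: str
    line_no: int
    masked_pan: str


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep the first six and last four digits, as PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Return one Finding per Luhn-valid card-number candidate, with location."""
    findings: List[Finding] = []
    for path, content in files.items():
        for line_no, line in enumerate(content.splitlines(), start=1):
            for match in CANDIDATE.finditer(line):
                digits = re.sub(r"[ -]", "", match.group())
                if luhn_valid(digits):
                    findings.append(Finding(path, line_no, mask(digits)))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per file so the noisiest locations stand out."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.path] = counts.get(f.path, 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}:{f.line_no}  {f.masked_pan}")
    print(summarise(results))
```

Run against the samples, only the two lines in the old receipts file are reported; the sixteen-digit employee ID and the reference number both fail the Luhn check, the already-masked receipt has too few digits, and the phone number is too short. On a real share the same logic would be pointed at the file system, and the report of where the numbers live is the input to the "who has access to it?" question.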


2. Identify your threats

Once you have identified your data assets, assess what is of value to your business. Is it critical systems, market advantage, profit and loss data or customer data? Then assess what is of value to others, for example to your customers or criminals trying to make illicit use of data.

If a threat remains unidentified, there is no opportunity to prevent or mitigate it. What’s more, errors at the identification stage carry through into every step that follows, potentially creating bigger risks later on.


3. Assess likelihood and impact

Not all risks are created equal. Nor will they all materialise or have the same impact. Once you have identified all your threats, assess their likelihood and impact. Agree the scales by which to measure this. Bear in mind that the amount of risk that the business wishes to seek, accept and hold may differ by department.


4. Determine risk management options

Risk will always exist. The objective is not to eradicate it altogether; there will always be several options for managing it. The choice may vary by department, over time, with corporate culture and with how your business implements risk management controls in practice.


5. Monitor your risk

At its most effective, the risk management approach changes to stay aligned with your business objectives. Ongoing monitoring is therefore essential to managing risk and making the necessary adjustments. Treat it also as a second, third and continuing chance to check that you assessed the risk correctly in the first place.

