The PCI Europe 2012 event held in Amsterdam in November brought together, under the same roof, stakeholders and decision makers from all around Europe who are responsible for payment systems security, cardholder data protection and safeguarding their organizations: merchants, acquiring banks and PSPs seeking to become or remain PCI compliant. Their presentations and case studies provided us with insight into how to deliver business value by reducing risk, meeting PCI DSS requirements and building a more secure global payments landscape.
The global nature of today’s e-commerce market is creating multiple international business opportunities, as well as different ways of interacting with customers, innovation in online payments and a significant increase in mobile payments. But it is also bringing an increasing number of challenges in terms of risk management and data security. Compliance is simply a ten-letter word for IT security expertise, high business management standards and secure payment systems in a vulnerable global payments market. Decision makers must face the challenges of mitigating business risk, deciding which protection measures to adopt and choosing their approach to new investment opportunities.
We attended the event with Payvision’s VP Infrastructure, Christophe Vico, who talked about creativity in reducing risk and innovation within the rigid PCI DSS framework, issues that most security stakeholders must deal with.
He essentially advised the audience to first try to pre-empt the changes their organization must deal with. As IT experts, most of the guests know to expect changes every 3-5 years given the normal system life cycle. So, rather than going with the flow, we need to think strategically in order to stay on the front lines and drive the changes that will allow us to reach the goals of increased security, decreased compliance effort and higher-quality risk management.
Secondly, the root of the change should be tackled in order to identify the real risks. Issues should be approached directly, rather than addressing them with a full range of technologies. Moreover, the entire process of thinking and changing should be kept as simple as possible, because the simpler the solution, the lower the risk!
Efficient creativity was the theme of Christophe’s talk. Tackling the root of the problem may sometimes seem hard, if not impossible, to achieve. But only by “thinking outside the box” can we come up with innovative solutions to mitigate risk and maintain PCI compliant organizations, with highly secure payment products and services.
Other speakers such as Nick Heape from VISA Europe concluded that “compliance is not an end in itself, but a means to an end”, and Erik Petersen, Director of Security Assessment @Dell SecureWorks, advised us to “make sure the processes and knowledge base are highly dynamic” in order to attain the “ER” goals of “higher, better, wiser” (Jaap Halfweeg, Customer Security Compliance Officer @KPN). And, last but not least, Stephen Cavey, Director of Corporate Development @GroundLabs, tipped us off that “crime is a professional business”, so we need to delve deeper into the real-life stories and find insights into scope control and risk management.
We look forward to your comments and insights!