PCI Compliance: Time for Banking Institutions to Pay Attention
Well, PCI (aka, the Payment Card Industry Data Security Standard) equals compliance, compliance equals opportunity, opportunity equals revenue, and revenue is good -- particularly when working for a professional services firm.
Except of course that the right answer has to be honest in order for it to ring true, and the truth is that for our clients PCI isn't a blip on their radar and shouldn't be for the foreseeable future. It's an industry standard that provides clear rules on how to manage credit card data. Community banks and credit unions do not issue credit cards directly, and they do not conduct credit card transactions. Whatever related activity they participate in is typically outsourced to a third-party vendor. And I explain that to them.
Whereas PCI addresses credit card data, you could just as easily substitute customer or member data instead and see instantly how it's a good idea.
I also advise them to keep an eye on where the PCI standard is going. Right now the primary focus is on institutions that issue and manage card data or on businesses that process credit card transactions. But eventually the standard is going to mature to the point where it will include any party, business or institution that either directly or indirectly participates in the issuance or handling of credit card data. That also includes debit cards and so that will involve community banks and credit unions. And because there are employees working at these institutions that have access to customer/member debit card data for administrative purposes, they will eventually find themselves in-scope.
Do I know this for certain? No, but it's more than an educated guess. Standards mature and adjust, regulations mature and adjust and, not coincidentally, hackers and criminals mature and adjust. Wherever there is opportunity for identify theft, there's a reason to try and put rules and controls in place to prevent it from happening. Eventually that will trend right into the smallest of financial institutions.
But is that really going to be a bad thing? Take a look at what the PCI DSS standard requires of an organization. The "Digital Dozen," as the control framework is commonly called, is really just a series of common sense security measures that all businesses should be following anyway. Whereas PCI addresses credit card data, you could just as easily substitute customer or member data instead and see instantly how it's a good idea.
While you may not need to establish and prove compliance in the here and now, it's likely to change. When it does, do you really want to admit your infrastructure doesn't already support it?