PCI DSS Version 4.0 is clear that roles and responsibilities for protecting cardholder data need to be documented, assigned and understood (Requirement 3.1, specifically 3.1.2).
Looking deeper into the issue, PCI DSS isn’t the only security standard which expects an individual or group to take responsibility for data. GDPR requires a Data Protection Officer (DPO) in certain circumstances, which again highlights the expectation that organisations’ roles and responsibilities are clearly documented, assigned and managed.
The main thing to consider here is that your organisation must have someone whose job it is to manage cardholder data. Where you can provide a point of difference over your competition is by understanding the value of having somebody responsible for cardholder data and viewing it as more than just a compliance box ticking exercise.
By shifting thinking from “we have to do it because we’re mandated to” toward understanding the intent behind the regulation and why a cardholder data tsar can benefit organisations and customers, your business can provide a better, more secure service that increases trust among customers.
And it all sits behind one central tenet: know your customer, know your data, and use that to gain insight into the information you hold, the risk you carry and how to manage it.
How your business can benefit
By making one person or group responsible for cardholder data, you make it easier for ownership to develop. Such a strategy will also give them a clear mandate to implement effective cardholder data systems and processes. It will be their job to come up with safe, secure ways to handle data, and that will only be beneficial in the long run.
This method of securing your cardholder data will also create consistency in how you approach the challenge of handling data and will make all supporting activity consistent, repeatable and effective. That way, if staff leave or change roles, the next data tsar can step into an operation that is already running smoothly.
Furthermore, it will help to maintain and enhance the trust of your stakeholders and send a clear signal that you’re taking their data seriously – which can create a marketable point of difference, especially in industries where it may not be common, such as charities.
Trust = revenue
Charities rely on trust; it’s what keeps donors donating, but as soon as trust is lost those donations will go elsewhere.
A good example of a charity that got it right is the Fred Hollows Foundation NZ, which is a leading charitable organisation that seeks to end avoidable blindness and vision impairment in the Pacific. The charity undertakes quarterly card scanning and analysis to identify issues, limit risk and support PCI compliance. This is a great example of an organisation that seeks to own its PCI compliance and understands the importance of doing so.
Think about it. Who is your internal data tsar or owner? If you don’t have one, you could be exposing your organisation to risk, loss of customer trust and messy clean-up jobs. It’s better to act now and establish processes and procedures that work for you than to live to regret it.