Richard McCammon, founder, and Craig Lehtovaara, VP of Product Innovation, sat down with Corevist to help educate B2B decision-makers on PCI compliance and what it means for them, particularly as it relates to B2B payments. The expert panel was asked the following questions:
- What trends do you see in PCI compliance for B2B? (Read Part 1 of this blog series.)
- What’s one thing that you wish SAP manufacturers knew about PCI compliance?
- Are there any PCI compliance issues which you feel are “hot” in the B2B market that you want to address?
Here’s our insight on question 2.
What’s one thing that you wish SAP manufacturers knew about PCI compliance?
Even though every audit, whether self-assessed or performed by an external audit team, is a snapshot in time, PCI compliance is an ongoing process. The standard dictates that an audit must be completed once a year, but more importantly, companies must adopt a vigilant philosophy every day between one audit and the next. Every person who handles payment card details or works on equipment in PCI scope must be aware of the risks and make every effort to be sure that the work he or she does does not compromise cardholder data or sensitive card data. New employees must be trained. Internal audits and scans should be done regularly, and not just at the end of the year to meet the audit requirements. Even though a company may have a Compliance Officer, security is everyone’s responsibility every day of every year.
If there is one thing that I wish B2B manufacturers knew about PCI compliance, it’s that PCI scope reduction is not equivalent to PCI absolution.
I’ve had the opportunity to watch PCI DSS evolve from the original specification to its current incarnation (Version 3.2). In my many years at Delego participating in large-scale B2B payment integrations with SAP ERP systems, I’ve seen misconceptions and misguided specification interpretations that run the gamut from innocuous to potentially catastrophic.
One of the most persistent misconceptions that I have observed, particularly in the SMB space, is the unfortunate idea that a merchant can offload their PCI DSS obligations simply by using PCI DSS compliant service providers. PCI scope reduction by using Payment Service Providers can be a very effective way to reduce compliance costs and implement best-in-class security solutions to protect your cardholder data. It is not, however, a way to offload the responsibility of understanding your assets, training your employees, and maintaining an effective data security program.
To use the old “weakest-link-in-the-chain” analogy, PCI scope reduction does not diminish or absolve an organization’s obligations to implement a comprehensive security program at every level and in every channel.
In today’s world of horrendously expensive data breaches, the security of a company’s B2B channel is every bit as mission-critical as its B2C channel. While PCI may be a daunting undertaking for a company, particularly for large omnichannel integrated SAP ERP merchants, it is imperative that B2B manufacturers fastidiously maintain their security program and take ownership of their link in the chain.
Follow our blog and stay tuned for Part 3. We’ll discuss what we consider to be hot issues in PCI compliance in the B2B market.