By Paul Prior, Senior Vice President Client Engagement
In light of the upcoming US presidential election, it occurred to me that it would be fun (and worthwhile) to reflect on a previous campaign message from a different Clinton in the context of our business. In 1992, James Carville was the campaign strategist for Bill Clinton who famously hung a sign in Clinton’s campaign headquarters that was designed to keep the campaign focused on their core messages. It apparently read:
- Change vs. more of the same
- The economy, stupid
- Don’t forget health care
Change vs more of the same
We have previously looked at some alternatives to using perpetual non-compliance fees as a mechanism to drive engagement and compliance. Part of the reason for publishing that article was that we believed the continual banging of the drum about industry compliance and the persistent charging of fees for non-compliance is, in effect, “more of the same”. Sysnet have been providing PCI DSS compliance management programs to some of the world’s leading acquirers for the best part of the last decade and, as such, we are huge advocates of the PCI DSS, its objectives and its implementation. That said, perhaps it is time for change.
The change I am referring to here relates primarily to how we communicate the core message: from one demanding compliance to one concerned with data security. In earlier iterations of many of our compliance programs, significant emphasis was placed on communicating the importance of implementing the PCI DSS as a matter of mandatory industry compliance. Now, most of our clients are evangelising the importance of the PCI DSS in the broader context of data security, as a method to protect both customer data and business operations.
The security, stupid
This change, referred to above, represents a subtle but important shift not only in messaging but also in the overarching objectives of data security and compliance management programs in the payments industry. One reason for this is that many acquirers and payment facilitators now have very sophisticated security technologies built into even their most basic products and propositions. There has, since the inception of the PCI DSS, been broad recognition that the whole card payments ecosystem is inherently more secure if we remove the data (or access to it) from as many places in the chain as possible. In fact, everyone in the payments industry benefits from the adoption of technology that descopes the merchant processing environment and provides a higher level of data security as an inherent part of the transaction process. The obvious examples here are point-to-point encryption solutions in card-present environments, and tokenisation in the card-not-present space. Many of our clients are recognising this and leveraging compliance programs to introduce their customers to solutions that decrease compliance requirements and increase data security, making it easier to transact more securely and less onerous to achieve compliance.
Don’t forget healthcare
In the context of the PCI DSS compliance landscape, “healthcare” is analogous to the maintenance of good security practices as they relate to the fundamentals included in the standard: for example, password management, patch management, vulnerability management, anti-malware protection, etc. As we have seen in this industry for several years, it is not uncommon for a once-compliant organisation to fall out of compliance due to a lack of consistent, ongoing operational processes to maintain a compliant security posture. Sysnet are firmly of the view that it is imperative to remind your customers that the maintenance of a secure and compliant environment is an ongoing process. In addition, we need to investigate and facilitate ways not only to make it easier for your customers to achieve and maintain their data security and compliance, but also to add real value to your propositions as they relate to data security.
Carville’s pithy campaign strategy reminder has passed into legend far beyond the realms of the US political landscape to the point where it could almost be considered cliché, but a cliché only becomes a cliché because it is true.