Has PCI set a precedent for PoPI compliance?
JOHANNESBURG – Typically, any organisation that has a Payment Card Industry (PCI) requirement will automatically have a Protection of Personal Information (PoPI) requirement as well, for the simple reason that credit card data is personal information.
Given the ever-increasing rate of card fraud and identity theft, if businesses want to attract and retain customers, they’ll need to show those customers that they’re taking the right steps to minimise the risk of doing business with them.
That means prioritising PCI Data Security Standard (DSS) compliance – which is required of any organisation that processes, transmits or stores cardholder data – and then moving on to PoPI compliance.
Businesses will have an easier time doing it in this order, for the simple reason that the PCI requirements are clearly defined, explaining exactly what is required of an organisation in order to become and stay compliant.
Fortunately, achieving compliance isn’t as onerous as it may first appear, and once all of the processes and procedures are in place for PCI DSS compliance, it becomes a simple matter of adjusting scope instead of beginning the compliance procedure anew to meet PoPI’s requirements.
Everything becomes a lot clearer when viewing PoPI through the lens of the PCI standard: by updating the definition of “cardholder data” to include any personal or sensitive information as defined in the PoPI Act, PCI compliance becomes the blueprint for PoPI compliance.
Compliance is here to stay
Why then are so many businesses non-compliant, if they have an obligation? Possibly because they have not yet faced up to the reality of cybercrime statistics.
Here, it’s not a case of “if it happens”, but rather “when”: card fraud by means of credit or debit cards being skimmed or cloned, or of information copied through malware on payment sites, is one of the biggest banking-related crimes in South Africa.
It’s time for all organisations to accept that their compliance requirement is only getting more urgent, and to do something about it before it becomes a bigger problem than it needs to be.
For merchants, service providers, banks and payment gateway providers, the exact requirements may differ – but the benefits are the same.
PCI DSS compliance, and the now associated PoPI compliance, provides and evidences a minimum level of trust and protection in the digital payment world. When one considers that compliance is ultimately intended to benefit every single individual and commercial entity, staying non-compliant no longer makes any sense - business or otherwise.
Simeon Tassev, managing director and QSA at Galix Networking.