PCI DSS Compliance Drives Conversions for Holiday Shopping
Published December 5, 2017 by Karen Walsh • 3 min read
Customers shop with your business for the holidays because they trust you. Thus, you must earn their trust to be successful, and you can earn their trust by understanding how PCI DSS compliance drives conversions.
What is PCI DSS Compliance?
PCI DSS lists specific steps to protect cardholder data. Whether shopping online or at a point-of-service system, your customers are trusting you with information that can lead to identity theft.
PCI DSS compliance protects cardholder data so your customers can confidently purchase goods and services knowing that their identities will be protected.
How PCI DSS Compliance Can Avoid a Breach
Over the last few years breaches at well-known stores have made the news. The Home Depot and TJX breaches put over 100 million consumer records at risk, rocking the consumer world.
In the Home Depot case, malware entered through the point-of-sale systems. Meanwhile, TJX’s noncompliance with 9 out of 12 PCI DSS requirements led to its downfall.
Immediately after its breach, Home Depot shares were down 2.7%.
How PCI DSS Compliance Drives Conversions
Customers don’t look up your PCI DSS audits, but they do pay attention when your name ends up in the news.
Unless your company controls a target market, you want to drive conversions. More than 90% of total retail sales still come from traditional in-store sales, but e-commerce expanded 8-12% in the first quarter of 2017, compared with 2.8% for brick-and-mortar.
In 2016, only 11% of consumers used cash. Electronic payments, together with the cardholder data that accompanies them, are now the main form of payment. Staying competitive requires protecting that customer information.
How PCI DSS Compliance Drives Conversions Using Approved Vendors
Using Square, accepting PayPal, or offering security verification at the time of sale allows customers to trust you because they trust your service provider.
Does Having an Approved Vendor Make Me PCI DSS Compliant?
PCI DSS compliance drives conversions because people trust brand names, but you can’t just trust the first answer that comes to you. Like when you do a math problem, you need to check your work. In this case, your “work” is your vendor management.
Goal 5 of PCI DSS (“Regularly Monitor and Test Networks”) encompasses the ongoing monitoring of your vendors in Requirement 10 (“Track and monitor all access to network resources and cardholder data”) and Requirement 11 (“Regularly test security systems and processes”). Controlling your cardholder data environment to increase conversions requires focusing on Requirements 10.8 and 11.3.
Requirement 10.8 states,
Service providers must implement a process for timely detection and reporting of failures of critical security control systems. (Note: Requirement 10.8 is a best practice until 31 January 2018, after which it becomes a requirement.)
Requirement 11.3 states,
Develop and implement a methodology for penetration testing that includes external and internal penetration testing at least annually and after any significant upgrade or modification. If segmentation is used to reduce PCI DSS scope, perform penetration tests at least annually to verify the segmentation methods are operational and effective. Service providers using segmentation must confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after making changes to these controls. (Note: The additional requirement for service providers is a best practice until 31 January 2018, after which it becomes a requirement.)
Monitoring vendor risk strengthens your PCI DSS compliance.
Why Automating PCI DSS Compliance Increases Profitability
Tracking vendor risk burdens your IT department.
Auditors know that people read their emails but then relegate those messages to the never-ending inbox queue. This means employees spend hours scrolling through their own emails to find responses or to set up calendar reminders for sending out more information requests.
ZenGRC’s SaaS platform allows your IT team to allocate more time to systems monitoring, thereby ensuring that PCI DSS compliance drives conversions.
Many organizations face the largest risk from their vendors because subcontractors are out of your control. Of the 76 sub-requirements within the 12 primary requirements, 2 specifically address vendor management.
Automating PCI DSS compliance not only limits the time spent tracking down vendors, but also lets you map firewall and anti-virus controls across the different standards.
Moreover, ZenGRC creates a single source of truth for auditors when responding to Requirements 1.5, 2.4, 2.5, 3.5, 3.6, 3.7, 4.2, 5.4, 6.1, 6.7, 7.3, 8.1, 8.4, 8.8, 9.2, 9.10, 10.1, 10.2, 10.3, 10.5, 10.7, 10.8, 10.9, 11.1, 11.2, 11.3, 11.6, 12.1, 12.2, 12.3, 12.4, 12.5, 12.6, 12.8, 12.9, 12.10, and 12.11.
37 of 79 PCI DSS sub-requirements are more easily tracked using a SaaS platform. Cutting down your IT department’s work by almost 50% allows it to be 50% more effective at protecting your business and your customers.
Automation streamlines your program to save time, add value, and invisibly drive conversions to make your company more profitable overall.