Companies that have already had to contend with the security regulations of Visa’s CISP, MasterCard’s SDP, American Express’ DSOP and Discover’s DISC, before they were bundled together as PCI DSS, may have witnessed widespread rolling of the eyes among managers at the unveiling of Payment Application Best Practices (PABP). Just what they need – another spoonful of alphabet soup to further complicate their lives.
Ready or not, however, implementation of PABP began as of January 1 of this year, which means IT executives and senior managers are faced with the task of selling the need to take action to their management teams.
While "It’s the law" may be compelling enough by itself to induce the necessary measures, those making the case for PABP should also focus on the sound business reasons behind the mandates. Strong security measures, especially those that may have an impact on customers, are vital to the preservation of a company’s good reputation and to maintaining client loyalty. As with PCI DSS, adherence to PABP would be the right move even if the legislation did not exist.
PABP validation assures merchants and their customers that their point-of-sale systems are not storing prohibited credit card information, which includes full magnetic stripe data, the card validation code or value (CAV2, CID, CVC2, CVV2), or PIN block data. Encryption alone is not enough – data storage beyond what is absolutely necessary (the cardholder’s name, primary account number, expiration date and service code) has been a primary cause of costly breaches.
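The distinction above (allowed elements versus full track data and validation codes) is something an auditor can check mechanically. The following is an added example, not from the article: a Python scan over a constructed extract from a POS data store that flags stored Track 1/Track 2 records and CVV-style fields, uses a Luhn check to cut false positives, and reports only the last four digits of any account number. The record layout and field names are assumptions for illustration.

```python
"""Added example: scan a POS data-store extract for prohibited card data."""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM><service code>...  Track 2: ;<PAN>=<YYMM><service code>...
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})")
# Assumed key/value style for a validation-code field (cvv2=123 etc.).
CVV_RE = re.compile(r"\b(cvv2?|cvc2|cid|cav2)\s*[=:]\s*(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(pan: str) -> bool:
    """True if the digit string passes the Luhn checksum (filters random digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Never echo a full PAN in a finding; keep only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_prohibited_data(text: str) -> list:
    """Return one finding per prohibited element present in *text*."""
    findings = []
    for m in TRACK1_RE.finditer(text):
        if luhn_ok(m.group(1)):
            findings.append({"type": "track1", "pan": mask(m.group(1)), "expiry": m.group(3)})
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m.group(1)):
            findings.append({"type": "track2", "pan": mask(m.group(1)), "expiry": m.group(2)})
    for m in CVV_RE.finditer(text):
        findings.append({"type": m.group(1).upper(), "value": "***"})  # value itself never reported
    return findings


SAMPLE_STORE = "\n".join([  # constructed records; 4111... is a well-known test number
    "txn=1001 name=DOE/JOHN pan=************1111 exp=2512 svc=101",  # allowed elements only
    "txn=1002 raw=%B4111111111111111^DOE/JOHN^25121011000000?",      # full Track 1: prohibited
    "txn=1003 raw=;4111111111111111=25121011000000?",                # full Track 2: prohibited
    "txn=1004 raw=;1234567890123456=2512101?",                       # fails Luhn: ignored
    "txn=1005 cvv2=123 amount=19.99",                                # validation code: prohibited
])

if __name__ == "__main__":
    for finding in find_prohibited_data(SAMPLE_STORE):
        print(finding)
```

Run it against a real extract only with the data owner's authorisation, and treat any finding as a stored-data issue to fix, not just a report line.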
PABP should not signify a company’s introduction to sound security policy. The measures recommended by PABP are actions that should already be considered a priority, especially as they impact the handling of credit card information, personal orders, client histories and any other information that can potentially be compromised.
Hackers target merchants with vulnerable payment applications. As their methods grow more sophisticated every year, it simply doesn’t make sense for any company to store sensitive customer information, to omit secure password features, or to leave wireless transmissions unprotected. PABP can play a vital role in maintaining consumer trust and the integrity of payment transactions.
But if your management team still isn’t convinced to take a closer look at their point-of-sale system via a PABP audit, add three more letters to their alphabet soup – TJX, as in TJX Companies, Inc. According to the U.S. Securities and Exchange Commission, more than 45 million credit and debit card numbers were stolen from a TJX system over a period of 18 months. In addition, personal data provided in connection with the return of merchandise by more than 450,000 individuals was also stolen.
Since then, the company has been in the process of contacting those individuals affected by the breach. Those who believe the efforts necessary to comply with PABP will be a distraction from doing business should stop and consider the level of inconvenience necessary to call thousands of customers (many of whom probably won’t be customers for long) and tell them what happened to their stored credit card data.
Compliance with PABP is about more than obeying the law; it’s about smart business practices, and protecting the importance of your brand, as well as the customer’s confidence in that brand. PABP implementation is an investment in your company that will pay dividends throughout the business cycle.