PCI Compliance

Retailers and small shops can use the cloud and managed services to be PCI compliant

Thursday, January 12, 2012 | Dan Blacharski

Compliance of any sort tends to send CIOs shaking in their boots, and CFOs reaching for the corporate cheque book. PCI-DSS, the international payment card industry standard for security, was meant to create an environment in which customer data is kept private. And to the credit of the creators of PCI-DSS, the stated measures that must be taken are mostly common sense items that merchants and other companies should be doing regardless. But, compliance means making sure that you're doing those things, and then having the wherewithal to prove it to the governing bodies, and that's where the money comes in.

Smaller companies, retail shops, branch offices and start-ups may find themselves lacking in these precautionary measures, and even larger companies may be making incorrect assumptions as to how strong and complete their security really is. To deploy security, they may turn to cloud-based and hosted managed systems. But in considering such a security system, another concern naturally arises: the security of the cloud-based solution itself.


Achieving PCI compliance is no small matter, and violations may result in serious fines, along with an increased potential for data theft and loss of credibility (and customers). Yet, smaller organisations and individual franchises of larger retail operations seldom have the in-house capacity to manage a full-fledged security system. The result is often an inadequate on-premise security framework that is managed inconsistently.

The stakes are high. Even a small retail shop contains several collection points of customer data, including point-of-sale terminals, credit card processing systems, loyalty card programs and much more. The costs of initial deployment and compliance can also be high, especially for a smaller organisation that may need to either hire full-time IT people or bring in third-party integrators to do the job. Too often, the status quo is simply an ad hoc system thrown together without regard to compliance.

Increasingly, the solution to the time crunch and limited funds for capital expenditure is the cloud. Security management and monitoring, as required by PCI-DSS, can readily be done off-premise, typically through a hosted, managed solution. In such a case, the usual concerns people have over multi-tenant arrangements don't apply, since the provider has a direct connection to a piece of dedicated, on-premise equipment that it manages on a subscription basis. A single security appliance, pre-configured and managed by the provider, gives the shop owner a truly turn-key solution. In the case of a large network of smaller retail outlets, the corporate office may alternately choose to run its own managed service from a central location, managing all branches on the same basis and essentially creating its own private cloud.

Retailers have a lot to worry about, and theft has always been paramount. Before the age of credit cards and POS terminals, theft was addressed with a giant mirror in the corner and a baseball bat behind the counter. But today's thieves work behind the scenes, and more vigilance and expertise are required. The managed option provides the best results.
