Many organisations today accept payments by payment card (e.g. credit or debit card). With payment card data breaches becoming more prevalent every week, there is a very real risk that a breach could happen to a business of any size. To reduce this risk, ALL companies that process, store or transmit credit card information must comply with the Payment Card Industry Data Security Standard (PCI-DSS)*.
As our client’s business and number of payment transactions grew, their payment gateway provider requested evidence of PCI-DSS compliance at the highest level and asked them to complete the Self-Assessment Questionnaire D (SAQ D). Terra Firma was engaged to assist our client in completing the assessment and determining the requirements to ensure they were compliant with SAQ D.
Terra Firma reviewed the client’s existing practices and assessed how the client handled their payment transactions, including how the payment information was received, processed and stored. The review also assessed the existing IT infrastructure and its ability to comply with the SAQ D requirements. The results of this review were:
- Confirmation that the way payments were currently being handled required SAQ D compliance;
- The existing systems and processes would not achieve SAQ D compliance; and
- A significant and costly program of work would be required to bring systems and processes up to SAQ D level.
During this analysis, it was determined that achieving SAQ D compliance wasn’t necessary, and the recommendation was made to attain a more relevant level of compliance, SAQ A. Achieving SAQ A compliance was both faster and significantly cheaper to implement and maintain than moving up to SAQ D, and as there were no direct business impacts, it was a logical choice for the client.
This required the design of a program to change the way payments and personal information were handled and stored. Terra Firma was engaged to implement the SAQ A program which affected both the systems and processes within the organisation. New processes for handling payments were implemented, systems updated and cleansed, and staff trained to perform the new processes as well as understand why they had been changed.
Through the delivery of this program, our client achieved PCI-DSS compliance three months earlier than expected. Not only did this provide peace of mind for the client, it also enabled them to continue to take online payments and eliminated their risk of being exposed to fines for potential non-compliance with the standard.
In addition, the client has effectively saved hundreds of thousands of dollars by implementing a program of work more appropriate to their business than the one that was first believed to be necessary.
*About PCI-DSS compliance: PCI-DSS compliance is required to ensure that businesses follow best practices for protecting their customers’ payment card information; where they are not compliant, heavy penalties and the removal of service by the payment gateway provider apply.