Lack of online payment card compliance puts region’s businesses at threat of attack
Securious, the region’s leading cyber security compliance specialist, has seen a dramatic twelve months of growth in which businesses in the South West have become increasingly aware of their vulnerability to cyber attacks. Despite this, Securious warns that commercial operations could be blindsided by payment card fraud due to the incorrect implementation of third-party payment card solutions.
“We’ve seen a growth in attacks on websites with databases holding customer information and payment details,” says Pete Woodward, Director at Securious. “For us, this is one of the biggest areas of threat for businesses in our region, and credit card breaches are steadily on the rise.
“Far too many businesses are unaware that it is mandatory to comply with the Payment Card Industry Data Security Standard (PCI DSS) if they accept credit card payments. This is a huge blind-spot and it is putting businesses in the South West at risk of attack.
“Many organisations are under the misguided belief that using PCI compliant payment providers such as Sagepay, Stripe or Worldpay confers PCI compliance on their business. Ticketmaster fell foul of this only last year. In their case the use of a third party caused their customer data breach leading to the loss of names, addresses, email addresses, phone numbers, payment details and Ticketmaster login details.
“Businesses failing to comply with PCI DSS are at risk of large fines, and the very real prospect of an inability to trade, should payment providers terminate their service due to non-compliance, or more seriously, experience a card breach.
“However, all this can be avoided by putting processes in place to protect customers’ card details and data, preventing the potential for legal action, heavy payment card issuer and government fines, reputation damage and loss of sales. As such, our goal for this year is to ensure that any business that trades online is aware of their compliance duties. In this case forewarned is very definitely forearmed.”
Over the past year Securious has grown by 71%, from a team of 7 to a team of 12, following a 68% increase in its customer base. Having moved three times in the past two years to accommodate staff numbers, Securious is already planning its next move to even larger offices.
Based at the Science Park Centre in Exeter, Securious – the first company in the South West to qualify as a certification body for the Government’s Cyber Essentials programme – is the only Qualified Security Assessor Company (QSAC) in Devon, Cornwall and Somerset that is permitted to validate Payment Card Industry Data Security Standard (PCI DSS) compliance. PCI DSS was established to help businesses process card payments securely and reduce payment card fraud by protecting cardholder data.
Unlike other businesses in the sector, Securious limits itself to identifying weaknesses and providing guidance to create robust solutions. The business doesn’t sell IT services, which means its advice is impartial, independent and in the best interest of the business.
Roz Woodward, Director at Securious, believes that this guidance-led approach is the key to the business’s success: “We are very unusual in the sector in as much as we don’t try to sell IT solutions. Instead, we focus on putting the right processes in place. We help businesses to identify their cyber security weaknesses, guiding them to robust solutions through structured frameworks, enabling them to gain certification that ensures and evidences a continued commitment to cyber security.”
One of Securious’ largest growth areas has been helping businesses to achieve Cyber Essentials Plus. As a certification body, Securious has guided dozens of businesses to implement measures that have enabled them to achieve accreditation, thereby reducing the likelihood of becoming victims of cyber crime.
The growth in accreditation follows Securious’ findings that, before last May, fewer than 5% of the region’s largest businesses had achieved Cyber Essentials, the minimum level of cyber security compliance set out by the Government.
Roz added: “GDPR certainly helped to focus the minds of businesses in the South West as organisations started to realise that cyber security certification is far more than a box-ticking exercise.
“Suddenly there was a realisation that Government departments, local authorities, large companies and organisations all require evidence of cyber security accreditation and compliance for contracts. Businesses recognised that by failing to adopt Cyber Essentials or ISO 27001:2013, they were putting themselves at a significant commercial disadvantage.
“Moreover, businesses have become more aware of how damaging a data breach can be, not only for their customers, but also for the integrity and long-term commercial viability of any business that fails to put proper cyber security and data protection in place. Now, each time a story breaks on high profile breaches, such as the attack on BA, which resulted in financial and personal data being stolen, we get an uplift in enquiries.”
This increase in awareness of breaches has also led to a growth in demand for Securious’ penetration testing service, which enables businesses to stress-test their cyber security measures and highlight any weaknesses in their defences, under strict rules of engagement and within a safe environment.
Securious provides end-to-end security consultancy solutions, for the Payment Card Industry Data Security Standard (PCI DSS) and the International Standard for Information Security – ISO 27001:2013. As part of its PCI QSA service, Securious provides advice to businesses storing, transmitting, or processing credit card payments through common channels, such as retail outlets, online, or over the phone. Together with penetration testing and Cyber Essentials compliance, Securious provides a complete cyber security service to organisations of all sizes.
Businesses interested in the Government’s Cyber Essentials programme or PCI DSS can contact Securious for details of the accreditation process. www.securious.co.uk / 01392 247110.