Plan for compliance, PCI Pal CISO advises

High-profile data breaches, emerging data privacy regulations and rapid digital commerce deployments during a pandemic necessitate advanced approaches to security and compliance, stated Geoff Forsyth, chief information security officer at PCI Pal, a secure payments provider.

"Even for the most prepared, COVID-19 likely threw a wrench in payment providers' data privacy and security plans," Forsyth said in an interview with The Green Sheet. "Many were ill-equipped for the transition to remote working, especially when it came to keeping customer data secure."

Forsyth advised companies to take a strategic approach to privacy compliance that considers in-office and remote workers. Whether in-office or remote, data privacy and compliance plans should span all levels of an organization and allow enough time for a comprehensive review process, he stated.

Recommended steps

"It is important to understand how your company collects and uses data," Forsyth said. "This can be accomplished by using a data map showing where data comes in, how it is used, where it is stored, and for how long. Should a regional data privacy regulation be passed, this can help with disclosure requirements and identify potential data security risks."

Following are additional recommendations:

• Implement formal procedures:
Even if you aren't subject to any regional data privacy regulations, any company that accepts payments is required to comply with PCI security standards. Ensuring PCI compliance now or adopting a PCI compliance solution can help to simplify getting up to speed with any new data privacy regulations in the future.
• Balance national and local imperatives:
Since new privacy policies tend to vary from a national to local level, it's imperative that providers understand the differences at each level, and at what point the policies in their region will go into effect. For example, Virginia just became the latest state to adopt a comprehensive consumer data privacy law, but this won't go in effect until January 1, 2023. 
• Assign a data protection officer:
In some cases, legislation will require organizations to assign a data protection officer. Even if this isn't the case, we recommend for all businesses to implement this position to ensure that their business has a unified data protection policy across all areas of the business. 
• Keep employees informed:
Make all employees aware of upcoming changes and new responsibilities that each person will have, as well as the new systems they may need to work in. This is for employees' well-being more than anything—no one likes to know about something last minute and letting them know of any future changes will give them time to transition off the old system.

Adapt, evolve

Forsyth observed that £245.3 million worth of fines have been imposed in Europe and 160,921 personal data breaches have been recorded since May 2018, when the GDPR went into effect, according to data from DLA Piper. Despite these examples and continual reminders about GDPR, numerous companies were ill-equipped to handle the change and were fined, he noted.

While fines assessed on companies such as Google and Marriott Group gained global attention, small and midsize enterprises were also impacted by non-compliance, Forsyth noted. He recommended implementing compliance plans early, even in regions without data privacy regulations, to avoid costly lawsuits and to be prepared when a national data privacy regulation is inevitably passed.

Be especially vigilant about remote employees, those returning to the office after the shutdown and any temporary employees who may be using your systems, he added. 
 
"When it comes to implementation, the worry shouldn’t be so much about being creative as getting up-to-speed quickly and securely," Forsyth said. "Since GDPR was implemented, the top five largest fines were not related to complicated data breaches, but poor practices that an organization could have easily solved had it done a comprehensive security audit across its business."

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.