October 3
British Airways' data security efforts would have never gotten off the ground if they were focused purely on complying with payment industry rules.
Like any other company that handles payment card data, British Airways had to update its technology to comply with the Payment Card Industry data security standard. The company quickly determined it had to go beyond what the PCI standard requires.
"If you're just focusing on [PCI compliance], you're going to be out of this business," Philip Morton, information security and compliance manager, said in a presentation at the PCI Security Standards Council's annual community meeting last month.
Some analysts advise adopting strong encryption and tokenization to cut compliance costs, because replacing stored card numbers with tokens takes those systems out of scope for PCI audits. But such a narrow, scope-reduction approach would limit other data protection opportunities, Morton said.
British Airways devised a broad security strategy that would cover all its payment card data protection needs as well as other operations and be flexible enough to adapt to future changes, he said.
It can sometimes be difficult to get the authority and funds to tackle data security. "Getting top management's attention [to PCI issues] is tricky," Morton said.
Despite the urgency to protect card data, organizations seeking PCI compliance must avoid rushing to implement new technology and processes, Morton said.
"Don't panic, and don't let vendors pressure you," he said.
As an overarching guideline, companies should make sure every executive has appropriate PCI training and access to resources, Morton said. "Realize that the threats are real," Morton said. "Set up your data security processes so they will last. … Get it right, and keep it going."