It was sad to see in the press that even a comparatively small company such as a US-based homebrewing and winemaking company had their payment systems and customer credit card data compromised. They’re in good company however – many major companies have had similar problems; but are typically equipped to ramp up resources to deal with the consequences. Not an ideal scenario, but one that a smaller company could ill-afford.
Regency can help. We’re a small company (admittedly backed by one of the biggest technology and engineering companies in the world), but we understand the difficulties of economically protecting information in the first place and the kind of procedures you could put in place if the worst did happen. Payment data is especially sensitive, because of the breach in trust between the customer and company, reputational consequences, and all of the charges and potential liabilities the card schemes layer on top if your systems don’t meet the standards. For example, did you know that you could be liable to pay for their investigation, the re-issue of cards and anti-fraud insurances for compromised customers if you don’t meet the standards?
We can help give you pragmatic advice to help meet the strict standards required (called PCI DSS – Payment Card Industry Data Security Standards), or even suggest methods of working that limit your exposure to payment card data, and therefore limit your need to comply with the standard.
You also need to consider some contingencies. There’s been some debate on how to limit the impact on your reputation as a business and keep the trust and loyalty of your customers if a breach were to occur. A traditional (and unadvised) approach involves keeping the whole matter a secret and hoping that no-one notices. This is what the homebrewing company did unfortunately, notifying stakeholders a full six weeks after the breach was first detected. In our experience, this causes a significant breach in trust and consequential loss of business. One significant recent example involves the security company RSA. It was really interesting to see the effect a frank notification – albeit after some public persuasion – to all owners of their security system and the press that they had been breached, had information stolen and that action was needed to protect customer systems. This timely notification resulted in an immediate and significant dip in their share price, but business recovered, and improved, over the following quarters and people continued to buy RSA’s system – because they felt informed, empowered to make a decision and that they could visibly see that RSA was acting in their interest.
So how does this translate to actions you could take? Regency is good at assessing risk – we do this for lots of people, from Government and, financial systems for major banks, industrial control system security for Critical National Infrastructure systems, to commerce in all shapes and sizes. We can help you look at your business in a structured way, identify the weak spots and give you some pragmatic advice to help minimise the risk to your business. We also believe strongly in giving you advice that’s tailored to the size of your business. A new tax system containing the population’s personal information would be protected in a very different way to, for example, a corporate email system! As an example of the kind of things that we look out for: Do you have a way of contacting all of your affected customers if card data is breached? If your website was down or under attack, have you already thought through how you could use social media to communicate with your customers? Are any of your contingency plans tested and rehearsed? Where is the password to the company twitter account anyway?!
If all of this feels complicated – especially where PCI DSS is concerned, why not give us a call to have a friendly, no-commitment chat with one of our consultants. It would be good to hear from you.