
PCI-DSS data destruction: Rising concern among businesses

Soma Tah

UK: The data storage destruction specialist DiskShred has warned UK companies that process credit card transactions - which means almost all SMEs and larger businesses - of plans to dramatically ramp up the security requirements under Version 3 of the PCI DSS rules, due later this year.


Developed by the card payments industry in close consultation with the Payment Card Industry (PCI) council, the PCI Data Security Standard (PCI DSS) consists of 12 significant requirements, each with multiple sub-requirements that contain numerous directives.

These directives - which apply to most organisations that process payment card transactions - allow businesses to measure their own payment card security policies, procedures and guidelines.

Most experts agree that version 3 of the PCI DSS rules will extend the scope of the rules' external audit requirements to cover many more companies, and will impose harsher requirements on all companies that accept credit and debit cards from their customers. According to Philip McMichael, operations director with DiskShred, this will impose a far more stringent set of security requirements on how companies dispose of their data, especially where the IT equipment holding it has reached end of life.

"We've all heard the horror stories of customer data appearing on the hard drives of computers sold on auction Web sites - resulting in fines from the Information Commissioner's Office (ICO) under the Data Protection Act. Under the PCI DSS rules, if you do not comply with the required standard, you may lose your ability to accept credit and debit cards from your customers - which is arguably far worse than a hefty fine from the ICO," he said.


Other legislation, including the aforementioned Data Protection Act and the Companies Act, imposes an increasing data security duty of care on company directors and their senior staff, and there is also the spectre of the Government introducing custodial sentences for individuals who breach data protection laws.

This is where his firm's fully auditable on-site data storage device destruction service can provide a hassle-free way of avoiding corporate angst over breaking the law or required governance standards. It is also why on-site destruction is essential: "A company needs to be sure its hard drives definitely made it into the shredder without any 'en-route diversions' into the wrong hands," McMichael said.

"Our observations suggest that no matter how effective the data security and destruction rules within an organisation, the human element will always mean that rules can be deviated from - and corners will be cut. People get tired, become bored and even turn to crime depending on the circumstances. This is why we believe that on-site media shredding - to verifiable minimum standards, backed up with criminal background checks on the staff completing the process and CCTV footage to act as the ultimate audit proof," he added.
