An inconvenient truth: New customer data regulations coming

Jeremy King discusses the EU Data Protection Directive and Directive on Payment Services (PSD) and the impact this will have on organisations and their data security policies.

Jeremy King, European director, PCI SSC
Jeremy King, European director, PCI SSC

Fourteen times a year. That's how often UK organisations were being breached last year on average. Some 90 percent of large organisations suffered at least one data breach in 2014. According to Lloyds Risk Index, cyber-crime is now up to number three, yet only 30 percent of companies are using the UK government's 10 Steps to Cyber-security, and worse still, 30 percent of businesses are not completing annual security training for their staff.

Organisations can no longer ignore these figures, especially when the average cost of a data breach is now well over £3 million, and card-not-present fraud is at the highest level to date in Europe at 71 percent. It's this sobering reality that's driving the European government to introduce new regulations over the coming year to protect customer data: European Banking Authority 'Securing Internet Payments'; European Commission Payment Services Directive 2; and European Commission General Data Protection Regulation.

The new European Payment Services Directive 2 along with the European Banking Authorities Guidelines for Securing Internet Payments have clear and detailed requirements for organisations in protecting cardholder data. Add to that the soon-to-be released General Data Protection Regulation which covers all data security, and you have a massive increase in data security which, when implemented, will impact all organisations in Europe and beyond. Especially interesting in the Data Protection Regulation are the requirements for breach notification, and potential fines. The fines are staggering- the maximum being either two percent or five percent of global annual turnover. That would see potential fines in the UK rise from a current maximum of £500K to 10's if not 100's of millions depending on the size of your organisation. Criminals always want to monetise the data they steal. Obviously cardholder data is the easiest to montenise and that is why PCI always says, if you don't need it don't store it, and if you must store it then encrypt it.”

Taking data security seriously is now front and centre. The inconvenient truth is that these regulations are coming. The clock is ticking. Whether organisations have tried to avoid PCI DSS or not, now they have to start protecting ALL of their customer data, not just payment data, and there will be significant penalties for companies that fail to do this. 

Here are three key questions organisations need to be asking:

1.     Do you have a person in your organisation with overall responsibility for data security, other than the IT director? Cyber-crime is so much more than just an IT issue as it affects everyone.

2.     Have you implemented and had externally assessed a data security programme? There are programmes and standards available for organisations. The PCI DSS is an excellent data security standard that can be applied across the board. There is also ISO 27001 or UK Government Cyber Essentials.

3.     Do you have an incident response plan in place, and has this been tested this year? Recent breaches have clearly highlighted the critical importance of having such a plan so that everyone, but especially board level staff are fully prepared when the breach occurs. Also this will be an on-going requirement from the new regulations.

These regulations will force organisations to take data security seriously, and PCI provides the most complete set of data security standards available globally. Although these regulations are not likely to be implemented until the end of 2017 early 2018, the time to act is now. Establishing good data security takes time and effort. Reducing risk and making data security business-as-usual is critical.

Organisations need to know these regulations are coming and put a plan in place now for ongoing security.

Contributed by Jeremy King, European director, PCI SSC