It is likely that the first thing that comes to mind when someone says “accreditation” is educational or public institutions. The corporate world does not have to worry about accreditation, right?
If your business has customers, chances are you have participated, or will need to participate, in some form of PCI or PA-DSS accreditation. Any business that stores or processes sensitive data and payments needs to comply with PCI security standards.
For some businesses, this means participating in yearly audits that verify that your technology and organizational processes comply with security standards. For others, this also includes yearly employee training to stay up to date on security threat awareness.
Non-compliance with PCI is a big deal and a potentially costly problem. If a business is not compliant, it can be held liable for any losses resulting from hacks or other unauthorized access to data. Over the last few years, there have been several high-profile cases in the media where large businesses have been “hacked” for access to credit card data. Many of these businesses already follow PCI standards, but in these cases they will still need to fight to prove the process was followed.
In my industry–Point of Sale software–we are particularly scrutinized. One of the core functions of a POS is to process payments, so for us to remain competitive in the market we must maintain our PA-DSS accreditation. To maintain accreditation, we participate in very extensive yearly audits. All employees must also attend yearly security awareness training, and any employee who works extensively on the design, development, or configuration of our product needs to attend a more intense advanced security workshop every year.
In years to come, it is likely that the rules for accreditation will become more extensive. The industry which our POS serves is one of the most vulnerable industries: hospitality. Hospitality is highly vulnerable because outside of big chain businesses, many merchants have older technology which is not compliant with some of the new security standards. However, the technology is only one element–there are a lot of organizational processes that can impede security. Many of these businesses have not had to create or think of these processes in terms of their security risks before. The following is a very interesting article regarding the impact of new PCI legislation on the hospitality industry.
As we grow into a more digital world, it is likely that accreditation will become a word we associate with the business world. As we integrate our lives more with technology, we share our personal data with many sources. To protect us, we will want to ensure the businesses we use have security accreditation appropriate to their organization type. We are not quite there yet, but this is likely the direction we are going.