PCI DSS and Data Protection: It is everyone's responsibility

Lack of PCI DSS awareness is not an excuse

For an organisation like Evans Halshaw, you would expect PCI DSS compliance and data standards that keep your credit card and personal data safe. Yet they are part of a hidden problem where people just don't understand the legal and moral obligations that they carry on behalf of their organisations.

I have a wonderful email from their “sales manager” Mike Spooner and team who state that “PCI DSS will not allow us to store credit card information”. With this gap in PCI DSS knowledge, it is likely that there is also a gap in how to handle general data protection. Therein lies the concern. They are taking credit card, loan, payment and personal plan details, and what are they doing with them?

Let’s just have a reminder of the basics of PCI DSS.

PCI DSS compliance requirements

The standard requires all applicable merchants and members who store, process or transmit credit or debit cardholder data to:

  • Build and maintain a secure IT network;
  • Protect cardholder data;
  • Maintain a vulnerability management programme;
  • Implement strong access control measures;
  • Regularly monitor and test networks;
  • Maintain an information security policy.

Failure to be compliant can incur increased transaction costs and eventually exclusion from online payment systems. Both are bad for business, and both are designed to encourage companies to protect the people purchasing from them.


Awareness through PCI DSS and Data Protection Audit

A combined DP and PCI DSS audit would help Evans Halshaw. It would identify the gaps in knowledge, process and practice. Conducted on a regular basis, it would keep the Evans Halshaw exec team and CISO informed and guided, giving direction, impetus and organisational awareness.

But awareness is everyone's business. Understanding what their obligations are might help, but understanding why those obligations are in place might help more. Putting PCI DSS and Data Protection into the context of the people who will be responsible for them makes the operational scenarios more realistic and understandable.

This is the key: putting two quite dry subjects into context. PCI DSS is designed to ensure that your organisation is doing its very best to manage valuable customer information and to keep that information out of the hands of criminals and fraudsters. It is not designed to disable your business or to be difficult to understand and comply with.

So the top three things you need to consider:

  • Keep a regular audit; understand where you are and where you are going.
  • Awareness is everyone's business, but make it real and in context.
  • It is about keeping your customers safe.


Looking for a PCI DSS audit?  Contact me below.