The Dis-Chem Group’s 110 stores across South Africa do well over 6-million credit card transactions a month. Keeping that sensitive customer data safe is a priority for the group.
With its second successful Payment Card Industry Data Security Standard (PCI DSS) certification audit – achieved with the support of Galix, an accredited PCI Quality Security Assessor – the group has put industry-grade security best practices in place at every physical store and online.
“This certification assures our clients that Dis-Chem is a trusted retailer, that our IT infrastructure is solid and secure, and that their credit card information is safe with us,” says Riaan van der Westhuizen, Dis-Chem group IT manager.
PCI DSS certification is complex, and for Dis-Chem, passing the 2017 PCI DSS audit is a significant achievement built on four years of hard work.
Simeon Tassev, director at Galix, explains: “The PCI DSS standard has been put in place by major card issuers, such as Visa and Mastercard, to govern the use and security of sensitive credit card information. For companies handling high volumes of transactions, certification is non-negotiable. However, compliance is not an easy task. The standard covers every system within the business that has anything to do with credit card information — how the data enters and exits an organisation, who has access to it or handles it, how it is used, transported and stored.”
“Our first certification in 2015/16 was a scramble,” notes Van der Westhuizen. “However, with Galix on board, we received much more hands-on guidance, enabling us to develop effective policies and put repeatable practices in place.”
“Galix personalises the process,” says Tassev. “Our goal is to ensure the best, most beneficial approach for the business but also the most secure approach that will facilitate compliance.”
“Dis-Chem’s 2017 audit was consequently achieved with much greater ease and, with the help of Galix, we have been able to refine our security practices significantly,” notes Van der Westhuizen.
The PCI DSS control objectives help Dis-Chem build and maintain a secure network, protect cardholder data, maintain a vulnerability management programme and implement strong access control measures. They also compel Dis-Chem to monitor and test its networks and to maintain its information security policy.
To achieve certification, the organisation needs to be 100% compliant. Yearly validation, which comprises a full audit of all 12 specified PCI DSS requirements and 240 sub-requirements, is done by a Qualified Security Assessor (QSA). In addition, the company this QSA works for, such as Galix, must be registered with the Payment Association of South Africa.
“PCI DSS may be complex and difficult to achieve, but the standards are not there to make business more difficult or costly to conduct — businesses that deal with credit card data have a responsibility to protect that data,” says Tassev, “and Dis-Chem takes that responsibility very seriously.”
PCI DSS compliance is a journey. It requires much preparation and considerable effort from the whole organisation and, once achieved, a rigorous maintenance schedule that must be kept up.
Tassev adds: “The Dis-Chem team has worked hard to put a firm security foundation in place. The best practices that have been introduced to the Group through compliance with the PCI DSS standard include ongoing scans, tests and assessments of technology, processes, staff and the physical facilities. This creates a strong layer of security around sensitive transactional data to protect the company’s most critical asset: its clients. The team can be proud of its achievements.”
“The PCI DSS standard lays the groundwork, however, with new cyberthreats emerging every day we are keenly aware that maintaining Dis-Chem’s security stance requires ongoing vigilance,” says Van der Westhuizen. “We thus continuously review and refine our security measures to cater to changes within the business, such as the introduction of new business technology, new ways of working, and new ways of engaging with customers.
“Galix is able to support and guide us with regards to many of these critical decisions in terms of how they impact the PCI DSS regulations.”