Is a CPO Still a CPO? The Evolving Role of Privacy Leadership

COMMENTARY

The role of the CPO — chief privacy officer — is at a crossroads. A rapidly growing number of data breaches, continually evolving regulations, and the increasing complexity of digital ecosystems have made a robust, privacy-first approach to managing data more critical for businesses than ever before. The role of a CPO was once clear-cut: Ensure compliance with privacy laws, manage data collection practices, and mitigate data risks. Now, CPOs are balancing more responsibilities than ever. Privacy has an impact on every realm of the business. So, is a CPO still a CPO, or is the role something greater? And, is it a role that just one person can handle?

The Expanding Scope of the CPO

In a recent episode of my podcast, “The Privacy Insider,” Google’s outgoing chief privacy officer, Keith Enright, remarked that the data privacy role has expanded so much, it requires a jack of all trades. In many organizations, the CPO might manage privacy, but also aspects of security, data ethics, and even AI governance. Privacy does play a role in all these areas. But can a CPO — or chief information security officer (CISO), or chief data officer (CDO), or chief AI officer — wear all these hats and have them fit?

Whatever mix of letters follows the C, many companies are striving for the same goal. They want a member of the C-suite whose mandate encompasses a broader responsibility: Be the steward of data governance, protection, compliance, and ethical use. That someone with any of the above backgrounds could be overseeing all of the above responsibilities shows how intertwined the technologies, data, and risks have become. Maybe that one job should be a more integrated team effort.

Guarding the Wall Together

For example, think about a data breach. Responsibility for preventing a data breach typically falls on the CISO. If a hacker pierces a company’s systems, that’s a security failure. But the reality of a rapidly changing threat landscape is that once you secure against one threat, another one is right behind it. For many companies, data breaches aren’t an “if,” but a “when.” How are you protecting what’s behind the wall? Good data privacy practices are good security. Are you identifying, safeguarding, and minimizing your most sensitive data? CISOs work hard on fortifying the wall, but if someone breaks through and there’s nothing to steal, you’ve contained the immediate damage, and also the reputational and regulatory damage that can follow. Protecting an organization on all sides calls for a tightly integrated strategy.

And Then There’s AI

The rise of AI presents some unique challenges: What are the ethical implications of AI? Can you trust it? What’s the recourse if sensitive data winds up in an AI model? Many companies turn to the CPO for guidance on the ethical use of these technologies, particularly around issues of consent, bias, and transparency. But AI governance is typically the domain of the CISO or the CDO, not the CPO. For now, no one person should own AI, because at this point in time, AI touches everything. Everyone shares the responsibility for using it wisely.

However, CPOs can play an important role in charting a path for AI, aside from ensuring companies use it in a privacy-forward way. The ethics of using sensitive data — and as we are seeing with the European Union AI Act, the consequences of misusing it — are similar whether the offender is human or machine. Clear insight on handling and protecting sensitive data and experience with General Data Protection Regulation (GDPR) readiness can help privacy pros guide the business in managing AI’s complexities.

The CPO as Partner

Managing risk in a modern organization is the ultimate balancing act. Sometimes it’s all hands on deck to shore up cybersecurity, sometimes it’s sensitive data protection, sometimes it’s AI. Privacy, security, governance, and the rest are all critical to maintain the balance, no matter what the challenge is. There may be a CPO, there may not be a CPO. Privacy management might be centralized or distributed across the business. But that doesn’t change the importance of data privacy management in helping to shore up system security, define AI governance, build trust, and mitigate risk. The best role a CPO can play is in demonstrating the value of a strong privacy program to make the whole business stronger.

Italy’s D-Orbit lands €119M ESA contract to service satellites in space

The European Space Agency (ESA) has signed a €119mn contract with Italian scaleup D-Orbit for its first in-orbit servicing mission, RISE.

Scheduled for launch in 2028, RISE will attempt to rendezvous with, maneuver, and detach from an ESA satellite in geostationary orbit. Then it will embark on an 8-year mission, visiting several other satellites and giving them a new lease on life.

RISE, which is about the size of a minivan, will be like a car mechanic, but for aging spacecraft. It will refuel them, repair them, relocate them to a different orbit, and even attach a module to them that will take over their propulsion and navigation.

“Now that we are able to, we want to move away from single-use, disposable satellites and instead, as the technologies continue to develop, start extending satellites’ lifetime and service them right where they are, in orbit around Earth,” said Andrew Wolahan, RISE project manager at ESA.

The space mechanic’s first client is likely to be a telecommunications satellite that’s running low on fuel but still has the capacity to keep connecting people worldwide, said ESA. If successful, D-Orbit will be the first European company to demonstrate in-orbit servicing.

A circular economy in space

Filling up our car with petrol, driving it until it runs empty, and then abandoning it on the side of the road isn’t something we’d do on Earth. But that’s how things have worked in space for a long time. This is not only expensive, but one of the root causes of space debris.

The aim of RISE is to extend the operational life of satellites and dispose of them safely, so that they don’t contribute to the growing cosmic traffic jam.

At present, there are over 34,000 pieces of space junk larger than 10 centimetres circling around our world. What’s more, there are about 6,500 operational satellites in orbit, a number expected to exceed 27,000 by the decade’s end.

All these objects are increasing the risk of collisions with other satellites, space stations, or even people down on Earth. If the build-up of trash continues at this rate, some regions of space could become unusable. And for those of us on Earth, the litter’s ruining our views of the cosmos.

In parallel with RISE, ESA is collaborating with Swiss startup ClearSpace on a mission focused on debris removal. ClearSpace-1, scheduled for launch by 2026, aims to actively remove a piece of space debris from orbit. Both RISE and ClearSpace-1 highlight Europe’s commitment to creating a circular economy in space.

The news comes just two weeks after D-Orbit announced it had closed a €150mn Series C funding round, one of the largest space deals of the past year.

Accenture, SAP Leaders on Diversity Problems and Solutions

Generative AI bias, driven by model training data, remains a large problem for organisations, according to leading experts in data and AI. These experts recommend APAC organisations take proactive measures to engineer around or eliminate bias as they bring generative AI use cases into production.

Teresa Tung, senior managing director at Accenture, told TechRepublic generative AI models have been trained primarily on internet data in English, with a strong North American perspective, and were likely to perpetuate viewpoints prevalent on the internet. This creates problems for tech leaders in APAC.

“Just from a language perspective, as soon as you’re not English based — if you’re in China or Thailand and other places — you are not seeing your language and perspectives represented in the model,” she said.

Technology and business talent located in non-English speaking countries are also being put at a disadvantage, Tung said. The disadvantage emerges because the experimentation in generative AI is largely being done by “English speakers and people who are native or can work with English.”

While many home grown models are developing, particularly in China, some languages in the region are not covered. “That accessibility gap is going to get big, in a way that is also biased, in addition to propagating some of the perspectives that are predominant in that corpus of [internet] data,” she said.

AI bias could produce organisational risks

Kim Oosthuizen, head of AI at SAP Australia and New Zealand, noted that bias extends to gender. In one Bloomberg study of Stable Diffusion-generated images, women were vastly underrepresented in images for higher paid professions like doctors, despite higher actual participation rates in these professions.

“These exaggerated biases that AI systems create are known as representational harms,” she told an audience at the recent SXSW Festival in Sydney, Australia. “These are harms which degrade certain social groups by reinforcing the status quo or by amplifying stereotypes,” she said.

“AI is only as good as the data it is trained on; if we’re giving these systems the wrong data, it’s just going to amplify those results, and it’s going to just keep on doing it continuously. That’s what happens when the data and the people developing the technology don’t have a representative view of the world.”

If nothing is done to improve the data, the problem could get worse. Oosthuizen cited expert predictions that large proportions of the internet’s images could be artificially generated within just a few years. She explained that “when we exclude groups of people into the future, it’s going to continue doing that.”

In another example of gender bias, Oosthuizen cited one AI prediction engine that analyzed blood samples for liver cancer. The AI ended up being twice as likely to pick up the affliction in men as in women because the model did not have enough women in the data set it was using to produce its results.

Tung said health settings represent a particular risk for organisations, as it could be dangerous when treatments are being recommended based on biased results. Conversely, AI use in job applications and hiring could be problematic if not complemented by a human in the loop and a responsible AI lens.

AI model developers and users must engineer around AI bias

Enterprises should adapt the way they either design generative AI models or integrate third-party models into their businesses to overcome biased data or protect their organisations from it.

For example, model producers are working on fine-tuning the data used to train their models by injecting new, relevant data sources or by creating synthetic data to introduce balance, Tung said. One example for gender would be using synthetic data so a model is representative and produces “she” as much as “he.”

Organisational users of AI models will need to test for AI bias in the same way they conduct quality assurance for software code or when using APIs from third-party vendors, Tung said.

“Just like you run the software test, this is getting your data right,” she explained. “As a model user, I’m going to have all these validation tests that are looking for gender bias, diversity bias; it could just be purely around accuracy, making sure we have a lot of that to test for the things we care about.”

In addition to testing, organisations should implement guardrails outside of their AI models that can correct for bias or accuracy before passing outputs to an end user. Tung gave the example of a company using generative AI to generate code that identified a new Python vulnerability.

“I will need to take that vulnerability, and I’m going to have an expert who knows Python generate some tests — these question-answer pairs that show what good looks like, and possibly wrong answers — and then I’m going to test the model to see if it does it or not,” Tung said.

“If it doesn’t perform with the right output, then I need to engineer around that,” she added.

Diversity in the AI technology industry will help reduce bias

Oosthuizen said to improve gender bias in AI, it is important for women to “have a seat at the table.” This means including their perspectives in every aspect of the AI journey — from data collection, to decision making, to leadership. This would require improving the perception of AI careers among women, she said.

Tung agreed improving representation is very important, whether that is gender, racial, age, or other demographics.
She said having multi-disciplinary teams “is really key,” and noted that an advantage of AI is that “not everybody has to be a data scientist nowadays or to be able to apply these models.” “A lot of it is in the application,” Tung explained. “So it’s actually somebody who knows marketing or finance or customer service very well, and is not

CIOs recalibrate multicloud strategies as challenges remain

The multicloud calculus

Mojgan Lefebvre, EVP and chief technology and operations officer at Travelers, says a multicloud architecture not only offers enterprises the freedom to use best-of-breed cloud services but also the ability to negotiate better financial terms from each cloud provider.

“Different cloud providers offer various pricing models,” she says. “A multicloud strategy allows organizations to optimize costs by selecting the most cost-effective services for their needs.”

Lefebvre says Travelers’ approach to multicloud is intentional, with best fits for each workload being decided on a case-by-case basis — including keeping specific workloads in-house. She also notes that not relying on a single cloud provider reduces the risk of downtime and data loss, while also fostering better business opportunities.

“Access to a broader range of tools and services, including advanced AI and machine learning capabilities, can drive innovation and improve business outcomes,” she says. “However, managing multiple cloud environments can be complex and requires specialized skills and tools to ensure consistent security and compliance and effective integration of services and data.”

That often means applying vendor-supplied connectors to exchange data from cloud to cloud, interoperability management tools, and in many cases, pricey systems integrators to stitch it all together and ensure, above all else, that there is no data leakage.

Bob McCowan, CIO of Regeneron Pharmaceuticals, says taking a cloud-native approach can help ease some multicloud challenges.

“For those organizations that embraced ‘native cloud,’ the architecture and design allow for movement of the work between different cloud providers without significant effort,” he says. “In most cases this is part of a business continuity play but it’s good practice to avoid getting overly committed to any provider, as well as leaving the door open for pivoting to cloud providers that may deliver a capability unique to their platform.”

Given the pace of change in the cloud industry itself, that flexibility can readily pay off, McCowan says.

“Cloud providers are going to be leapfrogging each other and if the capability, price point, or global reach warrants it, organizations will need to have the agility to change things up,” he says. “The rapid growth in AI, with very specific use cases will also require organizations to plan for change or risk getting tied to the wrong technology or cloud provider.”

AI has become a game changer in many ways, and it is causing CIOs to rethink their cloud strategies. There is a lot to be gained from leveraging the latest tools in the public cloud and being able to defect as necessary. Still, Max Chan, CIO of Avnet, says IT leaders ought not fret about building a multicloud architecture unless there is a well-defined need.

“Public cloud interoperability is increasingly important for gen AI deployment, but whether it is critical or more of a ‘nice to have’ depends on the specific use case and enterprise needs,” he says. “Enterprises with complex workflows that require integrating data and services from multiple cloud providers, such interoperability is essential for seamless data flow and service integration. However, for most other organizations that use a single cloud provider, interoperability might be less critical.”

And, Chan notes, the added complexity, as well as the potential costs associated with managing multicloud environments, might outweigh the benefits for many organizations.

Still, for those organizations embracing multicloud, all eyes will be on interoperability advancements. Oracle has taken a big step in that direction but only time will tell if enterprise demand forces cloud providers to build further interoperability directly into their clouds or risk losing customers.

In the interim, there are many tools and data integration strategies CIOs can use to make a hybrid, multicloud environment functional, says Nick Golovin, senior vice president of enterprise data platform at CData.

Amazon, for instance, advises customers to use homegrown services such as AWS DataSync, Glue, Athena, and CloudWatch to enable hybrid, multicloud interoperability. In a blog post this summer, AWS claimed Phillips 66 achieved multicloud interoperability by deploying its Managed Service for Prometheus but acknowledged AWS Professional Services was hired to make it work. AWS also pointed to Elastic Container Services and EKS Anywhere, as well as AWS Outposts Family and AWS Snow Family as additional tools to enable interoperability.

“CIOs and data decision-makers can create a comprehensive data management strategy for the hybrid cloud environment by considering their environment as a data ecosystem and focusing on aspects such as integration, data quality, governance, master data management, and metadata management,” Golovin says.

“Cloud platform vendors often provide parts of these aspects, so understanding where the gaps are and leveraging third-party specialized tools for critical data management functions can help overcome the limitations of proprietary cloud ecosystems, ensuring seamless connectivity and flexibility,” he adds.

Patent Owner Fed Up With Fed. Circ's 1-Word Decisions

By Hannah Albarazi (October 23, 2024, 9:38 PM EDT) — A patent owner has urged the U.S. Supreme Court to review the Federal Circuit’s one-word decision affirming summary judgment in favor of TD Ameritrade in a high-stakes patent fight, saying the appellate court is routinely and summarily affirming orders that ignore factual disputes in patent cases, without explanation….

Boosting Sales With the Power of AI

Businesses looking to increase their sales now have a powerful new tool at their disposal — AI.

AI revolutionizes sales by enhancing traditional selling methods and introducing new capabilities, says Bob Seaton, CTO advisor and solutions architect at technology consulting firm BUILT. “It builds upon established data science techniques, offering advanced customer segmentation, rapid industry insights, and streamlined training processes,” he explains in an online interview. “This approach allows companies to gain crucial information about their customers at unprecedented speeds, fostering more meaningful relationships and providing a competitive edge.”

AI’s core powers include creating natural content, handling Q&As, and automating action-based tasks, says Jared Coyle, chief AI officer with business applications provider SAP North America, in an email interview. “These capabilities open a wide range of opportunities for sales teams by simplifying various stages of the sales process.”

Meanwhile, generative AI (GenAI) is opening new frontiers in sales communication. “This technology enables micro-level customization of messaging, acting as a sophisticated personal assistant to clarify and tailor communications for specific audiences,” Seaton says. “AI not only refines existing sales strategies, but also introduces powerful new tools for personalization and efficiency, ultimately leading to more impactful customer interactions and improved sales outcomes.”

In the early stages of selling, when greater personalization is required, AI can equip sales teams with valuable insights for more enhanced interactions, Coyle says. “By providing capabilities like intelligent customer profiles, sales teams can better understand customer purchasing patterns and preferences, as well as gain insight into where a customer is on their journey.”

“As sales teams move beyond the early stages of selling and into active customer interaction, AI can aid in contract management, content preparation, and the generation of custom visual designs tailored to specific target audiences,” Coyle notes. “Predictive analytics, powered by AI, can better forecast customer satisfaction and increase the likelihood of contract signings by enabling better resource allocation and insights.”

Data Matters

AI’s sales effectiveness hinges on its ability to harness vast amounts of data. “AI’s power lies in its speed and capacity to identify trends at an unprecedented scale,” Seaton says. It allows business leaders to recognize patterns hidden in their data, ask more insightful questions, and accelerate growth with targeted actions. AI’s data processing capabilities can also dramatically enhance product development, enabling rapid prototyping and testing. Such efficiency can compress months of testing into days, leading to faster solution creation and significant cost savings. “The key to AI’s utility isn’t just in having abundant data, but in knowing how to leverage it effectively to drive real insights and tangible business outcomes.”

Opportunity and Risks

Businesses that embrace AI will replace companies that don’t, claims Pranav Gupta, a senior data scientist at home improvement retailer Lowe’s. In an email interview, he recommends getting started with AI as soon as possible. “The first step is to answer the question of what is the biggest opportunity area that could lead to a better customer experience or convince customers to buy your product.”

Sales teams that fall behind in AI use risk missing out on valuable data insights, leading to lost sales opportunities and revenue growth, Coyle says. Customer experience will also suffer, due to slower response times and less personalized services, impacting satisfaction and loyalty. Additionally, without AI’s predictive analytics, businesses may struggle with inaccurate forecasts, leading to poor decision-making and resource misallocation, he warns.

Not Just Another Tool

AI is not just another tool; it’s a universal accelerator that rapidly redefines every aspect of work, Seaton says. “By leveraging AI to quickly process vast amounts of data and generate insights, companies can respond to customer needs with unprecedented speed and precision,” he explains. “This acceleration allows businesses to present proposals before competitors, giving customers the opportunity to say ‘Yes’ earlier in the sales cycle.”

AI’s transformative power extends beyond enhancing existing processes, Seaton says. “Those who embrace AI as an accelerator will gain a significant competitive edge, while those who don’t risk falling behind,” he warns. “It’s clear that failing to adopt AI technology, especially in sales, means losing out on opportunities and efficiency gains that many competitors already leverage.”

An AI sales tool’s effectiveness can be evaluated by measuring increases in revenue and net promoter score, reduction in customer complaints, and related metrics that typically constitute key performance indicators, Gupta says. He suggests estimating such impacts early, even before an AI-based tool has been deployed. “For example, if you know the accuracy of a model recommending products to customers is 90%, you can make assumptions about the customer funnel and calculate company KPI from the value of the model accuracy.”

To obtain a clearer understanding of a sales tool’s overall effectiveness, Coyle advises conducting A/B tests of multiple AI initiatives to find the one that generates higher conversions and better customer engagements.

Faster Growth

Experts say that AI is the new electricity, Gupta observes. “Soon it will be unimaginable to have a product without some component of AI, just like it’s unimaginable to spend a single day at the office without a computer.”

AI drove Belgian startup funding near €500M in H1 2024, report finds

Private capital investment in Belgian startups has exceeded €470mn in the first half of 2024, compared to a total of €424mn in 2023. At the current rate of spending, the country’s tech ecosystem is heading for a record funding year.

That’s according to the State of Belgian Tech Report, published today. It combines data from Dealroom, a survey of over 130 startup founders, and interviews with Belgian entrepreneurs and investors.

According to the findings, the average amount of investment per round per stage has steadily increased between 2018 and 2024 to date. It has tripled at the seed and Series B stages and more than doubled at Series A.

AI dominates investments

Reflecting a wider European (and global) trend, AI startups attracted over 70% of the total capital invested in H1 2024. This was driven by a number of larger rounds by companies including TechWolf and Robovision, which secured investments of $42.7mn and $42mn, respectively.

Other sectors that attracted investment are energy, professional services, and consumer goods.

Signs of a maturing ecosystem

According to the report, the gradual increase in startup funding since 2018 is a sign that the Belgian ecosystem is entering a maturation phase. Another indication is a steady growth in exits, which rose from 13 in 2018 to 31 in 2022 and 36 in 2023. This year has seen 22 exits so far.

Belgium also counts four home-grown unicorns: Collibra, Odoo, Deliverect, and team.blue. The latter reached a €4.8bn valuation in July.

There’s also a continuous inflow of capital from foreign investors (accounting on average for 66% of the total funding since 2020), while there’s a renewed momentum among local funds and VCs. In 2024 to date, Belgian VCs have raised over €200mn in new funds and are projected to close the year with over double the amount.

Nevertheless, difficulties still remain in the ecosystem’s journey towards maturity — especially when it comes to scaling and late-stage growth. Tellingly, in the past six years, early-stage funding rounds account for approximately 77% of the total capital raised by Belgian startups. That’s compared to 42% in Europe as a whole.

“The challenges are clear, and they’re not that different from other ecosystems in this early maturation phase,” Robin Wauters, founding member of Belgian VC firm Syndicate One and co-author of the report, told TNW.

One such challenge is attracting senior talent. “Anything that can be done to make it easier for founders to recruit, retain, and reward that talent will enable the ecosystem as a whole to move to the next level,” Wauters said.

In addition to talent, the availability of growth capital and government reforms for businesses can deliver “a good mix of elements that level up Belgian tech,” he said.

Predictions 2025: Retail — Tech Investments Will Support Retailer Profitability

As retailers brace for a challenging 2025, technology will play a crucial role in offsetting the impact of waning consumer demand on their business. To be sure, retail overall will continue to grow: Globally, we forecast $24.9 trillion total retail sales in 2025. Of that, $5.3 trillion (or about one-fifth) will be online retail sales specifically, almost two-thirds of which will come from China and the US.

Retail growth is reverting to pre-pandemic levels, and businesses across all sectors will face pressure to drive revenue and profit. Factors such as higher wages, lower purchasing power, and increased competition from Chinese merchants like Temu are forcing retailers globally to invest in and explore innovative tech solutions to retain and grow their customer base.

A mix of technological advancements and economic realities will shape the retail landscape in 2025. Here is a sampling of some of our predictions for the retail industry in the coming year:

One in five US and EMEA retailers will launch customer-facing generative AI applications. Already, 15% of retail and wholesale companies have multiple genAI deployments within their enterprise, per Forrester’s Priorities Survey, 2024. These AI-powered tools will improve both customer outcomes and business efficiencies, particularly in competitive sectors. We expect to see retailers leveraging genAI for enhanced product search, personalized recommendations, and improved category navigation. For their list of potential genAI experiments, savvy retailers start with those that support better site search and navigation or that help to explain recommendations and other content they present to customers that otherwise may seem arbitrary to those shoppers.

A few US retailers will implement biometric-powered solutions to curb internal theft. As employee theft becomes a growing concern, retailers with high-value or easily stolen merchandise (e.g., health and beauty products) will invest in biometric identification systems to secure employee-only areas and protect valuable inventory. Which companies are likeliest to invest? Think retailers with recognized security issues and easy-to-steal, high-priced, and/or high-demand assortments (perhaps in drugstore and consumer electronics sectors) that will evaluate and then make the costly investment and ultimately launch internal biometrics use.

US grocers’ operating profit margins will decline by 150 basis points or more. Facing higher supplier costs, waning consumer sentiment, and a slowing job market, grocers will struggle to maintain profitability. Revenue growth for US grocers will see significant pressure: US food-at-home inflation has been in the 1.0–1.2% range since January 2024. Grocers will increase promotional activity and adjust the product mix to low-margin essentials to retain market share. They’ll need to implement cost-cutting measures and explore new revenue streams to stabilize their margins. For grocers, that means analyzing and testing potential revenue and margin gains by growing their private-label shelf space, product mix, and retail media offerings. Brands will need to invest in retail media to offset lower share of shelf.

To thrive in this challenging environment, retailers must be willing to invest in and experiment with new technologies and strategies. Some initiatives will succeed while others will fail, so the key is to cultivate a culture of innovation and adaptability.

Read our full Predictions 2025: Retail report to get more detail about each of these predictions and read additional predictions.


What Is PCI Compliance? A Simple Guide for Businesses

You likely accept credit and debit card payments every day. But with so much sensitive data, you need robust protection against hackers. Luckily, there is a standardized checklist of measures to defend against fraud. These security protocols are called the Payment Card Industry Data Security Standard (PCI DSS). Since that’s a mouthful, people simply say a business is “PCI compliant” to mean it follows these strict protective measures. The top credit card companies enforce these rules. Let’s dive into why your small business needs to stay PCI-compliant.

What is PCI compliance?

PCI compliance is a set of security guidelines intended to protect cardholder data during transactions. The standards were created in 2004 by the Payment Card Industry Security Standards Council (PCI SSC). This body is composed of major credit card companies such as Visa, MasterCard, American Express, Discover, and JCB.

Any business that handles credit card information should adhere to these regulations. That’s because PCI compliance also protects businesses. The protocols slash the risk of data breaches and credit card fraud. Consumers trust entities that take security seriously, too. This medley of benefits makes your organization more secure — and more successful.

Why PCI compliance is crucial for small businesses

There are real-world perks to following these strict security fundamentals. Here are the three main motives behind compliance:

Protects Customer Data: PCI compliance ensures customer data is handled securely, lowering the risk of destructive data breaches so you and your customers sleep better at night.

Avoids Financial Penalties: Non-compliance can result in steep fines from credit card companies or banks. These fines can reach six figures, which can cripple a small business rapidly.

Strengthens Customer Trust: It takes hard work and lots of time to earn a person’s trust. PCI compliance accelerates this process as it develops peace of mind among your customer base.

Understanding essential PCI compliance requirements

PCI DSS involves twelve primary requirements. Some mandates involve more technical knowledge to implement. But they’re all crucial to a secure payment environment. Let’s explore each of the fundamental requirements.

1. Install and Maintain a Secure Network: This step includes using firewalls to protect data and block unauthorized access to your network.
2. Use Robust Passwords and Security Settings: Avoid using default or weak passwords for systems and devices. Employ strong, unique passwords that are difficult to guess.
3. Protect Stored Cardholder Data: Encrypt sensitive data, such as credit card numbers, when storing them. Only store data necessary for business operations and ensure it is protected.
4. Encrypt Transmission of Cardholder Data: Use encryption protocols like SSL or TLS to protect data when it is transmitted over public networks.
5. Use and Maintain Anti-Virus Software: Anti-virus software helps prevent malware and other threats from compromising your systems. Keep this software updated to ensure it can defend against new threats.
6. Develop and Maintain Secure Systems and Applications: Regularly update software, including security patches, to protect against known vulnerabilities.
7. Restrict Access to Cardholder Data: Limit access to only employees who need it for their job duties. This step reduces the risk of data being accessed by unauthorized individuals.
8. Identify and Authenticate Access to System Components: Implement user IDs and passwords to monitor who accesses cardholder data and system components.
9. Restrict Physical Access to Cardholder Data: Ensure that any physical copies of cardholder data, such as receipts and photocopies, are stored securely and accessible only to authorized personnel.
10. Track and Monitor Access to Network Resources: Use logging mechanisms to monitor access to network resources and cardholder data. Regularly review these logs for any suspicious activity.
11. Regularly Test Security Systems and Processes: Conduct vulnerability scans and penetration testing to identify and resolve weaknesses in your security systems.
12. Maintain an Information Security Policy: Develop a written security policy that clearly spells out your organization’s approach to PCI compliance and data protection.

The four levels of PCI compliance

PCI compliance is categorized into four levels based on the number of credit card transactions your business processes annually. Understanding these tiers can help you determine which requirements apply to your situation.

| Tier | Criteria | Requirements |
| --- | --- | --- |
| Level 1 | Over 6 million card transactions per year from all sales channels. | Must undergo an annual on-site assessment conducted by a Qualified Security Assessor (QSA). |
| Level 2 | 1 to 6 million card transactions annually from all sales channels. | Must complete an annual Self-Assessment Questionnaire (SAQ) and conduct a quarterly network scan by an Approved Scanning Vendor (ASV). |
| Level 3 | 20,000 to 1 million e-commerce transactions annually. | Must complete an annual SAQ and undergo quarterly network scans. |
| Level 4 | Fewer than 20,000 e-commerce transactions annually, OR 1 million or fewer transactions from all sales channels. | Must complete an annual SAQ and conduct quarterly scans. |

Most small businesses fall under Level 3 or Level 4. As a result, they can often manage compliance themselves with the right tools and guidance.

Achieving PCI compliance for your small business

Achieving PCI compliance can feel daunting. However, each step is manageable even for smaller organizations. Here’s a step-by-step guide to help you get started:

Step 1: Determine your PCI compliance level
Identify your level based on the volume of credit card transactions your business processes annually. This figure dictates the type of assessment and documentation you need to complete.

Step 2: Complete a self-assessment questionnaire (SAQ)
The SAQ is a series of questions that assess your organization’s security practices. Choose the form that matches your business model and payment methods. For example, SAQ A is suitable for merchants that outsource all cardholder data functions to a third party.
Tip: SAQs and related resources can be found on the PCI Security Standards Council website.

Step 3: Conduct a vulnerability scan
Work with an approved scanning vendor (ASV) to perform a vulnerability audit of your systems. This procedure surfaces security weaknesses in your network.

Step 4: Address any security gaps
Analyze the SAQ and vulnerability scan results to address any identified weaknesses. This response could involve updating your firewall, improving password practices, or deploying more robust encryption.
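The "Protect Stored Cardholder Data" and log-review requirements above can be spot-checked by scanning your own logs for card numbers stored in the clear. The following is an added example, not part of the original guide; the function names, the sample log lines, and the first-six/last-four mask are assumptions made for illustration.

```python
import re

# Runs of 13-19 digits, allowing single space or hyphen separators.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_valid(digits):
    """Luhn checksum: filters out order IDs and other long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits):
    # Example's choice of mask: keep first six and last four digits.
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(line):
    """Return (start, end, digits) for each Luhn-valid candidate."""
    hits = []
    for m in CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            hits.append((m.start(), m.end(), digits))
    return hits

def redact_line(line):
    out, last = [], 0
    for start, end, digits in find_pans(line):
        out += [line[last:start], mask_pan(digits)]
        last = end
    return "".join(out) + line[last:]

def scan(lines):
    """Return (line_number, redacted_line) for lines holding a card number."""
    return [(n, redact_line(l)) for n, l in enumerate(lines, 1) if find_pans(l)]

# Constructed sample log; card values are publicly documented test numbers.
SAMPLE_LOG = [
    "2025-01-10 12:00:01 INFO order=1001 status=paid",
    "2025-01-10 12:00:02 DEBUG charge card=4111111111111111 amount=19.99",
    "2025-01-10 12:00:03 DEBUG retry card=5555-5555-5555-4444 amount=5.00",
    "2025-01-10 12:00:04 INFO tracking=1234567890123456 carrier=ups",
]

if __name__ == "__main__":
    for n, redacted in scan(SAMPLE_LOG):
        print(f"line {n}: {redacted}")
```

Lines 2 and 3 of the sample are flagged; the 16-digit tracking number on line 4 fails the Luhn check and is left alone, which keeps false positives down when reviewing real logs.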
