Developing controls is one thing; compliance is another matter. I recently read an AOC Solutions blog post about the Verizon 2014 PCI Compliance Report. It cites that nearly 60% of companies do not regularly test their data security systems and processes, even though this is a requirement of the Payment Card Industry Data Security Standard (PCI DSS). Does your P-Card program suffer from similarly low compliance in one or more areas? What do your compliance metrics show?
I previously wrote about declined transactions and delinquent cardholders, but there are more potential issues; for example:
- incidents of personal use of a Commercial Card
- purchasing prohibited goods/services
- improper card storage (e.g., cardholders leaving cards on their desks when they are not there)
- improper disposal of cards or documentation reflecting card account information
- sharing system login IDs and passwords or posting the information next to a computer
- cardholders allowing someone else to use their card
- suppliers who are not PCI-compliant (the Verizon report will make you think twice about what your suppliers are doing)
A good auditing program is critical to catching and resolving compliance problems, but prevention is equally important. Do your policies and procedures (P&P) address the bullet points listed above? For tips on what P-Card P&P should include, purchase the related guide for $29.99. What about your training program? P-Card training should complement other organization training, such as training focused on ethics and information security. If your organization could use help with any of these efforts, contact Recharged Education.
About the Author
Blog post author Lynn Larson, CPCP, is the founder of Recharged Education. With more than 15 years of Commercial Card experience, her mission is to make industry education readily accessible to all.