PCI DSS Compliance, also popularly known as PCI or PCI Compliance, is a security standard put in place by the Payment Card Industry Security Standards Council (PCI SSC). The standard lists twelve overarching requirements which, if observed by all credit card users, can help reduce credit card fraud and ultimately better protect cardholders.
According to Rodolphe Simonetti, the managing director at Verizon Enterprise Solutions, the increase in high profile data breaches is partly caused by failure to fully comply with PCI DSS. In a recent PCI compliance report released by Verizon, Mr. Simonetti encourages businesses to embed compliance in normal business processes arguing that “it should be a year-round activity.” Referring to the latest victims of major data breaches, he states that none of the companies were fully compliant at the time of the breach, noting that it has become a trend for companies to stop complying just a few weeks after the assessment. In other words, the first step in compliance is to always be compliant.
Verizon’s PCI Security compiles a list of four practices that can help you keep your organization PCI compliant.
1. Think of compliance differently
Mr. Simonetti advises that you should view PCI DSS as the basic minimum standard for whatever security efforts you engage in. However, the standard must also be treated not as the blueprint of security, but as one piece of the wider jigsaw. So, PCI shouldn’t be the checklist; it should be a part of the checklist. The best way to do this, according to Mr. Simonetti, is to put your PCI compliance strategy within the company’s Governance, Risk, and Compliance (GRC) strategy.
2. Make PCI DSS compliance sustainable
One reason why so many organizations can’t remain compliant is that they never set themselves up to stay compliant. Many companies treat PCI compliance as a goal that, once achieved, can be checked off. This often causes them to lapse out of compliance within a short time of reaching it. Considering that it takes just a few minutes on a new uncontrolled Wi-Fi access point to break into a database, this lapse in concentration is simply not allowable. Compliance shouldn’t be just about technology; it should involve the whole business and requires staff education.
3. View compliance as a challenge
The compliance process is not easy, and it must be treated accordingly. You’ll be transmitting, processing, and storing CHD over hundreds of systems, cutting across public and private networks, and passing through hundreds to thousands of staff and customers. DSS 2.0 comes with 289 controls that must be implemented correctly; DSS 3.0 has even more controls. Simply put, to comply successfully you need to fully appreciate the challenge that comes with that compliance.
4. Use compliance as an opportunity
Yes, compliance can be hectic; however, it also brings several opportunities you can exploit. For example, as you map your CHD flows across systems and processes:
• You get the opportunity to consolidate your systems, which allows you to reduce scope while cutting the costs associated with software licensing and maintenance.
• You’ll be able to rationalize your list of suppliers.
• You can identify, streamline, and transform outdated processes, often resulting in reduced staffing.
• You’ll be able to identify holes and apply the required patches, consequently improving uptime and system performance.
PCI DSS Compliance poses a challenge for all organizations – big and small. In addition to the tips listed above, you should try to minimize the amount of data you need to protect.