Nearly half of companies remain noncompliant as we near the 13th anniversary of the PCI DSS, and these organizations are at serious risk of data breaches and regulatory fines. Ground Labs’ Steven Cavey provides an overview of the standard and tips to achieve compliance.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store or transmit cardholder data maintain a secure environment. The standard was first launched in September 2006, and since then it has undergone regular updates as paying by card has become more diversified and digitized. Despite increased awareness, many organizations still don’t take PCI compliance seriously and remain at risk of costly data breaches and regulatory fines.
As we near the 13th anniversary of PCI DSS, here are four facts every business should know in order to achieve or maintain compliance while preserving brand reputation and customer loyalty.
After 13 Years, Many Organizations Are Still Not Fully Compliant
Verizon’s 2018 Payment Security Report found that only 52.5 percent of companies surveyed were in compliance with PCI DSS, which means that nearly half of all organizations are still not fully complying due to a broad variety of factors, some of which are covered in this article.
To help organizations overcome these hurdles, it is essential to conduct regular compliance reviews. Most organizations (40 percent) measure their PCI compliance annually for validation purposes, but more frequent reviews help break the remediation effort into smaller pieces as issues are identified. Verizon found that less than a quarter (19 percent) measure and report their PCI DSS compliance monthly, which becomes practical with the right level of automation and a recurring process.
Investing in Automation is Essential
Another common reason PCI compliance within an organization can be so fragile is how lean its program is run. With today’s global cybersecurity skills shortage, existing security-skilled staff are being loaded with additional time-sensitive tasks, which can result in lower-priority manual tasks being deferred or missed.
Across most industries, the typical approach is ongoing investment in new and updated solutions to achieve a modern, efficient security stack and defend the organization from suffering a data breach. When making these investment decisions, it is crucial now more than ever to assess the level of human effort required to operate and maintain the proposed solution.
Modern security and risk management solutions offer a number of automation capabilities, as well as comprehensive and robust integration APIs to enable interoperability and data exchange with other platforms. This is key to minimizing the amount of manual process needed as compliance data is exchanged between systems to determine compliance status.
The net outcome of your automation efforts should be simple: reduced demands on staff time and an improved security and compliance posture. More importantly, it should deliver continuous compliance without gaps or reliance on manual processes.
The Cardholder Data Isn’t Always Stored Where You Expect
Having partnered with hundreds of PCI Qualified Security Assessors (QSAs) who have worked with thousands of organizations over the past 10+ years, we continually learn of new situations involving insecure and unknown credit card storage. Sometimes these involve hundreds of millions of customer card numbers being uncovered with no encryption and no awareness within the business that the data existed.
This problem traces back to a fundamental flaw and PCI compliance mistake: Assumption.
For the longest time, organizations validated their PCI compliance scope by surveying each department, i.e. “asking them” whether they handled cardholder data. This often led to false conclusions based on assumptions about where cardholder data was located. That in turn creates a larger issue: expensive security controls are implemented to protect only part of the data at risk, while all of the other cardholder data hiding within the organization is overlooked and remains exposed after the compliance controls are put in place.
The only proven way to overcome this challenge is by conducting a thorough cardholder data discovery process across all systems. This software-driven process eliminates “unknown unknowns” and provides a true position on the scope of cardholder data storage with evidence. Furthermore, if approached correctly, a thorough discovery process can search across all storage locations regardless of type, including file servers, desktops, databases, emails, big data, cloud storage and more.
Upon completion of data discovery, the associated reporting can be used to validate existing assumptions and then appropriately reprioritize the compliance program’s remediation efforts to focus on the highest-risk areas first in order to achieve compliance.
This revised approach will ensure your compliance investment will achieve its true stated goal – to identify and secure all cardholder data that exists across the organization.
Where to Start? Quick Tips for PCI Compliance
In addition to the advice given above, the PCI Security Standards Council (PCI SSC) provides a comprehensive Document Library, which includes a Prioritized Approach Tool to help an organization focus its efforts correctly to achieve PCI compliance.
The PCI SSC recommends nine quick tips to get an organization on its way to achieving PCI compliance:
- Buy and use only approved PIN entry devices at your points of sale.
- Buy and use only validated payment software at your POS or website shopping cart.
- Do not store any sensitive cardholder data in computers or on paper.
- Use a firewall on your network and PCs.
- Make sure your wireless router is password-protected and uses encryption.
- Use strong passwords. Be sure to change default passwords on hardware and software (most are unsafe).
- Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
- Teach your employees about security and protecting cardholder data.
- Follow the PCI Data Security Standard.
Compliance is a journey, not a destination. It will never be a “one and done” business initiative to meet standards; the attitude toward PCI compliance must be that of a constant desire to improve and test networks to ensure they are secure. There is no easy fix for achieving compliance or even remaining compliant. It needs to be part of everyday business practices across the entire organization.