Instead of receiving that long-awaited tax refund in the mail, you got a notice informing you that your organization is required to submit validation for PCI compliance. The notice probably stated that unless you provide proof of compliance, you will be hit with penalties and fees. Even worse, if you don’t provide the required information, your credit card acceptance agreement may be terminated. You’re not alone. A recent analysis of annual PCI compliance assessments on more than 500 large organizations showed that only 11.1% of enterprises maintained their compliance status between assessments. Why such a low percentage? One reason is that the compliance landscape is constantly changing. And unless you’re a compliance genius, you probably don’t grasp all of the controls and subcontrols that must be implemented correctly as part of PCI DSS 3.0 (did we mention that there are more than 400 of them?). Read on to learn how PCI compliance is established for your organization, and how to keep up with the changing landscape.
PCI compliance requirements are influenced by the credit card brands a business accepts
It’s important to understand which level your organization falls under for each credit card brand you accept. Each credit card brand has its own umbrella compliance program that is based on the number of transactions for that brand alone. Just to confuse things, the credit card companies differ in their level definitions and compliance submission requirements. So if your organization is processing up to one million VISA transactions annually, you are a Level 4 merchant. However, if you process the same number of MasterCard transactions, you are a Level 3 merchant. In case you’re wondering, American Express doesn’t have a Level 4 category. And just to make things even more confusing, each brand has its own specific PCI compliance requirements. Once you know what level your organization is at with each of your credit card companies, you can determine what information you need to provide in order to confirm your compliance standing.
PCI compliance is a moving target
Many companies view PCI compliance as a one-off activity, rather than a year-round risk mitigation initiative. Big mistake. What if your organization experiences a spike in VISA transactions and a drop in American Express transactions? The change could alter your compliance requirements for both brands. It’s important to continually track progress on the activities required for quarterly reviews, year-end audits, and monthly assessments. Without assigning a dedicated resource to maintain this “electronic book of evidence,” you can end up sending the wrong compliance information to your credit card companies, potentially exposing yourself to unintended data breaches and subsequent fines. And who wants to deal with that?
HOSTING Managed Security and Compliance Services™
To help organizations effectively manage their compliance-related activities, HOSTING offers Managed Security and Compliance Services. Developed and tested by our information security and compliance experts, it empowers companies to take a measurable, proactive stance in addressing PCI DSS requirements.
The HOSTING team creates effective compliance programs based on clearly defined systems, processes and personnel that store, process or access cardholder data (CHD). They accurately scope the environment that needs to be validated by identifying the data that must be protected. The HOSTING proprietary compliance dashboard continuously monitors GRC (Governance, Risk and Compliance), providing organizations with dynamic, measurable compliance. It also allows organizations to move away from traditional paper documentation and manual processes to create a comprehensive, electronic audit trail. Automated alerts and email notifications enable them to stay ahead of the compliance curve while proactively addressing any incidents that could put their compliance standing at risk.
Confused about the changes in PCI compliance? The HOSTING team of dedicated security and compliance experts stands ready to help. Contact us anytime with your questions or concerns. You can also view our on-demand webinar to hear HOSTING Chief Information Security Officer (CISO) Johan Hybinette discuss The Changing Compliance Landscape.