Some technology pundits have dubbed 2014 “the year of the hack” – citing Target, Neiman Marcus and eBay as the most recent victims of data breaches. A common theme shared by many of these companies is that they weren’t in full PCI compliance at the time of the breach. A recent analysis of annual PCI compliance assessments on more than 500 large organizations showed that only 11.1% of enterprises maintained their compliance status between assessments. With more than 400 controls and sub-controls that must be implemented correctly as part of PCI DSS 3.0, many resource-constrained companies view PCI compliance as a one-off activity instead of a year-round risk mitigation initiative.
Following are five steps to help you improve your PCI compliance program:
Analyze whether your existing IT resources can be allocated to a year-round compliance effort
A lack of resources and manpower is often a major obstacle for companies striving to achieve PCI compliance. Companies with limited IT resources often reassign staff to other projects once they’ve passed their annual PCI security audit. But under PCI rules, large companies such as Target are required to conduct quarterly vulnerability scans to check for threats to payment card data.
Prior to launching a PCI compliance program, take stock of your IT resources and determine how they can be utilized and combined with a dedicated compliant hosting solutions provider. Some PCI requirements, such as protecting data at rest, security testing and monitoring security controls, may be accomplished more effectively by an outside cloud solutions provider (CSP).
Make PCI compliance “business as usual”
Many companies treat PCI compliance as a final exam – something their security team crams for once a year. In reality, many organizations lapse in compliance within days or weeks of their latest assessment. Something seemingly minor, such as an unencrypted drive, can cause a company to fall out of compliance and risk being hit with severe fines. Organizations should implement weekly reviews of their PCI compliance activities and allocate time to track changes to every in-scope environment.
IT leaders should emphasize that PCI compliance is not the sole responsibility of the security team. It’s a company-wide initiative that involves application developers, system administrators, executives and others.
Think of PCI compliance as part of a larger security initiative
Some organizations’ security policies begin and end with PCI compliance. However, PCI compliance should be viewed as a minimum standard for security, not the foundation for it. Understanding how each control helps prevent a data breach by eliminating one of the three elements that make a breach possible – data, access and egress (exfiltration) – can also facilitate buy-in for PCI compliance throughout an organization.
View PCI compliance as an investment
Many enterprises view PCI compliance as a necessary evil, a cost of doing business. Mapping out how cardholder data (CHD) flows across an organization’s systems is a critical component of achieving PCI compliance. However, this process can also provide valuable insights into the company’s business operations, enabling companies to take advantage of “operational opportunities” including:
- Unifying systems can reduce scope while providing cost savings in software licensing, maintenance and so forth.
- Applying patches and configuration best practices can improve system performance and uptime.
- Consolidating existing merchant contracts with acquiring banks and payment processors can result in better transaction fees.
Maintain a manageable scope
A compliant hosting solutions provider helps organizations create effective PCI compliance programs based on clearly defined systems, processes and people that store, process or access CHD. The provider accurately scopes the environment that needs to be validated by identifying the data that must be protected and keeping the spread of CHD across the organization to a minimum. This enables companies to reduce their workload, mitigate their risk and control operating costs.
Request a quote from the compliance experts at HOSTING to help you achieve and maintain PCI compliance year-round.