The Payment Card Industry Data Security Standard (PCI DSS) is required for any organization that processes, stores, or handles transactional financial data. It was first released in 2004, and offers 12 requirements that companies must meet in order to claim PCI compliance. However, just because a company meets the PCI standards once doesn’t mean it’s permanently compliant. So if organizations claim PCI compliance, why is it so hard for them to maintain it?
Well, the news is not all bad. According to Verizon’s annual Payment Security Report (PDF) on the state of PCI compliance, overall compliance has increased to 55.4 percent of organizations assessed, up from 48.4 percent in 2015. But that also means that nearly half of organizations that process and handle credit card data failed to meet compliance. And of those that passed, almost half fall out of compliance within a year.
Ciske van Oosten, lead author of Verizon’s report, says this is because companies tend to treat compliance as a checkmark goal, not a process. For example, if there’s a change in a company’s environment after their audit (say, a new store location opens), they aren’t likely to go back and review the changes to make sure they’re compliant until after a new audit points out the problem–possibly a year later. A company that treats compliance as an ongoing process, however, is more likely to review new changes right away to make sure everything is still on the up and up.
Compliance doesn’t guarantee protection from a data breach, of course, but Verizon’s forensic investigation of 11 years worth of data breaches found that no company was compliant at the time of a breach. Additionally, 89 percent of breached companies were never compliant.
Another tip from the report: Don’t look at the control lifecycle management in isolation. Verizon found that basic controls such as penetration tests and vulnerability scanning were lacking in 12.4 organizations in 2015, with an increase to 13 percent in 2016. Rodolphe Simonetti, global managing director for security consulting at Verizon, says that many organizations don’t appreciate that these basic PCI controls are inter related. “This is often the result of a shortage of skilled in-house professionals; however, in our experience, internal proficiency can be dramatically improved with lifecycle guidance from external experts,” he told CIO.com.
When it comes to compliance of any kind, it should be treated as a process, not a goal. Constant vigilance can help prevent data breaches and protect sensitive cardholder data. Invest in experts both outsourced and in-house who understand compliance and how to continuously achieve it, not just check it off once a year. Online Tech can help provide the control lifecycle management guidance needed, and our culture of compliance means that we strive to continuously meet and exceed PCI standards. Our experts will help ensure that your hosted environment will remain compliant all year long, not just during an audit.