PCI DSS (Payment Card Industry Data Security Standards) compliance is important to any company processing, storing, or transmitting cardholder data. However, its 12 security requirements are complex (each requirement is broken down into many different sub-categories so that at the end of the day there’s over 200 points to consider) and technical, causing many companies to stumble when working towards compliance.
In 2011, only 21 percent of organizations were found to be PCI compliant upon their first assessment. This was only up one percent from the year before, which is disconcerting for consumers who have been bombarded this year with news of data breaches on top of data breaches. Understanding some of the biggest issues surrounding PCI compliance can help sidestep potential costs from breaches and non-compliance, and preserves a company’s reputation.
A big hurdle for businesses working toward compliance is understanding what is in scope. Thinking simply, it’s anything within the company that transmits, stores, or processes cardholder data. A smart first step would be to go through the actual life-cycle of cardholder data within the company. Understanding how the data moves through a system, and what components that data touches along the way can clarify what areas will fall under what is called the Cardholder Data Environment (CDE), and is in scope. Any system that is connected to that CDE is considered in scope as well, and will need to be compliant. Drawing diagrams of how the data flows throughout an organization helps to see how systems are connected, and will help more clearly define scope for the company.
It’s also important to understand which vendors are considered in scope. If you outsource your PCI hosting, for example, the hosting provider will need to be compliant as well. One good way to do the due diligence of making sure a prospective vendor is compliant is making sure that they have an independent audit report, and that they’re willing to share it with you.
Prioritizing Policies and Procedures
PCI compliance is much more prescriptive than some other types of compliance that companies might need (HIPAA compliance, for example, is quite a bit more subjective, and not as technically specific), but that shouldn’t overshadow how important the policies and procedures are in structuring the IT implementation. Spending time on these policies allows the processes to be streamlined and clear for any employees carrying out compliance measures. Having both employees and higher level management looking at universal processes in place removes ambiguity, and thus helps reduce the risk of non-compliance or worse yet, a breach.
Support From Upper Management
This is possibly the most important point that can be made, as it has an effect on all compliance efforts. The attitude of Upper Management often dictates how policies and procedures are determined, and the effects of that can be seen within implementation. The entire organization can’t look at PCI compliance as a short-term project, but rather as a long-term process. For example, it is stated within PCI DSS that antivirus is mandatory, so an organization gets the antivirus it needs in order to be compliant. However, if the attitude toward compliance is that it’s a nuisance rather than a necessity, a company might not have procedures and manpower allocated toward updating and maintaining this antivirus regularly. This not only causes non-compliance, but puts the organization at risk if a malicious attack was to be made on the company.
Maintaining and updating security tools can be a time-consuming process, requiring certified professional IT staff. Outsourcing managed services and technical security may be the answer for companies that want to maintain not only their PCI compliance, but also a secure environment to safely house their customer cardholder data.
Looking for more information on PCI hosting requirements, recommendations, and the foundation of a secure PCI compliant data center?
Download our PCI Compliant Hosting white paper now for a complete guide to PCI hosting with IT vendors.