Removing Roadblocks to PCI Compliance
Many businesses look at payment card industry (PCI) compliance as an annual issue necessary to avoid fines. Transitioning to an outlook of risk mitigation encompasses more payment card security issues and can result in cost savings, better business data protection, and an improved reputation.
Companies find it hard to stay PCI compliant when they treat compliance as an annual event rather than a living process. Complying with the Payment Card Industry Data Security Standard (PCI DSS) then becomes a recurring scramble, because the controls put in place for the assessment are allowed to lapse as soon as it is over and have to be rebuilt the following year.
Verizon issued a report that analyzed the compliance assessments of more than 500 large organizations conducted in 2011, 2012, and 2013. These companies spanned five sectors: financial services, hospitality, retail, travel, and others.
The report revealed that only 11.1 percent of the organizations sustained compliance from one assessment to the next. Once the controls had been met for the purposes of a successful assessment, the companies let their security measures slip. At the time of assessment, about 82 percent complied with roughly eight of every ten requirements, and they typically needed about three months of remediation to bring the remaining requirements into compliance.
A change in outlook, from an annual task to a living risk management strategy, could solve this problem. Integrating the techniques and processes used during the assessment and remediation phases into day-to-day business procedures would remove the need to address the same security shortfalls every year.
Most of the recurring compliance issues concern data security and the protection of personal information. Security monitoring and testing, protection of stored and transmitted cardholder data, and incident response to hacks and other data breaches top the list of repeat findings.
For businesses operating in New York or doing business with customers in the state, the need to improve PCI compliance and to move to continuous protection has grown since the passage of its SHIELD Act. This law increases the security and breach-reporting requirements for businesses holding data on NY residents and raises the fines they can incur if they fail to comply.
The technology and software needed to protect cardholder data already exist. However, most companies have not deployed the best available protections. The Target breach, which exposed the credit and debit card data of more than 40 million individuals, provides anecdotal evidence of this.
Most companies review and update their controls only once a year, but new threats and delivery mechanisms appear continuously, so customer data goes unprotected in the meantime. The standard is demanding and the technology exists, yet companies do not apply it consistently throughout the year. Although larger merchants must conduct quarterly vulnerability scans, many fail those scans and miss the quarterly opportunity to patch and strengthen their defenses. That leaves them rushing at the end of the fourth quarter to bring everything into compliance for the annual assessment.
Contact V & C Solutions to learn how we can help you transition to a living compliance implementation. Leverage our managed IT services to lessen your employees’ specialized workload and bring your company into compliance year-round.