When it’s time for their annual assessment, many organizations scramble to achieve compliance with the Payment Card Industry (PCI) Data Security Standard (DSS), a broad set of security requirements for protecting customer payment card data. The problem is that they don’t integrate PCI compliance into their regular business functions.
These organizations “struggle because they leave [PCI DSS] compliance to a few months before” the assessment, says Jen Mack, director of PCI Consulting Services for Verizon. This sometimes results in organizations paying more to meet compliance requirements, she says; for instance, a new technological solution may have to be purchased on short notice. Mack suggests integrating compliance efforts into daily, weekly, or monthly company procedures.
Many organizations that have been successful with compliance have spent time mapping their compliance goals, she adds. “They create a roadmap for the next few years and consult it regularly.” This includes integrating short- and long-term strategies for protecting payment data as well as carefully documenting security processes and procedures.
The PCI standard represents a good guide for increasing overall information security, and it makes good business sense, say many experts. The standard is based, in fact, on a large number of security best practices, says Bob Russo, general manager of the PCI Security Standards Council (PCI SSC), which develops and manages the standard. It’s intended to help organizations achieve compliance, he says, “but more importantly [to strengthen] security.” If an organization becomes secure, “compliance comes along with it.”
If companies in the payment card industry are “just along for a [compliance] tick, they’re missing the whole point, and the value that PCI can bring,” says Andrew Jamieson, a Qualified Security Assessor for the security consulting firm Witham Laboratories. “If you’re going to be spending money to become compliant with these requirements, then you might as well get something out of it.”