According to the latest annual Payment Card Industry Compliance Report from Verizon, this message isn’t getting through. Only 21 percent of companies were compliant at the initial report stage this year, about the same as last year. Another finding from this year’s study was that about 10 percent fewer organizations appeared to be following a 2009 SSC report, the PCI DSS Prioritized Approach, which aimed to help organizations prioritize their PCI compliance efforts.
Taking such an approach can be especially valuable for organizations that are still developing compliance procedures or that have relatively few financial resources, according to some experts. Russo says the guidance can be an especially valuable resource: it can help companies that handle cardholder data know they’re “at least cutting the biggest risk first.”
One main initial step in becoming compliant is to conduct an inventory of where cardholder data is located throughout an organization, Jamieson says. The organization can then look at the PCI requirements and determine, for instance, how to handle particular data and whether to invest in particular types of security controls.
Many organizations do not consider compliance and security goals the same, notes the Verizon report. But the two areas often have similar goals, such as data protection. Companies can boost efficiencies by further integrating security and compliance teams either by combining them or by increasing communication and collaboration, the report states.