PCI compliance has been a requirement for merchants for many years now; all previously mandated completion dates have passed, and acquiring banks have taken on the mantle of ensuring that their customers meet compliance. However, there are still businesses which are not compliant, and even some which have not yet considered the steps involved.
The reasons businesses remain non-compliant, or have yet to address it, come down to the view that compliance is either too difficult to undertake, not applicable to them, or without any tangible benefit.
PCI compliance is certainly comprehensive, and for some businesses it may seem unachievable; in some cases that may well be true. With 12 requirement areas and numerous controls, it can be a daunting task to know where to start and what may apply. It is important not to forget that PCI is just good, basic security and, like any other security project, may require an architecture redesign in order to mitigate the risks.
What many people really seem to mean when they say PCI is difficult is that it is not cheap and does require careful consideration. For IT security professionals who have known that they have gaps in their security posture, the best course of action is to ensure their PCI project has its own budget. That way they can effectively manage the expectations of, for example, the Finance Department when it comes to incurring any costs.
PCI compliance is applicable to all merchants without exception. There are definitely some areas or controls that are not applicable to particular merchants, and if in doubt the PCI Security Standards Council recommends that a merchant seeks advice from either their acquiring bank or a Qualified Security Assessor (QSA).
No Tangible Benefits
You could argue that if merchants handling credit card data had made best-practice efforts to secure that data in the first place then credit card theft and fraud might therefore be negligible. The Data Security Standard (DSS) provides businesses with a sensible security framework that can be adapted and expanded to provide a better security posture for the whole of that business, which can only be a positive benefit in the long term.
Non-compliance is no longer the easy option
Breaches do still occur even though they are not overly advertised, and there have been some high-profile examples such as TJX, Hannaford Brothers and Global Payments. In the case of Global Payments, they were quick to contain the breach and make the necessary assurances to their partners and customers. If anything, this is proof that it is easier and more commercially beneficial for businesses to be PCI compliant, especially as the DSS can enable businesses to effectively contain and manage threats and vulnerabilities.
How to achieve PCI compliance
There are additional benefits for businesses achieving PCI compliance beyond the protection of cardholder data: the framework ensures that basic security standards are met, and some of these apply to the business as a whole.
The framework outlines those steps required to achieve compliance as follows:
- Assess your current environment and decide if you need to make business or technology changes to achieve compliance
- Perform a gap analysis against the Self-Assessment Questionnaire (SAQ) that applies to your business
- Analyse the gaps and discuss the remediation steps with the business
- Run through the remediation plan in a prioritised approach
- Perform any of the scheduled scans applicable to how you process, transmit or store card data
- Complete your compliant SAQ or have a Report on Compliance performed by a QSA
- Maintain your compliance
How we can help you
SecureData can assist with any of the seven steps detailed above to help your business achieve PCI compliance. For further details please see Risk Management within Solutions.