What is PCI compliance?
The Payment Card Industry Data Security Standard (PCI DSS) applies to all businesses, organizations and merchants that accept, transmit or store credit card information. It applies regardless of how few credit card transactions are processed. The standard has been in place since 2006 and is designed to ensure that all companies process, store and transmit credit card information securely. Failure to meet PCI standards can result in fines and increased transaction fees, not to mention leaving the company vulnerable to a data breach. The responsibility to meet PCI standards falls on the company, making it essential for any organization that handles credit card data to build a strong PCI-compliant culture.
Of course you want to keep customer credit card information secure, and as security professionals, you have the skills to do it. But that doesn’t make PCI compliance easy; there are some roadblocks:
- No management buy-in – If the CEO doesn’t care about or understand PCI compliance, it’s going to be extremely difficult to build a PCI compliant culture that all employees take seriously.
- No obvious ROI – If it doesn’t pay, why would management put any real investment into it?
- Resources – Putting it in place takes dedicated time and resources.
- Change – PCI compliance may require change, and change is hard for many.
If done correctly, your PCI culture will offer a return on investment. Talk to management in terms they’ll understand and get their buy-in. If the high-profile data breaches making the news daily don’t convince them, come prepared to show that maintaining PCI compliance will positively affect their bottom line. With C-suite support, you can get the rest of the organization on board with making changes toward a more secure culture, and you improve your chances of getting dedicated time and a budget.
How to improve PCI culture
PCI compliance is not easy to achieve, and once achieved, it needs to be maintained consistently. In the past five years, not a single company that suffered a data breach was PCI compliant. They may have been PCI compliant at one point, but practices slipped and compliance faded. PCI compliance is an ongoing process.
A few things you need to keep in mind while striving for and achieving PCI compliance:
- It takes a lot of effort to get there and maintain it.
- Your processes need to be sustainable.
- Think of PCI in a wide context.
- Use compliance as an opportunity.
- Keep your focus on the scope; data you don’t store doesn’t need the same level of protection as data you do.
PCI compliance is not a goal to be marked as done once established. Putting it in place will be a difficult process, and none of that work will matter if you don’t maintain it. Your PCI compliance should be built into your existing security programs and processes; it cannot effectively stand alone. Reaching and maintaining PCI compliance is an opportunity for your organization to increase security and prevent data breaches that could be very costly and destroy its reputation; it’s an investment.
PCI compliance is not a goal; it’s a process that needs to be kept up by everyone within your organization who handles credit card information. Although it may require significant changes to how credit card information is handled, getting buy-in from management and helping others understand why the changes need to be made and maintained will help you shift to a compliant culture.