For businesses that handle, store or process credit card data, PCI compliance is vital. Non-compliance can mean penalties as high as $10,000 per month, in addition to the higher risk of data breaches. However, many organizations lack the vision or commitment from business leaders to support data security and compliance. Further, budgetary constraints, talent shortages and misaligned priorities result in the compliance program taking a backseat. It is therefore not surprising to see a steady multi-year decline in PCI DSS compliance. According to Verizon's report, only 27.9% of organizations achieved full compliance in 2020 as against 41.2% in 2018 [1], an alarming number in the face of rising security threats.
In a payments landscape that has been rapidly transformed by digital innovation, compliance is key to data security. The new PCI DSS 4.0 standard places a razor-sharp focus on security as a continuous process, while adding stringent controls and new validation methods. It is therefore imperative that organizations create a well-designed data security and compliance program and start from a position of strength. To keep up with the ever-changing threat landscape, compliance programs must continue to evolve and move away from the check-box routine. While there are several considerations CISOs need to pay heed to, the best practices discussed below can help steer them through the compliance journey.
Best practices for PCI compliance
Focus on security as the main goal, not compliance
Organizations get excessively caught up in the compliance process and fail to establish the long-term processes and governance needed to maintain the security of cardholder information. Any company can attain PCI compliance by meeting the minimum security requirements set by the PCI Security Standards Council. What is essential, however, is to identify the risks associated with every data collection activity and deploy controls that mitigate those risks. Compliance should therefore not be the goal; it is a baseline. Risk mitigation and security should be the goal.
Invest in industry-specific employee training
The weakest link in any security strategy is often the human one. According to Verizon's 2022 Data Breach Investigations Report, 82% of all data breaches involved a human element [2]. Organizations must, therefore, invest in mandatory employee training to improve awareness of PCI compliance requirements. While the standard covers the entire payments industry, organizations must tailor the training to their specific niche and the scenarios their staff actually encounter, to make it relevant and useful.
Create data flow maps and deploy a data discovery solution
Given the exponential rise in data velocity, knowing exactly where account data is and where it is going are two fundamental requirements. Requirement 3 of PCI DSS 4.0 requires that storage of account data be kept to a minimum through data retention and disposal policies, procedures and processes, and that sensitive authentication data (SAD) is not retained after authorization, even if encrypted. Hence, organizations must map their data flows and regularly run data discovery scans across file shares, databases, logs and backups to find cardholder data that has leaked outside the intended flows. It is also important to keep the cardholder data environment segmented from standard company/operational networks, as this not only enhances protection but also reduces the scope of the PCI assessment. Deploying a data discovery and classification tool can help address this requirement while also allowing for remediation through masking, deletion or truncation of sensitive data.
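The discovery and remediation step above, as an added example that is not part of the original article and not SISA's tooling: a small Python pass that scans text (log lines, exports, config dumps) for 13-19 digit runs, keeps only those that pass the Luhn check so that timestamps and batch IDs are not flagged, and rewrites each line with the PAN masked (BIN plus last four) or truncated (last four only). The sample lines, the test card numbers and the helper names are constructed for this illustration.

```python
"""
Toy cardholder-data discovery and remediation pass (illustrative, not a
product). Finds Luhn-valid PAN-shaped digit runs in text, reports where
they are, and masks or truncates them in place.
"""
import re
from typing import List, NamedTuple

# 13-19 digits, optionally separated by single spaces or dashes, not
# embedded in a longer digit run. A candidate only becomes a finding
# after the Luhn check below.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every real PAN satisfies; weeds out timestamps,
    order IDs and other digit runs that merely look card-shaped."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class Finding(NamedTuple):
    line_no: int  # 1-based line number
    col: int      # 0-based column where the PAN starts
    pan: str      # digits only, separators removed


def find_pans(lines: List[str]) -> List[Finding]:
    """Discovery: return every Luhn-valid PAN-shaped run in the input."""
    found = []
    for n, line in enumerate(lines, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if luhn_valid(digits):
                found.append(Finding(n, m.start(), digits))
    return found


def mask_pan(pan: str) -> str:
    """Keep the BIN (first six) and last four, the most PCI DSS permits to
    be displayed (Requirement 3.4.1); the rest becomes '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def truncate_pan(pan: str) -> str:
    """Keep only the last four digits. Unlike masking this is irreversible
    and the remaining fragment is no longer PAN."""
    return pan[-4:]


def remediate_line(line: str, mode: str = "mask") -> str:
    """Rewrite one line, replacing each Luhn-valid PAN with its masked or
    truncated form. Digit runs that fail Luhn are left untouched."""
    transform = {"mask": mask_pan, "truncate": truncate_pan}[mode]

    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group())
        return transform(digits) if luhn_valid(digits) else m.group()

    return PAN_CANDIDATE.sub(_sub, line)


# Constructed sample input: the card numbers are the publicly known brand
# test numbers, not real cardholder data. Line 2 carries a 14-digit batch
# ID that fails Luhn and must not be reported.
SAMPLE_LINES = [
    "2022-03-01T10:15:02Z order=8812 pan=4111111111111111 amount=19.99",
    "2022-03-01T10:15:03Z batch_id=20220101123456 status=ok",
    "note: customer gave card 5555 5555 5555 4444 and amex 378282246310005",
]

if __name__ == "__main__":
    for f in find_pans(SAMPLE_LINES):
        print(f"line {f.line_no} col {f.col}: {mask_pan(f.pan)}")
    for line in SAMPLE_LINES:
        print(remediate_line(line, "mask"))
```

A regex plus Luhn is the core of most discovery tools, but it is only a first filter: it will miss PANs stored encoded or split across fields, and a long digit run can still hide a card number, so a real deployment also scans structured stores, memory and backups and reconciles findings against the data flow map. Masking is for display; for stored data, truncation or deletion is what actually takes the location out of scope.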
Define ownership and drive collaboration
Planning, coordinating and implementing the security activities pertaining to PCI compliance must be entrusted to a primary owner, typically the compliance officer, who should have adequate responsibility, budget and authority. Cross-departmental support and collaboration is also key, to ensure all teams involved in complying with PCI are fully aware of the requirements, security policies and operating protocols. It is good practice to set up a dedicated internal team, with representation from security, technology, payments/operations, finance and legal, to drive this initiative. Engaging external security firms or penetration testing vendors can also simplify the end-to-end compliance process.
Develop a program, policies and procedures, and document them
PCI compliance is a complex program that requires organizations to meet each of the 300+ security controls defined by the PCI Council. Implementing this across the organization can be challenging, which is why organizations need a program for overseeing it. Broadly, the program should cover people, processes and technologies, along with supporting policies and procedures, so that all parties involved (employees, contractors, vendors and so on) understand the objectives and adhere to the requirements. Equally important is to inventory the assets, tools and employees that have access to cardholder data and document how that access is used. This will help flag anomalies and prioritize vulnerabilities.
Perform mini-audits to enable continuous compliance
Rather than making PCI compliance an annual and reactive exercise, organizations must take a proactive approach by breaking it down into smaller modules. Performing mini-audits on a regular basis is one way of achieving this. It also lets organizations assess their security posture after any major structural change, such as a technology redesign or replacement, a cloud migration or the integration of new solutions. Mini-audits can be particularly beneficial for organizations with frequent product launches, as release cycles are not disrupted by the longer annual review. Each audit can focus on a different compliance area, making the whole process more manageable and more thorough.
PCI compliance can seem overwhelming and complex, but with the right mix of best practices and a carefully crafted plan, it is achievable. The PCI DSS 4.0 standard is expansive in scope, forward-looking in approach and sharper in focus. As a first step, organizations must analyze the robustness and resilience of their control systems as the transition picks up pace over the coming months, along with rigorous planning, budgetary allocation and operational change. As a Qualified Security Assessor (QSA), SISA offers a comprehensive suite of PCI Compliance and Risk Assessment services to help businesses stay ahead of the game. As a global PCI Forensic Investigator (PFI), SISA can provide expert security recommendations and guidance to ensure a seamless transition to PCI DSS 4.0. To understand how SISA can help you in your compliance journey, get in touch with us today.