Experts Share Compliance Tactics
When it’s time for their annual audit, many organizations scramble to be in compliance with the Payment Card Industry (PCI) Data Security Standard (DSS), a broad set of guidelines on securing customer payment card data. The problem is that they don’t integrate PCI compliance into regular business functions.
These organizations “struggle because they leave [PCI DSS] compliance to a few months before” the assessment, says Jen Mack, director of PCI Consulting Services for Verizon. This sometimes results in organizations paying more to meet compliance requirements, she says; a new technological solution may need to be purchased relatively quickly, for instance. Mack suggests considering integrating compliance efforts into daily, weekly, or monthly company procedures.
Many organizations that have been successful with compliance have spent time mapping their compliance goals, she adds. “They create a roadmap for the next few years and consult it regularly.” This includes integrating short- and long-term strategies for protecting payment data as well as carefully documenting security processes and procedures.
The PCI standard represents a good guide for increasing overall information security, and it makes good business sense, say many experts. The standard is based, in fact, on a large number of security best practices, says Bob Russo, general manager of the Security Standards Council (SSC), which helps develop and manage the standard. It’s intended to help organizations achieve compliance, he says, “but more importantly [to strengthen] security.” If an organization becomes secure, “compliance comes along with it.”
If companies in the payment card industry are “just along for a [compliance] tick, they’re missing the whole point, and the value that PCI can bring,” says Andrew Jamieson, a Qualified Security Assessor for the security consulting firm Witham Laboratories. “If you’re going to be spending money to become compliant with these requirements, then you might as well get something out of it.”
According to the latest annual Payment Card Industry Compliance Report from Verizon, this message isn’t getting through. Only 21 percent of companies were compliant at the initial report stage this year, about the same as last year. Another finding from this year’s study was that about 10 percent fewer organizations appeared to be following a 2009 SSC report, the PCI DSS Prioritized Approach, which aimed to help organizations prioritize their PCI compliance efforts.
Taking such an approach can be especially valuable for organizations that are still developing compliance procedures or that have relatively few financial resources, according to some experts. Russo says the guidance can be an especially valuable resource: it can help companies that handle cardholder data know they’re “at least cutting the biggest risk first.”
One main initial step in becoming compliant is to conduct an inventory of where cardholder data is located throughout an organization, Jamieson says. The organization can then look at the PCI requirements and determine how to handle certain data and whether to invest in certain types of security, for instance.
Many organizations do not consider compliance and security goals the same, notes the Verizon report. But the two areas often have similar goals, such as data protection. Companies can boost efficiencies by further integrating security and compliance teams either by combining them or by increasing communication and collaboration, the report states.
Technological solutions can help with compliance, Mack says. PCI requires some organizations to conduct quarterly vulnerability scans, for example. But some solutions can allow organizations to conduct scans monthly, weekly, and even more frequently. Integration can involve conducting compliance efforts in “smaller batches throughout the year versus huge batches when it comes as a surprise to you.”
Even organizations already in compliance with the existing guidance cannot rest on their laurels. Starting January 1, organizations will need to follow a new second version of PCI DSS. Most of the changes are in areas such as documentation, says Mack.