Merchants Should Develop Clear Path to PCI Compliance
While the Payment Card Industry Data Security Standard (PCI DSS) lays out clear industry standards for merchants to follow regarding how they protect sensitive customer data, the path an organization takes to security and compliance should be based on each company’s needs.
Most merchants are familiar with the 12 requirements of PCI DSS and many assume that merely meeting the compliance requirements means that they are also secure. But, as we’ve seen with the Target and Home Depot breaches, compliance does not always equal security.
PCI DSS is continually updated to improve its effectiveness based on research. In the new version 3.2, for example, system administrators who access cardholder data will now be required to use multi-factor authentication after several industry reports confirmed breaches have occurred as a result of weak or stolen passwords.
But one of the reasons we still see breaches is that PCI DSS simply does not cover every possible attack vector and many merchants don’t have a mature data security program.
Many merchants focus their energy on meeting these regulations and on preventative measures alone. They forget they need to allocate some resources to identifying and investigating security events thoroughly. Some merchants have the proper controls in place, but do not react to alerts or have a plan to remediate them when they occur.
Sword & Shield believes that “drive-by” assessments, or assessments done solely to pass the requirements without further thought to overall security, are ineffective in preventing data breaches.
PCI DSS is considered a baseline security standard that is designed to provide guidance to merchants and service providers that process, store or transmit cardholder data. Most companies only enforce the standard 3 months out of the year when they are going through their annual PCI DSS assessment. Most don’t realize that the assessment is a snapshot in time and it is up to companies to maintain their compliance throughout the rest of the year.
After an initial assessment, merchants should work with their Qualified Security Assessor (QSA) year-round to build on their security posture.
Some tasks include:
- Designate an individual or group to monitor PCI DSS compliance year-round and give them the power to influence policy development
- Conduct a data security process regularly and work with your QSA to develop your PCI DSS scope
- Provide security awareness training to managers, staff and other stakeholders and tailor that training to meet your company’s individual needs
- Follow the PCI Security Standards Council’s best practices
Sword & Shield will present information this month about the changes in the new PCI DSS 3.2 and how it will affect merchants and service providers.
For more information on how to become both secure and compliant, please request a free consultation.