Verizon's PCI Security practice recommends five key approaches to help organizations achieve and maintain PCI compliance and perhaps even derive ROI from compliance efforts:
- Don't underestimate the effort involved in staying PCI compliant.
- Make PCI compliance sustainable.
- Think of PCI compliance in a wider context.
- Leverage compliance as an opportunity.
- Focus on scoping.
1. Don't Underestimate the Effort Involved in Staying PCI Compliant
Staying compliant with PCI DSS is challenging. The CHD that you transmit, process and store may flow across hundreds of systems, via private and public networks, touched by customers and potentially hundreds or thousands of staff. There are 289 controls that must be implemented correctly as part of DSS 2.0 — even more in DSS 3.0 — and even some of the individual subcontrols can be difficult to implement properly.
"A majority of organizations accepting payment cards still fail to maintain PCI security compliance," says Simonetti. "Only 11 percent of companies are PCI compliant during their first check. A lot of companies fail to maintain compliance totally."
Whether they're large enterprises with a complex cardholder data environment (CDE) or small or mid-sized organizations with relatively simple CDEs, Simonetti says the overwhelming majority of organizations that initiate a PCI program for the first time fail to fully appreciate the impact it will have in terms of scope, resources and time required.
First and foremost, coordination is essential. Simonetti says that it's fairly common for a mid-sized organization to have at least 20 to 30 PCI projects within the initial remediation phase of its overall program. Large organizations often have many more. To avoid costly mistakes and maximize ROI, each of those projects must be managed and centrally coordinated to ensure overall compliance success.
You need to develop the required configurations and policies, implement the required technologies and infrastructure and, most important, recognize the degree of process and cultural change involved in such remediation.
It is also imperative to understand the size of the task at hand. Many companies start down the road to PCI compliance only to discover weeks or even months later that they underestimated the amount of work required.
Simonetti suggests conducting a business impact analysis to understand the impact a PCI compliance program will have on your business and the amount of effort required to achieve compliance. As an added bonus, this information can be invaluable in securing board-level sponsorship for compliance projects and securing budget for them.
2. Make PCI Compliance Sustainable
Simonetti says many companies treat PCI compliance as a goal that can be attained and then checked off — a one-off annual scramble owned by the security team. Companies that treat their PCI compliance programs this way often lapse in compliance within days or weeks of their latest assessment, Simonetti says. After all, all it takes is one new uncontrolled Wi-Fi access point, unprotected admin account or unencrypted drive.