Fidelis Cybersecurity
Fidelis Blog


The 2016 Guide to Making Sense of PCI Compliance

Security teams are under pressure to ensure that a number of compliance standards are met in the digital age, but there’s no reason compliance can’t be a natural outcome of everyday network and data storage activity rather than something that has to be shoehorned into your operations. When you bake compliance in from the get-go, you save yourself money and headaches down the line. Let’s take the example of meeting PCI requirements, since organizations that struggle with PCI compliance are liable to face fines, costly forensic audits, and severe reputational damage should trouble rear its ugly head.

Drafted in 2004, the Payment Card Industry (PCI) data security standard (DSS) serves as the widely accepted cybersecurity compliance requirement for dealing with credit card data. Every organization or merchant, regardless of size or number of transactions, that accepts, transmits, or stores any cardholder data should maintain PCI compliance. This includes organizations using third-party processors.

Compliance naturally starts with a firm grasp of the requirements for the PCI DSS: building and maintaining a secure network, protecting cardholder data, maintaining a vulnerability-management program, implementing strong access controls, regularly monitoring and testing networks, and maintaining continuous security policies.

Drilling down, there are different PCI compliance levels, which are based on transaction volume. Smaller businesses complete a Self-Assessment Questionnaire (SAQ) and comply according to the instructions it contains or risk liability. Larger organizations managing greater volume are subject to scoping, assessment, and reporting requirements and may also have to complete and obtain evidence of a passing vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV).

The aforementioned steps are only a general overview of the work required to meet compliance. If done manually, it quickly becomes a grueling process. And while designed to shore up consumer data protection, the PCI DSS doesn’t address overall security posture—so even if you abide faithfully, it’s possible that your infrastructure is still penetrable. While you may reduce your risk of unpleasant and costly consequences stemming from credit-card transaction breaches, PCI compliance is only one element of operational cybersecurity, not a shatterproof solution.

The smartest bet for achieving and maintaining PCI compliance is to incorporate its requirements into your overall data security policy. Using a platform approach, compliance teams can assure PCI DSS preconditions are automated, enforced, and auditable (system integrity verification, access control management, system and audit logs that can be tracked and archived, etc.). Compliance is thus woven into standard operations and becomes a natural byproduct of your security strategy.

The point is that with PCI DSS, as with other data-specific security standards such as HIPAA, the aim is to make your network secure and protect everyone’s sensitive data, not simply obtain a seal of approval. And meeting that goal should be central to the way you run your business.
