PCI Compliance Series: Harnessing PCI Power for Business Success - Part 3 of 3
Over the past couple of weeks we have examined the value of PCI Security and the myths associated with compliance and data breaches. In this final part of my series, I want to examine the fundamentals of a PCI Security program and share recommendations which may help organizations harness the power PCI compliance can provide.
Simply put, companies that view PCI Security as an inconvenient cost linked to the handling of payment data are missing the larger business opportunity. In reality, this ongoing investment may be leveraged for the greater good of the business and, done right, compliance can help drive process improvements, identify opportunities to consolidate infrastructure, as well as generate new revenue.
Each year we see organizations make the same mistakes with their compliance initiatives. This is avoidable and our experience shows that the following five recommendations can help them to achieve better results.
- Do not underestimate the effort involved in compliance – it is harder than it may seem
Organizations may transmit, process, and store cardholder data across hundreds of systems - PCs, mobile devices, web servers, databases, and point-of-sale terminals - over private and public networks, touched not only by customers but by hundreds or thousands of staff. With this in mind, remember that PCI DSS compliance requires a well-managed program, usually comprising many projects, which will need a lot of coordination but should not be allowed to drag on for longer than necessary. Make sure these projects are managed centrally to ensure control and overall compliance success, avoid costly mistakes, and maximize return on investment (ROI).
- Make compliance sustainable – there is no such thing as a quick fix
Our experience suggests that many companies still treat compliance as a one-off scramble at the end of each year, owned predominantly by the security team. Our findings from the past five years of PCI DSS assessments show that companies that take this approach not only struggle to become compliant in the first place, but also find it hard to maintain their compliance status year after year.
- Think of compliance in a wider context of security – PCI is not the only tool you will need
Just as PCI compliance is best managed by integrating it into wider organizational processes, it’s also most effective when integrated into a wider security program, drawing on other tools, approaches and best practices to simplify compliance and complement its security controls. The best thing you can do to simplify your PCI compliance workload is to put your PCI compliance program within your organization’s larger governance, risk, and compliance (GRC) strategy. It’s essential to ensure that your PCI compliance efforts support a broader control environment, and that all activities in the compliance program are properly specified and governed in line with your unique operational environment and risk profile.
- Leverage compliance as an opportunity – ask what compliance can do for your business
PCI compliance should be seen as an ongoing investment to be leveraged for the benefit of the business. It forces organizations to take a long, hard look at their systems and processes, and this new understanding – vital for compliance – can also help identify areas for improvement such as system consolidation, system and job role rationalization, process streamlining, or even overall system performance.
- Focus on scoping – set clear definitions for the systems, processes and people that store, process, or access cardholder data
There are three good reasons to reduce the scope of the environment to be validated:
- Reducing risk: By minimizing the spread of cardholder data across your organization you limit the risk of data leaking or being stolen, and you reduce the scale of any breach that does happen. Creating “compartments” between the various networks within an organization helps categorize and securely contain business data, and reduces the likelihood that a breach can spread throughout the organization’s IT infrastructure.
- Reducing workload: From a practical perspective, effective scoping can help you to significantly cut your compliance workload. Any system that is validated as “out of scope” doesn’t need to be assessed (it is regarded as outside of the cardholder data environment, so none of the requirements of PCI DSS apply to it). This is crucial, because complying with all of the requirements of the PCI DSS across an entire business, even a small one with a relatively simple infrastructure, can be a challenging task; the workload would be too great for many organizations to sustain.
- Controlling operating costs: Scoping forces you to take a long, hard look at your infrastructure. While you’re making changes to reduce scope, you may find that you can consolidate systems and restructure environments, potentially saving money on hardware, software licenses, and management along the way.
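The scoping argument above rests on one concrete check: a system can only be treated as “out of scope” if no network path connects it to the cardholder data environment (CDE), and every path that does cross the CDE boundary is documented and deliberately permitted. The script below is an added example, not code from the original post or from Verizon; it takes a constructed flow log and an assumed list of CDE hosts, classifies every other host as either connected to the CDE (so it stays in scope) or out of scope, and then flags boundary-crossing flows that are missing from an assumed firewall allowlist. All addresses, ports and the allowlist are invented for the example.

```python
"""Minimal PCI scoping check over a flow log (added example, constructed data)."""
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport")

# Assumption: these hosts store, process or transmit cardholder data (the CDE).
CDE_HOSTS = {"10.10.1.10", "10.10.1.11"}  # payment gateway, card database

# Constructed flow records: (source, destination, destination port).
FLOWS = [
    Flow("10.10.1.10", "10.10.1.11", 5432),  # gateway -> card DB (inside CDE)
    Flow("10.20.5.4", "10.10.1.10", 443),    # store POS client -> gateway
    Flow("10.30.7.20", "10.10.1.11", 22),    # admin jump host -> card DB
    Flow("10.40.2.2", "10.40.2.3", 445),     # HR file share, never touches CDE
    Flow("10.40.2.3", "10.40.9.9", 80),      # HR workstation -> intranet wiki
]

# Assumption: the only documented, firewall-permitted path into the CDE.
ALLOWED_CDE_PATHS = {("10.20.5.4", "10.10.1.10", 443)}


def crosses_boundary(flow, cde_hosts):
    """True when exactly one endpoint of the flow is inside the CDE."""
    return (flow.src in cde_hosts) != (flow.dst in cde_hosts)


def classify_hosts(flows, cde_hosts):
    """Split every host seen in the flows into CDE, connected-to, or out of scope.

    A host that exchanges any traffic with a CDE host is 'connected-to' and
    remains in scope; a host with no flows across the boundary is the only
    kind that can be validated as out of scope.
    """
    seen, connected = set(), set()
    for f in flows:
        seen.update((f.src, f.dst))
        if crosses_boundary(f, cde_hosts):
            connected.add(f.dst if f.src in cde_hosts else f.src)
    return {
        "cde": set(cde_hosts),
        "connected_to": connected,
        "out_of_scope": seen - cde_hosts - connected,
    }


def segmentation_violations(flows, cde_hosts, allowed):
    """Return boundary-crossing flows that are not on the documented allowlist.

    Each hit is an undocumented path into or out of the CDE: either the
    firewall rules are wider than the scoping document claims, or the other
    endpoint belongs in scope and has not been assessed.
    """
    return [
        f for f in flows
        if crosses_boundary(f, cde_hosts)
        and (f.src, f.dst, f.dport) not in allowed
    ]


if __name__ == "__main__":
    scope = classify_hosts(FLOWS, CDE_HOSTS)
    for label, hosts in scope.items():
        print(f"{label:13s} {sorted(hosts)}")
    for v in segmentation_violations(FLOWS, CDE_HOSTS, ALLOWED_CDE_PATHS):
        print(f"undocumented CDE path: {v.src} -> {v.dst}:{v.dport}")
```

In practice the flow list would come from firewall or NetFlow exports rather than a hard-coded table, and the allowlist from the ruleset the assessor has been shown; the point of the check is that the jump host's SSH session to the card database (flow three) pulls that host into scope whether or not anyone remembered to document it.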
Compliance maintenance must be an ongoing, long-term, sustainable program that’s fully integrated into the day-to-day activities of the organization — “business as usual.” In our experience, organizations that make this commitment, and that keep supporting and sustaining the people, processes and technology on which data protection and PCI compliance depend, are noticeably better at achieving and maintaining compliance.
So, to sum up: what does the PCI future bring?
2014 is likely to be an interesting and exciting year for PCI compliance. The new version of the standard, PCI DSS 3.0, will have a significant impact on the state of compliance, and is expected to fuel industry debate in many areas, including scoping, risk management and reporting. In addition, we predict broader adoption of Point-to-Point Encryption (P2PE) over time; for merchants at least, this could be the most important opportunity in years to simplify their PCI compliance burden.
But whatever the future holds, Verizon will continue to engage with the PCI Security community to help improve and shape the program, and help our customers harness the power of PCI compliance in support of their business goals.
In the world of information security, knowledge is power. Verizon is a highly respected security provider with a depth of insight into PCI compliance. Learn more about how we help companies manage risk and maintain brand reputations here.