PCI DSS 3.0, which became effective on 1 January 2014 but will only be mandatory from 1 January 2015, heralds an important shift in how companies approach PCI DSS compliance, with its ‘business as usual’ theme.
The PCI SSC has stated that the changes in the DSS are designed to “help organisations take a proactive approach to protecting cardholder data that focuses on security, not compliance, and makes PCI DSS a business-as-usual practice”.
According to the Verizon 2014 PCI Compliance Report, whenever a major update to the Standard is released there is an initial dip in compliance, so organisations will have to put in additional effort to prepare for achieving compliance with DSS 3.0.
The report reveals that in 2013 only 11.1% of organisations fully complied with the requirements of the PCI DSS.
Furthermore, only approximately one in five organisations came close to complying and passed 95%+ of controls. Of these organisations, more than half failed Requirement 11, which states that organisations must regularly test security systems and processes (penetration testing).
A meagre 31.3% of European organisations complied with 80% of the controls for the PCI DSS, considerably worse than North America (56.2%) and the Asia-Pacific (75.0%) region.
The team at Verizon offer the following advice to companies that wish to increase their compliance efforts ahead of the looming January 2015 deadline.
1 Don’t underestimate the effort involved
The Verizon report warns that PCI compliance requires time, money and executive sponsorship. It needs to be part of everybody’s job — application developers, system administrators, executives, and even staff in shops and call centres — and not just left to the IT security team.
2 Make compliance sustainable
There are thousands of tasks that an organisation must complete throughout the year to stay compliant. To be sustainable, compliance needs to be embedded in ‘business as usual’ as an ongoing process.
3 Think of compliance in a wider context
The best thing you can do as an organisation to simplify your PCI compliance workload and achieve real security is to put your compliance program within your wider governance, risk and compliance strategy.
4 Leverage compliance as an opportunity
Done right, PCI security compliance can drive process improvements, identify opportunities to consolidate infrastructure and generate additional equity. Think of it as an opportunity, not a burden.
5 Focus on scoping
There is a lot of misunderstanding about how to keep systems out of scope, but there are clear best practices to follow. The first is to store less data on fewer systems. This not only makes achieving compliance easier, it can also save you money on storage and backup.
View the full PCI Compliance Report here.