Businesses that process electronic payments are unambiguously subject to the Payment Card Industry Data Security Standard (PCI DSS) and its 12 core requirements. Most of these are basic IT security measures that every organization should already have in place, but in truth, many still struggle to achieve and sustain compliance.
Whether PCI DSS represents the minimal floor or the aspirational ceiling for protecting cardholder data can be answered only from your organization's perspective. Few would seriously advocate a checkbox approach to compliance. But in the absence of more mature security programs, checking the boxes is better than doing nothing at all. The age-old problem remains that knowing the right things to do, and then doing them, is not always easy or convenient.
Organizations that succeed at PCI compliance tend to adhere to the following best practices:
Our research at Aberdeen Group shows that only 49 percent of the lagging organizations currently map the flow of cardholder data and segment their networks where possible to isolate systems that store, process or transmit cardholder data from those that do not.
This critical step of PCI initiatives can significantly reduce the scope of compliance requirements.
Whether PCI DSS is used to guide the implementation of new or enhanced controls, or existing controls are mapped to the corresponding PCI DSS requirements, organizations should identify the gaps that need to be addressed to successfully report PCI compliance. These activities can be conducted with in-house resources if available or with a wide range of qualified external consultants and services.
Aberdeen found that just over half of the lagging organizations had given an executive or team clear ownership and responsibility for leading the PCI compliance effort. Experience tells us all that critical projects with clear accountability for results tend to succeed more often than those where ownership is diffused across multiple parties.
They may say "it takes a village," but the research shows that having everybody in charge usually translates to having nobody in charge.
The corollary to clear ownership of critical projects is to fund them for success. Based on year-over-year comparisons, Aberdeen's research has shown that organizations are improving in their ability to estimate both the time and the cost to achieve PCI compliance, although they still underestimate the cost to sustain compliance by about 20 percent.
Unfunded mandates tend to struggle and quickly lose momentum, which perversely can make adequate funding even more difficult to achieve.
75%: percentage of security breaches involving the compromise of point-of-sale devices (source: "2011 Data Breach Investigations Report," Verizon Business, April 2011).
While all organizations that store, process or transmit cardholder information are compelled to achieve and sustain compliance with PCI DSS, these tasks are generally considered unrewarded risks in the sense that they do not lead to tangible business value. Worse, these activities can distract from investing in and managing the type of rewarded risks that really do matter: those that create value for citizens and advance the organization's mission.
Aberdeen's research has shown that once the processes for security or compliance are accepted as tasks that must be done, the top performers seek to optimize them for efficiency, allocate resources to minimize their ongoing operational cost and maximize the remaining investments to align with their mission.
In the case of addressing the requirements of PCI DSS, our studies show that the top performers achieve and sustain compliance at a 50 percent lower cost than all others, and that they dedicate sufficient resources for sustainable programs and continuous improvement. For more on the research, go to www.aberdeen.com.