Tactical Advice

5 Steps to Achieving PCI DSS Compliance

Take these steps to better protect cardholder data.

Businesses that process electronic payments are unambiguously subject to the Payment Card Industry Data Security Standard (PCI DSS) and its 12 core requirements. Most of these are basic IT security measures that every organization should already have in place, but in practice many still struggle to achieve and sustain compliance.

Whether PCI DSS represents the minimal floor or the aspirational ceiling for protecting cardholder data can be answered only from your organization's perspective. Few would seriously advocate a checkbox approach to compliance. But in the absence of more mature security programs, checking the boxes is better than doing nothing at all. The age-old problem remains that knowing the right things to do, and then doing them, is not always easy or convenient.

Organizations that succeed at PCI compliance tend to adhere to the following best practices:

1. Reduce the Scope

Our research at Aberdeen Group shows that only 49 percent of the lagging organizations currently map the flow of cardholder data and segment their networks where possible to isolate systems that store, process or transmit cardholder data from those that do not.

This step is critical because scope is not limited to the systems that handle cardholder data: any system that can connect to the cardholder data environment is also in scope unless it is properly segmented off. Mapping the data flow and then isolating the cardholder data environment can therefore significantly reduce the number of systems that must meet the requirements.
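The following is an added example, not code from the article or from Aberdeen Group. It shows what the scoping exercise in step 1 looks like once the data-flow map and the segment-level firewall policy are written down: a constructed inventory of hosts, two constructed policies (a flat network and the same estate after segmentation), and a function that classifies every host as in the cardholder data environment, connected to it, or out of scope. The scoping rule applied is a deliberate simplification of PCI DSS guidance (a host is in scope if it handles cardholder data, shares a segment with one that does, or sits in a segment that is permitted to reach a cardholder-data segment); all host names, segment names and rules are assumptions made for illustration.

```python
"""Derive PCI DSS scope from a host inventory and a segment-level policy.

Added example (not the article's own code).  Hosts, segments and rules are
constructed.  Scoping rule used here: a host is in scope if it handles
cardholder data (CHD), shares a segment with one that does, or sits in a
segment the policy allows to reach a CHD segment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Host:
    name: str
    segment: str
    handles_chd: bool  # stores, processes or transmits cardholder data


# Constructed inventory, as it might come out of a data-flow mapping exercise.
INVENTORY = [
    Host("pos-01", "cde", True),
    Host("pos-02", "cde", True),
    Host("payment-gw", "cde", True),
    Host("card-db", "cde", True),
    Host("print-srv", "cde", False),   # parked in the CDE VLAN "for convenience"
    Host("jump-host", "mgmt", False),  # admins use it to reach the CDE
    Host("web-store", "dmz", False),   # hands the PAN straight to payment-gw
    Host("hr-app", "corp", False),
    Host("wifi-guest", "guest", False),
]

# Constructed segment-to-segment policy.  Each pair means traffic is permitted
# in at least one direction, which is all that matters for scoping.
FLAT_POLICY = {
    frozenset({"corp", "cde"}), frozenset({"corp", "mgmt"}),
    frozenset({"corp", "dmz"}), frozenset({"mgmt", "cde"}),
    frozenset({"dmz", "cde"}), frozenset({"guest", "corp"}),
}
# Same estate after segmentation: corp can no longer reach the CDE directly.
SEGMENTED_POLICY = {
    frozenset({"mgmt", "cde"}), frozenset({"dmz", "cde"}),
    frozenset({"corp", "mgmt"}), frozenset({"guest", "corp"}),
}


def cde_segments(inventory):
    """Segments containing at least one host that handles cardholder data."""
    return {h.segment for h in inventory if h.handles_chd}


def connected_segments(cde, policy):
    """Segments the policy allows to talk to a CDE segment, excluding the CDE itself."""
    touching = set()
    for pair in policy:
        if pair & cde:
            touching |= pair
    return touching - cde


def scope(inventory, policy):
    """Map each host name to 'cde', 'connected-to' or 'out of scope'."""
    cde = cde_segments(inventory)
    connected = connected_segments(cde, policy)
    result = {}
    for h in inventory:
        if h.segment in cde:
            result[h.name] = "cde"  # handles CHD, or shares a segment with a host that does
        elif h.segment in connected:
            result[h.name] = "connected-to"
        else:
            result[h.name] = "out of scope"
    return result


def in_scope_count(inventory, policy):
    """Number of hosts that must meet the PCI DSS requirements under this policy."""
    return sum(1 for v in scope(inventory, policy).values() if v != "out of scope")


def colocated_non_chd(inventory):
    """Hosts in scope only because they share a segment with CHD systems.

    Moving these out of the CDE segment is usually the cheapest scope reduction.
    """
    cde = cde_segments(inventory)
    return [h.name for h in inventory if h.segment in cde and not h.handles_chd]


if __name__ == "__main__":
    for label, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{label}: {in_scope_count(INVENTORY, policy)}/{len(INVENTORY)} hosts in scope")
        for name, status in scope(INVENTORY, policy).items():
            print(f"  {name:12} {status}")
    print("co-located non-CHD hosts:", colocated_non_chd(INVENTORY))
```

On the flat network every host except the guest Wi-Fi is in scope; after segmentation the corporate hosts drop out, while the jump host and the web store stay in because they have a genuine path into the cardholder data environment. The co-located print server is the kind of finding the mapping exercise exists to surface: it is in scope for no business reason and is trivially moved. Real scoping must also take into account systems that affect the security of the cardholder data environment (directory services, patching, logging) even when no data flows through them, which this simplified rule does not model.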

2. Map and Adapt

Whether PCI DSS is used to guide the implementation of new or enhanced controls, or existing controls are mapped to the corresponding PCI DSS requirements, organizations should identify the gaps that need to be addressed to successfully report PCI compliance. These activities can be conducted with in-house resources if available or with a wide range of qualified external consultants and services.

3. Assign Clear Ownership

Aberdeen found that just over half of the lagging organizations had given an executive or team clear ownership and responsibility for leading the PCI compliance effort. Experience tells us that critical projects with clear accountability for results tend to succeed more often than those where ownership is diffused across multiple parties.

They may say "it takes a village," but the research shows that having everybody in charge usually translates to having nobody in charge.

4. Commit Adequate Resources

The corollary to clear ownership of critical projects is to fund them for success. Based on year-over-year comparisons, Aberdeen's research has shown that organizations are improving in their ability to estimate both the time and the cost to achieve PCI compliance, although they still underestimate the cost to sustain compliance by about 20 percent.

Unfunded mandates tend to struggle and quickly lose momentum, which perversely can make adequate funding even more difficult to achieve.

5. If You Have to Do It, Do It Well

75%: Percentage of security breaches involving the compromise of point-of-sale devices

SOURCE: "2011 Data Breach Investigations Report" (Verizon Business, April 2011)

While all organizations that store, process or transmit cardholder information are compelled to achieve and sustain compliance with PCI DSS, these tasks are generally considered unrewarded risks in the sense that they do not lead to tangible business value. Worse, these activities can distract from investing in and managing the type of rewarded risks that really do matter: those that create value for citizens and advance the organization's mission.

Aberdeen's research has shown that once the processes for security or compliance are accepted as tasks that must be done, the top performers seek to optimize them for efficiency, allocate resources to minimize their ongoing operational cost and maximize the remaining investments to align with their mission.

In the case of addressing the requirements of PCI DSS, our studies show that the top performers achieve and sustain compliance at a 50 percent lower cost than all others, and that they dedicate sufficient resources for sustainable programs and continuous improvement. For more on the research, go to www.aberdeen.com.


About the Author

Derek Brink

Derek Brink is vice president and research fellow covering IT security and governance, risk, and compliance at Aberdeen Group. He is also an adjunct professor at Brandeis University.
