Organizations are required to maintain compliance with an expanding number of data protection regulations. New laws like the GDPR and CCPA are designed to provide broad privacy protections to consumer data. However, these regulations are limited in their scope and the constituency that they protect.
Other regulations are designed to provide global protection for certain types of highly sensitive data. The Payment Card Industry Data Security Standard (PCI DSS) is an example of this, requiring merchants to protect customer payment card information. Any organization processing this type of data is required to maintain PCI DSS compliance or face stiff penalties.
However, the reality of the compliance landscape is very different. Many organizations do not maintain PCI DSS compliance year-round, and, even for those who do, a compliance-focused security plan doesn’t mean that an organization is fully protected against attack. Protecting the organization against cyber threats requires a focus on security over compliance.
Introduction to PCI DSS
PCI DSS is an international standard designed to protect consumers’ payment card data. In order to process payment card transactions, merchants need to achieve, maintain, and demonstrate compliance with the PCI DSS regulation.
The PCI DSS regulation consists of five different goals that are further broken into 12 different requirements. The complexity and clarity of these requirements vary greatly. Some, like Requirements 2 (“Do not use vendor-supplied defaults for system passwords and other security parameters”) and 5 (“Use and regularly update anti-virus software or programs”), are extremely straightforward and can be easily mapped to actions that the organization can take to be compliant.
Others, like Requirement 6 (“Develop and maintain secure systems and applications”), are vaguer.
The PCI Council provides more detail about each requirement, including a collection of sub-requirements for each of the major 12. For simpler requirements like 2 and 5, these sub-requirements may be needed just to ensure that an organization’s solution “checks all the boxes”. However, for more vague requirements like 6, an organization may need to dive into the mess of sub-requirements to determine the security controls that need to be implemented and to map them to their unique environment.
The Challenges of PCI DSS Compliance
In theory, all merchants maintain full PCI DSS compliance all the time. This is a necessary requirement to process payments from any of the major vendors, and organizations need to demonstrate their compliance regularly.
In reality, only a third of organizations globally are compliant with the PCI DSS requirements at mid-year audits, which are “dry run” practices to help companies prepare for the real thing. The level of compliance varies greatly by region: 70% of organizations in APAC are fully compliant, while only 20% of organizations in the Americas have fully implemented the security controls necessary for PCI DSS compliance.
For many of these organizations, the cause of their non-compliance is a lack of understanding of the regulation and a focus on compliance for compliance’s sake. Putting security policies in place on paper to pass an audit does little to protect the organization against attack.
Compliance Isn’t Enough
For many organizations, passing PCI DSS compliance audits is the primary goal of their cybersecurity strategy. These audits typically happen on a yearly basis, and only 18% of companies test their compliance with the requirements of PCI DSS more frequently than the regulations require. Between official compliance audits, organizations frequently fall out of compliance, leaving customer payment card data vulnerable to disclosure.
Organizations that take a fully compliance-focused approach to security are much more vulnerable to attack. A PCI DSS compliance program that “looks good on paper” but lacks the appropriate security controls to properly protect payment card data has a 95% chance of being impossible to sustain.
Failing to take the long view of security can make an organization more vulnerable to attack. The PCI DSS requirements represent the minimum level of security protections that an organization can put in place and still be considered to be adequately protecting payment card data. Full compliance with the PCI DSS does not make an organization invulnerable to attack, and organizations that struggle to look compliant at audit time and then drop out of compliance between audits are easy targets for cybercriminals.
Valuing Security over Compliance
Many organizations struggle with PCI DSS compliance, and the PCI standard is only one of many data protection regulations that organizations must now comply with. Taking a compliance-focused approach to cybersecurity means that organizations will spend a lot of time finding ways to meet each requirement of each regulation, and the result of their efforts may do little or nothing to protect them against the cyber threats that these regulations are designed to combat.
In most cases, a well-designed cybersecurity program will be compliant by default. Many organizations take a piecemeal approach to compliance by deploying specific security solutions to meet each requirement of each regulation. By taking a more integrated and intentional approach to security, an organization can deploy a security architecture that makes it much easier to maintain regulatory compliance and can actually protect the organization against attack.
For example, protecting payment card information against unauthorized access is the goal of the PCI DSS. Deploying strong access management and data security solutions can dramatically improve an organization’s visibility into their sensitive data and their ability to protect it. From there, it is easy to implement and integrate solutions to meet the remaining requirements of PCI DSS, making year-round compliance easier.