The key finding from the 2011 Verizon Payment Card Industry Compliance report was organizations that meet compliance quickly fall out of compliance. Our company does as well, but in our defense, it seems virtually impossible to remain PCI compliant at all times without making it the chief focus of the entire company, which isn’t practical. Is it theoretically impossible to remain PCI compliant continuously?
The finding from Verizon’s PCI report that illustrates their instantaneous failure to remain PCI compliant is quite telling, as many companies struggle immensely with the notion of maintaining PCI compliance. To be fair, there are so many policies, procedures and processes that have to be continually changed, updated and assessed in order to truly maintain PCI compliance.
Even amid that reality, companies should strive to commit their best efforts to achieving ongoing compliance with all aspects of the 12 core requirements within the Payment Card Industry Data Security Standards (PCI DSS) initiatives. A risk assessment approach should be taken whereby organizations address and ultimately assess areas that are considered susceptible to breaches of cardholder data; this usually starts with the data at rest. With that said, are sufficient encryption and key management initiatives in place for protecting the cardholder data? It is then safe to move on to many of the other areas that have a high risk of being compromised due to their association with the cardholder data environment (CDE)?
It’s arguable that it's theoretically "possible" to stay PCI compliant with a risk assessment model that continually assesses system components within and around the CDE. The best way to be continually PCI compliant is to NOT use a start and stop process for compliance, whereby you implement all necessary requirements, walk away, and revisit the same requirements a year later. Security teams must constantly interact with all system components and personnel responsible for their compliance on a routine basis. It's challenging indeed, but it has to be done. Furthermore, continuous compliance is possible, technically speaking, as organizations commit large resources for short periods of time for meeting annual PCI compliance, via on-site by a QSA or an in-house self-assessment. Unfortunately, if an organization is retested, it’s common to uncover many PCI violations even though the enterprise in question was "technically" granted certification previously. Even if it is challenging and daunting, maintaining PCI compliance continuously is achievable and worthwhile.
Ask the expert!
Charles Denyer, SearchSecurity.com's resident expert on enterprise compliance, standards and frameworks, is standing by to answer your questions. Send in your questions via email today. (All questions are anonymous!)
Take at closer look at PCI compliance in SearchSecurity.com's Eye On series: Eye On: PCI DSS compliance
Dig deeper on PCI Data Security Standard
Related Q&A from Charles Denyer, Compliance, Frameworks
Charles Denyer explains the necessity of encrypting customer data with respect to HIPAA encryption requirements and squares out what enterprises ...continue reading
Struggling to develop an ISO implementation plan? Expert Charles Denyer offers advice on getting started with an enterprise ISO implementation.continue reading
Charles Denyer offers advice for developing a vendor compliance checklist to support a vendor review process or a third-party vendor audit.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.