
Is maintaining PCI compliance in the enterprise actually possible?

Manage the ongoing struggle enterprises face in maintaining PCI compliance, weighing practicality with security necessity.

The key finding from the 2011 Verizon Payment Card Industry Compliance Report was that organizations that meet compliance quickly fall out of compliance. Our company does as well, but in our defense, it seems virtually impossible to remain PCI compliant at all times without making it the chief focus of the entire company, which isn’t practical. Is it theoretically impossible to remain PCI compliant continuously?

The Verizon finding that organizations fall out of compliance almost immediately after being assessed is telling, and many companies struggle immensely with the notion of maintaining PCI compliance. To be fair, there are a great many policies, procedures and processes that have to be continually changed, updated and assessed in order to truly maintain PCI compliance.

Even amid that reality, companies should commit their best efforts to ongoing compliance with all 12 core requirements of the Payment Card Industry Data Security Standard (PCI DSS). A risk assessment approach should be taken whereby the organization identifies and then assesses the areas most susceptible to a breach of cardholder data; this usually starts with the data at rest. Are sufficient encryption and key management controls in place to protect stored cardholder data? Only once that question is answered is it safe to move on to the other areas that carry a high risk of compromise because of their association with the cardholder data environment (CDE).

It's arguable that it is theoretically possible to stay PCI compliant with a risk assessment model that continually assesses the system components within and around the CDE. The best way to be continually PCI compliant is NOT to use a start-and-stop process, whereby you implement all necessary requirements, walk away, and revisit the same requirements a year later. Security teams must interact with all in-scope system components, and with the personnel responsible for keeping them compliant, on a routine basis. It's challenging indeed, but it has to be done. The more common pattern is the opposite: organizations commit large resources for a short period to pass the annual assessment, whether an on-site assessment by a Qualified Security Assessor (QSA) or an in-house self-assessment questionnaire, and then stop. Unfortunately, if such an organization is retested, it's common to uncover many PCI violations even though it was "technically" granted certification a short time earlier. Even if it is challenging and daunting, maintaining PCI compliance continuously is achievable and worthwhile.

Next Steps

Take a closer look at PCI compliance in SearchSecurity.com's Eye On series: Eye On: PCI DSS compliance

This was last published in December 2011
