Across the US and the UK, adoption of the Payment Card Industry (PCI) compliance requirements is slowly gaining momentum, at least among larger merchants. According to a February 2012 report from Visa, for example, approximately 98 percent of Level 1 merchants and 91 percent of Level 2 merchants were PCI compliant.
However, problems remain. Many of these organizations are finding that they are now ill-equipped for their next round of assessments, despite having successfully met PCI requirements previously, as demonstrated by a Report on Compliance (ROC) or Self-Assessment Questionnaire (SAQ).
Another major concern is that despite increased levels of PCI compliance, Level 1 and 2 merchants have continued to make headline news in the past year due to large data breaches. This is particularly troubling given that these organizations presumably have the resources and processes to protect themselves and their customer data. Given the changing nature of the threat landscape, there is every reason to believe this trend will continue in 2012.
Lack of Monitoring, Out-of-Date Policies, and New Services Lead to Non-Compliance
Some merchants have found that while they initially implemented controls successfully to pass their previous PCI assessments, they no longer monitored those controls once their compliance project team disbanded. In other cases, policies have not been updated to reflect technical and organizational changes over the course of the year.
In addition, some merchants have introduced new services into their networks, such as free wireless access for customers or patients, without considering the implications for PCI compliance. As a result, many organizations are now scrambling to catch up in preparation for their next PCI assessment. They have in effect been non-compliant, and the consequences have included data breaches, brand damage, costly fines and lawsuits.
Recommendations to Ensure Compliance and Security
There are, however, several steps merchants can take to better address these issues and ensure they have an effective security program in place between assessments. These include embedding security controls into everyday processes, performing regular PCI health checks, and preparing for assessments with an organized plan. In my next post, I'll discuss these in more detail.
Rafe Pilling is a PCI QSA and Principal Consultant with Dell SecureWorks' Security and Risk Consulting team and is located in Europe.