Corporate Compliance Insights
The Challenges of Managing PCI DSS Compliance

4 Steps to Better Govern PCI Programs

by Dennis Keglovits
September 9, 2019
in Compliance, Featured

Many organizations struggle with the Payment Card Industry Data Security Standard. Lockpath’s Dennis Keglovits outlines what organizations can do to meet the standard now and to maintain PCI DSS compliance going forward.

The Payment Card Industry Data Security Standard (PCI DSS) applies to any entity that stores, processes or transmits cardholder data, and it exists to prevent payment fraud affecting both consumers and businesses. Yet the standard has left many organizations struggling, not because they lack knowledge, but because its requirements are more comprehensive and far more technical than most other industry frameworks they have to follow.

PCI DSS groups its 12 requirements under six control objectives aimed at protecting payment systems and cardholder data. The typical organization is not prepared to manage the many areas of a payment IT infrastructure that must be controlled to meet them.

Specifically, the requirements supporting those objectives oblige organizations to manage, govern and integrate the work of several departments, including IT, security, compliance, risk and incident response. Those managing PCI DSS compliance quickly realize that achieving the six objectives requires PCI DSS to be a proactive, day-to-day part of the business.

Some of the more common challenges of PCI DSS include:

  • Understanding your vulnerabilities – Assessing assets and applications for secure configurations, identifying outdated software, applying security patches and fixing security flaws in custom applications all take time and resources that are often unavailable.
  • Keeping everything up to date – Requirements, business objectives, assets, incident response plans and other items vital to PCI compliance can change in an instant. Without effective governance and management processes, organizations do not know when they have fallen out of compliance.
  • Confirming third-party service providers are compliant – Third-party service providers (TPSPs) can support a PCI program, but the organization remains responsible for how those third parties handle its cardholder data. Gaining insight into TPSP processes and confirming they are PCI compliant is a challenge in itself.
  • Obtaining timely information – Producing PCI compliance reports on time is always a challenge, especially when different data types must be combined and communicated meaningfully to different audiences.

The following steps will help organizations effectively address common compliance challenges and better govern and manage PCI programs.

Conduct Risk Assessments

Risk assessments tell the organization what is at risk, where it is vulnerable and where controls, policies and procedures could mitigate that risk. Organizations that successfully comply with the standard start their PCI program by conducting a risk assessment of their payment card environment, which can identify broken or ineffective processes. Third parties that process or manage cardholder data should also be assessed on a regular basis. Assigning risk scores to findings lets the organization attach appropriate mitigation plans and prioritize remediation efforts.

Continuously Monitor for Vulnerabilities

Many common vulnerabilities stem from misconfigured back-office systems and internet-facing assets such as web servers. One effective mitigation is to continuously monitor the configuration of IT assets and compare the collected data against industry hardening benchmarks such as those from CIS, ISO and NIST, the same sources PCI DSS itself cites as acceptable system configuration standards. This reduces the chance of a breach and protects payment card data wherever it is stored, processed or transmitted. Configuration monitoring complements, but does not replace, the quarterly internal and external vulnerability scans that PCI DSS also requires.
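The continuous configuration monitoring described above, together with the earlier points on understanding vulnerabilities and scoring risk assessment findings, as an added worked example that is not code from the article or from Lockpath: a small Python check that parses a captured sshd_config, compares it against a hardening baseline and returns the failed checks ordered by severity so remediation can be prioritized. The baseline rules are modelled on the kind of checks a CIS-style benchmark contains but are not the benchmark's own text, and the host name and both sample configurations are constructed for illustration.

```python
"""Configuration drift check against a hardening baseline, with risk-weighted findings.

Added example, not code from the article or from Lockpath. The rules are
modelled on CIS-style checks but are NOT the published benchmark; the host
name, directive values and both sshd_config samples are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample: sshd_config as captured from a back-office host.
SAMPLE_SSHD_CONFIG = """
# constructed sample - host cde-web-01
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding yes
MaxAuthTries 6
ClientAliveInterval 0
"""

# Constructed sample: the same host after remediation.
HARDENED_SSHD_CONFIG = """
# constructed sample - host cde-web-01, remediated
Port 22
PermitRootLogin no
PasswordAuthentication no
X11Forwarding no
MaxAuthTries 4
ClientAliveInterval 600
"""


@dataclass(frozen=True)
class Rule:
    key: str                      # sshd directive to inspect (case-insensitive)
    check: Callable[[str], bool]  # True when the observed value is acceptable
    severity: int                 # 1 (low) .. 5 (critical); drives prioritisation
    rationale: str


@dataclass(frozen=True)
class Finding:
    key: str
    observed: Optional[str]       # None when the directive is absent
    severity: int
    rationale: str


def _int_between(lo: int, hi: int) -> Callable[[str], bool]:
    """Build a check accepting integer values in the inclusive range [lo, hi]."""
    return lambda v: v.isdigit() and lo <= int(v) <= hi


# Illustrative baseline (assumption: CIS-style checks, not the published benchmark).
BASELINE = [
    Rule("PermitRootLogin", lambda v: v.lower() == "no", 5,
         "shared root logins defeat individual accountability"),
    Rule("PasswordAuthentication", lambda v: v.lower() == "no", 4,
         "key-based authentication resists password guessing"),
    Rule("MaxAuthTries", _int_between(1, 4), 3,
         "cap authentication attempts per connection"),
    Rule("ClientAliveInterval", _int_between(1, 900), 3,
         "idle sessions must time out (PCI DSS requires re-authentication after 15 min)"),
    Rule("X11Forwarding", lambda v: v.lower() == "no", 2,
         "disable unused forwarding to reduce attack surface"),
]


def parse_config(text: str) -> dict[str, str]:
    """Parse 'Directive value' lines into a dict keyed by lower-cased directive.

    Blank lines and '#' comments are ignored. As sshd does, the first
    occurrence of a directive wins; later duplicates are ignored.
    """
    config: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue  # malformed line: nothing to evaluate
        config.setdefault(parts[0].lower(), parts[1].strip())
    return config


def evaluate(config: dict[str, str], baseline: list[Rule]) -> list[Finding]:
    """Return the failed rules, highest severity first.

    A missing directive fails its rule: the daemon default is not assumed safe.
    """
    findings = []
    for rule in baseline:
        observed = config.get(rule.key.lower())
        if observed is None or not rule.check(observed):
            findings.append(Finding(rule.key, observed, rule.severity, rule.rationale))
    return sorted(findings, key=lambda f: f.severity, reverse=True)


def risk_score(findings: list[Finding]) -> int:
    """Sum of severities: one number per host that can be trended over time."""
    return sum(f.severity for f in findings)


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_SSHD_CONFIG), ("after", HARDENED_SSHD_CONFIG)):
        found = evaluate(parse_config(text), BASELINE)
        print(f"{label}: risk score {risk_score(found)}, {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.severity}] {f.key}={f.observed!r}: {f.rationale}")
```

Run against the "before" sample, every rule fails and the host scores 17; the remediated sample scores 0. Treating an absent directive as a failure is deliberate: a benchmark check that silently passes on a missing line is exactly the kind of gap that lets a host drift without anyone noticing.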

Review the Controls Environment

Basic security controls are essential for payment card security, and their absence is a top reason many organizations fail their interim compliance assessment. In an ever-changing threat environment, improving controls such as access provisioning is challenging. Periodically testing controls improves your ability to identify low-performing, redundant, conflicting and ineffective controls and to keep the control baseline current.

Leverage Policies and Procedures

A well-run PCI DSS program requires participation and collaboration across the business. The trouble is that such a program often interrupts employees’ daily responsibilities, creating an environment where needed actions fall through the cracks and confusion grows. By embedding PCI requirements in company policies and procedures, employees can fold compliance activities into daily operations and make PCI compliance business as usual.

PCI compliance involves many parts of the business, not just the compliance function. Each party has a different understanding of business needs, vendor relationships, compliance, IT and audit requirements, which creates friction. Adopting technology that offers integrated risk management and continuous security monitoring is increasingly valuable for complying with PCI DSS and for adapting when the standard changes. That flexibility helps contain the extra costs that inevitably arise when compliance issues have to be fixed.

An agile system is necessary to manage the challenges of PCI DSS compliance in 2020 and beyond. Such a system integrates the relevant data and activities from across the business; addresses the needs, roles, responsibilities and processes of every stakeholder involved in PCI DSS compliance; and helps the organization carry out the day-to-day, quarterly and annual activities required to achieve and maintain compliance.


Tags: Payment Card Industry Data Security Standard (PCI DSS), Risk Assessment
Dennis Keglovits

Dennis Keglovits is Vice President of IRM Services at Lockpath, a NAVEX Global Company. Dennis has over 20 years of consulting experience in the areas of risk management, internal audit and compliance services across several industries. A veteran of Big 4 Accounting and Consulting Firms, Dennis has served some of the world’s most recognizable brands. As a regional managing director in a national firm, he developed the service delivery model and go-to-market strategy across the Midwest.  
© 2025 Corporate Compliance Insights