Thursday, January 28, 2021
Corporate Compliance Insights

The Challenges of Managing PCI DSS Compliance

4 Steps to Better Govern PCI Programs

by Dennis Keglovits
September 9, 2019
in Compliance, Featured

Many organizations struggle with the Payment Card Industry Data Security Standard. Lockpath’s Dennis Keglovits outlines what organizations can do to get ready for the requirement now and to maintain compliance with PCI DSS going forward.

The Payment Card Industry Data Security Standard (PCI DSS) is a requirement for any entity storing, processing or transmitting customer cardholder data, and it is essentially designed to help prevent fraud for both consumers and businesses. However, the guidelines have left many organizations struggling – not due to a lack of knowledge, but because the requirement is more comprehensive and far more technical than other industry standards.

PCI DSS pushes organizations to achieve six distinct goals in the aim of protecting payment systems and cardholder data. The typical organization is not prepared to manage the countless areas that need to be controlled across a payment IT infrastructure.

Specifically, the requirements supporting the objectives force organizations to manage, govern and integrate different departments within the organization, including IT, security, compliance, risk and incident response. Those managing PCI DSS compliance quickly realize the effort to effectively achieve the six goals requires PCI DSS to be a proactive, day-to-day part of their business.

Some of the more common challenges of PCI DSS include:

  • Understanding your vulnerabilities – Assessing assets and applications for secure configurations, identifying outdated software and issuing security patches and addressing security flaws in custom applications often requires time and resources that are unavailable.
  • Making sure everything is up to date – Requirements, business objectives, assets, incident response plans and other items vital to PCI compliance can change in an instant. Without effective governance and management processes, organizations don’t know when they are out of compliance.
  • Confirming third-party service providers are compliant – Employing third-party service providers (TPSPs) can aid PCI programs; however, the organization is still responsible for how third parties handle their data. Gaining insights into TPSP processes and ensuring they are PCI compliant is a challenge in itself.
  • Obtaining timely information – Creating reports for PCI compliance in a timely manner is always a challenge. This is especially true when different data types must be combined and communicated in a meaningful way to different audiences.

The following steps will help organizations effectively address common compliance challenges and better govern and manage PCI programs.

Conduct Risk Assessments

Risk assessments inform the organization of what is at risk; where it is vulnerable; and where controls, policies and procedures could mitigate risk. Organizations that comply with the regulation start their PCI program by conducting a risk assessment on their payment card system, which can identify broken or ineffective processes. Third parties that process or manage data should also be assessed on a regular basis. Assigning risk scores to findings enables the organization to assign appropriate mitigation plans and to better prioritize remediation efforts.

Continuously Monitor for Vulnerabilities

Many common vulnerabilities involve the misconfiguration of back-office systems and assets like web servers. One effective approach to mitigate vulnerabilities is continuously monitoring the configuration of IT assets and analyzing the collected data against industry standard benchmarks like CIS, ISO and NIST. This will help to not only decrease the chance of a breach, but also protect payment card data.
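As an added illustration of the two preceding steps (risk-scored findings from the risk assessment, and continuous configuration checks against a benchmark), the following Python is not Lockpath's product or any real CIS/ISO/NIST benchmark: the rules, the exposure weighting and the asset snapshots are constructed samples, so a practitioner would replace them with the actual benchmark items and collected configurations.

```python
"""Continuous configuration monitoring with risk-scored findings.
Added illustration: benchmark rules and asset snapshots are constructed,
not taken from any published benchmark or vendor product."""
from dataclasses import dataclass
from typing import Callable

@dataclass
class Rule:
    id: str
    description: str
    severity: int                   # 1 (low) .. 5 (critical)
    check: Callable[[dict], bool]   # True when the configuration is compliant

# Constructed rules in the spirit of PCI DSS hardening requirements.
BENCHMARK = [
    Rule("cfg-01", "vendor default accounts disabled", 5, lambda c: not c["default_accounts"]),
    Rule("cfg-02", "TLS 1.2 or newer for cardholder data in transit", 5, lambda c: c["min_tls"] >= 1.2),
    Rule("cfg-03", "security patches applied within 30 days", 4, lambda c: c["patch_age_days"] <= 30),
    Rule("cfg-04", "audit logging enabled", 3, lambda c: c["audit_log"]),
]

def exposure(asset: dict) -> int:
    """Multiplier: assets in the cardholder data environment and reachable from the internet first."""
    return 1 + (2 if asset["in_cde"] else 0) + (1 if asset["internet_facing"] else 0)

def assess(asset: dict) -> list[dict]:
    """Evaluate one asset snapshot against the benchmark; return the failed rules."""
    return [
        {"asset": asset["name"], "rule": r.id, "what": r.description,
         "score": r.severity * exposure(asset)}
        for r in BENCHMARK if not r.check(asset["config"])
    ]

def prioritize(assets: list[dict]) -> list[dict]:
    """All findings across the estate, highest risk score first (the remediation order)."""
    findings = [f for a in assets for f in assess(a)]
    return sorted(findings, key=lambda f: f["score"], reverse=True)

# Constructed snapshots, as a configuration-collection agent might report them.
SAMPLE_ASSETS = [
    {"name": "pos-gateway", "in_cde": True, "internet_facing": True,
     "config": {"default_accounts": False, "min_tls": 1.0, "patch_age_days": 45, "audit_log": True}},
    {"name": "intranet-wiki", "in_cde": False, "internet_facing": False,
     "config": {"default_accounts": True, "min_tls": 1.2, "patch_age_days": 10, "audit_log": False}},
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_ASSETS):
        print(f"{f['score']:>3}  {f['asset']:<14} {f['rule']}  {f['what']}")
```

Re-running `prioritize` on each new snapshot gives the "when did we fall out of compliance" signal the text asks for: a finding that was absent in the previous run marks the moment of drift.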

Review the Controls Environment

Having basic security controls is essential for payment card security. A lack of these controls is a top reason many organizations fail their interim compliance assessment. In an ever-changing threat environment, improving controls like security access provisions is challenging. Periodically testing controls will improve your ability to identify low-performing, redundant, conflicting and ineffective controls to keep the baseline set current.

Leverage Policies and Procedures

A well-run PCI DSS program requires participation and collaboration between all parts of the business. The trouble is, such a program often interrupts employees’ daily responsibilities. It creates an environment where needed actions fall through the cracks and produce more confusion. By including PCI requirements in company policies and procedures, employees can integrate compliance activities into daily operations and make PCI compliance business-as-usual.

PCI compliance involves many parts of the business, not just the compliance function. Each party has a different level of understanding of business needs, vendor relationships, compliance, IT and audit requirements, which creates challenges. An organization’s ability to adopt technology offering integrated risk management and continuous security monitoring is an increasingly valuable capability for complying with PCI DSS and adapting when the standard changes. The flexibility of such technology can help mitigate the inevitable extra costs encountered when solving compliance issues.

Having an agile system in place is necessary to manage the challenges of PCI DSS compliance in 2020 and years into the future. The system integrates all the relevant data and activities from across the business; addresses the needs, roles, responsibilities and processes of all stakeholders involved in PCI DSS compliance; and helps effectively address the day-to-day, quarterly and annual activities required to achieve PCI compliance.


Tags: PCI DSS, risk assessment
Dennis Keglovits

Dennis Keglovits is Vice President of IRM Services at Lockpath, a NAVEX Global Company. Dennis has over 20 years of consulting experience in the areas of risk management, internal audit and compliance services across several industries. A veteran of Big 4 Accounting and Consulting Firms, Dennis has served some of the world’s most recognizable brands. As a regional managing director in a national firm, he developed the service delivery model and go-to-market strategy across the Midwest.
