Corporate Compliance Insights
Organizations Struggle to Implement Fluid PCI DSS Compliance Processes

by Steven Grossman
September 2, 2016
in Uncategorized
The risk of noncompliance with the PCI DSS is great – so what’s the hold up?

September 2016 marks the 10-year anniversary of the Payment Card Industry Security Standards Council, a group created by the major card brands to manage the Payment Card Industry Data Security Standard (PCI DSS). Any business that stores, processes or transmits payment card information must comply with the PCI DSS. Through the enforcement of the Standard, the Council has set the bar for payment card data protection, although that bar marks the beginning of the road, not the end. Companies that solely strive to “check the box” in order to comply with the PCI DSS are selling themselves short and exposing themselves and their customers to a potentially catastrophic breach. As threats become more sophisticated and environments more complex, companies need to implement a process that focuses on cybersecurity first, so that PCI DSS compliance follows as a natural consequence. However, many companies still struggle to achieve that goal, mainly due to the effort and cost involved.

Merchants that manage large, distributed, legacy environments, including proprietary point-of-sale systems deployed in hundreds of stores, face significant challenges updating those technologies so that they continue to comply with the evolving PCI DSS requirements. For example, PCI DSS 3.0 requires that merchants perform annual penetration tests to validate that the segmentation methods used to separate the cardholder data environment are “operational and effective.” For large merchants, that scope often includes the legacy infrastructure of acquired companies and their distributed networks nationwide. Testing and evaluating the segmentation methods used across all of those networks can be a time-consuming and trying task.

Companies also face challenges when it comes to compliance reporting. Historically, security teams were never focused on reporting results in a structured way; they were focused on protecting the business. Gathering and making sense of a large amount of data to report to auditors is a resource-intensive, time-consuming, error-prone effort. In many cases, security and compliance teams collect the data manually, filling out spreadsheets that are stitched together into other spreadsheets. The manual process creates a major distraction, forcing them to take their eye off the ball of protection so that they can pull together spreadsheets and send out emails. Throughout the process, errors and bias will inevitably be introduced so that the data “fits” together. In some cases, the process takes so much time and effort that companies wait until the last minute and end up using outdated data to fill the gaps because they could not complete it on time.

The PCI DSS has created a baseline for security, and the requirements provide companies with a starting point for best security practices. However, as the Standard continues to evolve, companies must work on simplifying the implementation of a consistent PCI DSS compliance process. First, they must use automation. They must automate how they collect and make sense of their cyber risk data so that reporting is truthful and traceable, and everyone involved is working off the same set of numbers. Automation is critical not just for compliance reporting to auditors, but also for IT and security executives, application owners and boards of directors to understand how well they are protecting their crown jewels.

Adhering to compliance requirements should also not fall solely on the security and/or compliance team’s shoulders. The PCI DSS compliance process requires coordination between compliance, security, IT and the line-of-business application owners. Oftentimes the dance between these many parties is broken, resulting in firefighting and last-minute reactive activity. To stay ahead of the game, line-of-business application owners should be made an integral part of protecting the applications and data that they own, and not just a peripheral sign-off along the way.

Unfortunately, the challenges organizations face in complying with changing PCI DSS requirements will not go away. As threats evolve and business environments become more complex, the PCI DSS must change as well to help organizations better protect cardholder data. However, if organizations focus on cybersecurity first, fulfilling changing compliance requirements will come more easily. For example, using two-factor authentication for remote access to a company’s network is both a security best practice and a PCI DSS requirement. If organizations had implemented two-factor authentication from the get-go, before it became a PCI DSS requirement, they would not have needed to make any changes once it became one. Having the right cybersecurity processes and methodologies in place, independent of PCI DSS compliance, will minimize business disruption when the inevitable changes to the Standard take place.

About the author

Steven Grossman is Vice President of Program Management at Bay Dynamics. Steven has more than 20 years of management consulting and industry experience working with technology, security and business executives. At Bay Dynamics, Steven is responsible for ensuring businesses are successful in achieving their security and risk management goals. Prior to Bay Dynamics, Steven held senior positions at top-tier consultancies such as PwC and EMC, where he architected and managed programs focused on security, risk, business intelligence/big data analytics, enterprise Program Management Offices, corporate legal operations, data privacy, cloud architecture and business continuity planning for global clients in the financial services and health care industries. Steven holds a B.A. in Economics and Computer Science from Queens College and has achieved his CISSP certification.

© 2022 Corporate Compliance Insights