PCI Compliance Turns 13: What Businesses Need to Know

9 Steps to Reduce the Risk of Data Breaches and Regulatory Fines

by Stephen Cavey
September 13, 2019
in Cybersecurity, Featured

Nearly half of companies remain noncompliant as we near the 13th anniversary of the PCI DSS, and these organizations are at serious risk of data breaches and regulatory fines. Ground Labs' Stephen Cavey provides an overview of the standard and tips for achieving compliance.

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that every company that processes, stores or transmits cardholder data maintains a secure environment. The standard was first launched in September 2006, and since then it has undergone regular updates as paying by card has become more diversified and digitized. Despite greater awareness, many organizations still don't take PCI compliance seriously and remain at risk of costly data breaches and regulatory fines.

As we near the 13th anniversary of PCI DSS, here are four facts every business should know in order to achieve or maintain compliance while preserving brand reputation and customer loyalty.

After 13 Years, Many Organizations Are Still Not Fully Compliant

Verizon's 2018 Payment Security Report found that only 52.5 percent of companies surveyed were in compliance with PCI DSS, which means that nearly half of the organizations assessed are still not fully compliant, for a broad variety of reasons, some of which are covered in this article.

To cut through the confusion, it is essential to conduct regular compliance reviews. The largest share of organizations (40 percent) measure their PCI compliance only annually, for validation purposes, but more frequent reviews break the remediation effort into smaller pieces as and when issues are identified. Verizon found that fewer than one in five (19 percent) measure and report their PCI DSS compliance monthly, something that becomes possible with the right levels of automation and a recurring process.

Investing in Automation is Essential

Another common reason PCI compliance within an organization is so fragile is how lean the program is run. With today's global cybersecurity skills shortage, existing security staff are being loaded with additional time-sensitive tasks, and lower-priority manual tasks end up deferred or missed.

Across most industries, the typical approach is ongoing investment in new and updated solutions to achieve a modern, efficient security stack and defend the organization from suffering a data breach. When making these investment decisions, it is crucial now more than ever to assess the level of human effort required to operate and maintain the proposed solution.

Modern security and risk management solutions offer a number of automation capabilities, as well as comprehensive and robust integration APIs to enable interoperability and data exchange with other platforms. This is key to minimizing the amount of manual process needed as compliance data is exchanged between systems to determine compliance status.

The net outcome of your automation efforts should be simple: lower staffing requirements and an improved security and compliance posture. More importantly, it should deliver continuous compliance without gaps and without reliance on manual processes.

The Cardholder Data Isn’t Always Stored Where You Expect

Having partnered with hundreds of PCI Qualified Security Assessors (QSAs) who worked with thousands of organizations over the past 10+ years, we continually learn of new situations involving insecure and unknown credit card storage. Sometimes these involve hundreds of millions of customer card numbers being uncovered with no encryption security or awareness within the business of its existence.

This problem traces back to a fundamental flaw and PCI compliance mistake: Assumption.

For the longest time, organizations validated their PCI compliance scope by surveying each department, i.e., "asking them" whether they handled cardholder data. This often led to false conclusions based on assumptions about where cardholder data was located. It compounds into a larger issue: expensive security controls are implemented to protect only part of the data at risk, while the rest of the cardholder data hiding within the organization is overlooked and remains exposed after the compliance controls are in place.

The only proven way to overcome this challenge is by conducting a thorough cardholder data discovery process across all systems. This software-driven process eliminates “unknown unknowns” and provides a true position on the scope of cardholder data storage with evidence. Furthermore, if approached correctly, a thorough discovery process can search across all storage locations regardless of type, including file servers, desktops, databases, emails, big data, cloud storage and more.
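As an illustration of what a software-driven discovery pass actually does, here is a minimal cardholder-data scanner. This is an added example, not code from Ground Labs or the PCI SSC. It assumes a simplified issuer-prefix table (real tools use full BIN ranges), accepts candidate digit runs of 13 to 19 digits with optional space or dash separators, drops anything that fails the Luhn check or matches no known card brand, and reports only masked PANs (first six and last four digits) so the scan output itself never becomes a new cardholder-data store. The sample files it scans are constructed inline for the demo.

```python
import os
import re
import tempfile

# Candidate: 13-19 digits, each digit optionally followed by one space or dash,
# not adjacent to other digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer(digits: str):
    """Simplified brand detection (assumption: not a full BIN table)."""
    n = len(digits)
    if digits.startswith("4") and n in (13, 16, 19):
        return "Visa"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    if n == 15 and digits[:2] in ("34", "37"):
        return "Amex"
    if n == 16 and (digits.startswith("6011") or digits.startswith("65")):
        return "Discover"
    return None


def mask(digits: str) -> str:
    """PCI-style masking: at most first six and last four digits visible."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str):
    """Return (masked_pan, brand) for every likely PAN in the text, deduplicated."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_valid(digits):
            continue  # random digit runs fail Luhn ~90% of the time
        brand = issuer(digits)
        if brand is None:
            continue  # Luhn-valid but not a card brand we recognise
        hit = (mask(digits), brand)
        if hit not in hits:
            hits.append(hit)
    return hits


def scan_tree(root: str):
    """Walk a directory and map relative file paths to PAN findings."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            hits = find_pans(text)
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings


def build_sample_tree() -> str:
    """Constructed sample data using public test card numbers, not real PANs."""
    root = tempfile.mkdtemp(prefix="pan_scan_")
    os.makedirs(os.path.join(root, "exports"))
    samples = {
        "exports/refunds.csv": "id,card,amount\n17,4111 1111 1111 1111,19.99\n18,3782-822463-10005,5.00\n",
        "notes.txt": "Order ref 1234567812345670 (Luhn-valid, not a card); phone 0412345678\n",
        "hr/payroll.txt": "Employee badge 4111111111111112\n",  # fails Luhn
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


def demo():
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for path, hits in demo().items():
        print(path, hits)
```

Only the export file is reported; the Luhn-valid order reference is dropped for lacking a card brand prefix, and the badge number fails Luhn. The same three filters (format, checksum, issuer range) are what keep a real discovery run from drowning in false positives across file shares, mailboxes and databases, though production tooling also has to open archives, office documents and database tables rather than plain text.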

Upon completion of data discovery, the associated reporting can be used to validate existing assumptions and then appropriately reprioritize the compliance program’s remediation efforts to focus on the highest-risk areas first in order to achieve compliance.

This revised approach will ensure your compliance investment will achieve its true stated goal – to identify and secure all cardholder data that exists across the organization.

Where to Start? Quick Tips for PCI Compliance

In addition to the advice given above, the PCI Security Standards Council (PCI SSC) provides a comprehensive Document Library, which includes a Prioritized Approach Tool to help an organization focus its efforts correctly on the way to PCI compliance.

The PCI SSC recommends nine quick tips to get an organization on its way to achieving PCI compliance:

  1. Buy and use only approved PIN entry devices at your points of sale.
  2. Buy and use only validated payment software at your POS or website shopping cart.
  3. Do not store any sensitive cardholder data in computers or on paper.
  4. Use a firewall on your network and PCs.
  5. Make sure your wireless router is password-protected and uses encryption.
  6. Use strong passwords. Be sure to change default passwords on hardware and software (most are unsafe).
  7. Regularly check PIN entry devices and PCs to make sure no one has installed rogue software or “skimming” devices.
  8. Teach your employees about security and protecting cardholder data.
  9. Follow the PCI Data Security Standard.

Compliance is a journey, not a destination. It will never be a “one and done” business initiative to meet standards; the attitude toward PCI compliance must be that of a constant desire to improve and test networks to ensure they are secure. There is no easy fix for achieving compliance or even remaining compliant. It needs to be part of everyday business practices across the entire organization.


Tags: Data Breach, Payment Card Industry Data Security Standard (PCI DSS)
Stephen Cavey

Stephen Cavey is Co-Founder and Chief Evangelist at Ground Labs, where he leads a global team empowering its customers to discover, identify and secure sensitive data across their organizations. He leads its worldwide product development, sales and marketing and business operations and was instrumental in extending Ground Labs’ presence with enterprise customers. Stephen has deep security domain expertise with a focus on electronic payments and data security compliance. He is a frequent speaker at industry events on topics related to data security, risk mitigation and cybersecurity trends and futures. He started Ground Labs after holding leadership positions at Paycorp Holdings, a provider of integrated electronic payments solutions; he also held engineering roles with Webpay, a payment services provider later acquired by Fidelity, and Webtel, an early Australian ISP.
