If your organization handles credit card data, there is no avoiding PCI. Most organizations treat it as an inconvenient fact of business life. They want to minimize the expense and effort of PCI compliance.
A month rarely goes by without PCI making the news. Last month, it was reminders about the deadline to eliminate designated vulnerable PCI applications. That's a serious concern.
The goal of PCI efforts, however, should not be compliance for its own sake but better security of credit card information. It is about reducing risk to the organization and to the cardholders whose data is at risk. These are your customers. Losing sight of this goal leads organizations into making four critical mistakes, according to Tripwire, a PCI compliance tools provider.
Here are Tripwire's four PCI mistakes:
1 — Treating PCI as a technology checklist
Many organizations think of PCI as a checklist of things they must do periodically to satisfy the auditors. They do the minimum once, document it, and give the resulting report to the auditors. Instead, organizations need to make PCI a continuous part of their normal operations, which dramatically lowers the risk of exposing cardholder data and of the problems and liabilities that would follow.
2 — Focusing on the cost of PCI compliance tools
It is natural to opt for the lowest-cost compliance tools. The risk here lies in not meeting all the PCI requirements. The low-cost, limited tool that gets you past the first PCI audit may not be sufficient to meet subsequent, more demanding audits. This neither saves the organization money nor delivers effective card security.
3 — Not practicing PCI all year long
Organizations focus on PCI only in the weeks leading up to the audit. PCI, however, requires continuous reporting, especially of things that have changed in the card environment. The result is a mad scramble to figure out what has changed and document it just before the auditors arrive. There are tools that generate lists of changes, but they may create more work for you if they don't differentiate between meaningless and significant changes, thereby bombarding you with massive amounts of useless information. Practicing PCI all year long means using tools that bubble up suspect changes for your attention and ignore the rest.
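The "bubble up suspect changes and ignore the rest" idea is essentially file-integrity monitoring with triage. The following is an added illustration written for this article, not Tripwire's product or code: it baselines a directory with SHA-256 hashes, diffs a later snapshot against that baseline, and sorts each change into "critical", "review" or "ignored" buckets using constructed path patterns (the `CRITICAL_PATTERNS`, `IGNORE_PATTERNS` and the toy card-environment tree in `demo()` are assumptions for the example, not anything the article specifies).

```python
import fnmatch
import hashlib
import os
import tempfile
from typing import Dict, List, Tuple

# Constructed rules (example assumptions, not from the article).
# Routine churn that should never reach a reviewer's inbox.
IGNORE_PATTERNS = ["logs/*", "*.log", "*.pid"]
# Paths where any change in a card environment is significant.
CRITICAL_PATTERNS = ["etc/payment.conf", "bin/*"]

Change = Tuple[str, str]  # (relative path, "added" | "removed" | "modified")


def sha256_file(path: str) -> str:
    """Hash a file in chunks so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map relative path -> SHA-256 for every file under root (the baseline)."""
    result: Dict[str, str] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            result[rel] = sha256_file(full)
    return result


def diff_snapshots(before: Dict[str, str], after: Dict[str, str]) -> List[Change]:
    """Raw change list: everything that differs between two snapshots."""
    changes: List[Change] = []
    for path in sorted(set(before) | set(after)):
        if path not in before:
            changes.append((path, "added"))
        elif path not in after:
            changes.append((path, "removed"))
        elif before[path] != after[path]:
            changes.append((path, "modified"))
    return changes


def triage(changes: List[Change],
           ignore: List[str] = IGNORE_PATTERNS,
           critical: List[str] = CRITICAL_PATTERNS) -> Dict[str, List[Change]]:
    """Sort changes so only the suspect ones are raised for attention.
    Critical patterns are checked first so a noisy ignore rule can never
    hide a change to a protected path."""
    buckets: Dict[str, List[Change]] = {"critical": [], "review": [], "ignored": []}
    for path, kind in changes:
        if any(fnmatch.fnmatch(path, p) for p in critical):
            buckets["critical"].append((path, kind))
        elif any(fnmatch.fnmatch(path, p) for p in ignore):
            buckets["ignored"].append((path, kind))
        else:
            buckets["review"].append((path, kind))
    return buckets


def demo() -> Dict[str, List[Change]]:
    """Constructed walkthrough: baseline a toy card-environment tree, make
    three changes of differing significance, and triage the delta."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel: str, data: str) -> None:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as handle:
                handle.write(data)

        write("etc/payment.conf", "gateway=tls\n")
        write("bin/pay", "#!/bin/sh\n")
        write("logs/app.log", "started\n")
        baseline = snapshot(root)

        write("etc/payment.conf", "gateway=plain\n")   # critical: config changed
        write("logs/app.log", "started\nrequest\n")    # routine log growth
        write("www/new.html", "<p>hello</p>\n")        # unknown: needs review
        current = snapshot(root)

        return triage(diff_snapshots(baseline, current))


if __name__ == "__main__":
    for bucket, items in demo().items():
        print(bucket, items)
```

Run daily against the cardholder data environment and the "critical" and "review" buckets become the year-round change record the auditors ask for, while the "ignored" bucket is the noise the article warns about; tune the ignore list conservatively, since a pattern that is too broad is exactly how a significant change goes unnoticed.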
4 — Failing to look at the whole picture
The key to effective PCI is to look at things holistically, at the big picture. When organizations look at events in silos, it often takes them months to realize they have experienced a breach. During that time, someone may have been stealing data or otherwise compromising the card environment. An effective solution entails a holistic approach to PCI that looks across the various silos and beyond the minimum documentation required by the auditors.
In short, the issue here is card security, not just getting PCI auditors off your case. Achieving card security requires a continuous effort combining technology, looking across silos, and correlating what you find. The payoff is reduced risk for you and your customers, not just compliance.