Businesses Continue to Struggle with PCI DSS Compliance

Since it was introduced in the mid-2000s, the Payment Card Industry Data Security Standard (PCI DSS) has set a baseline of transaction security for any company that stores, processes or transmits payment card data. PCI DSS provides requirements, testing procedures, supporting guidance and more that organizations can use to make sure they are properly protecting cardholder information.

PCI DSS was created as a response to changes in the payments market. Starting in the 1990s and increasing at a rapid rate, online shopping meant that more people than ever were using their credit and other payment cards to buy products over the internet. While this opened up plenty of new opportunities for legitimate ecommerce merchants and customers alike, unfortunately it also created new ways that scammers could operate.

Initially, the card brands, Visa, MasterCard, Discover and American Express, each set up their own rules to make sure that merchants and service providers maintained certain security standards. While their willingness to act quickly was welcome, it quickly resulted in a confusing patchwork of overlapping programs with no unified standard. With fraud cases increasing in the mid-2000s, the first PCI DSS (version 1.0) was released in December 2004, requiring merchants to comply with a single rule set. Two years later, in 2006, the independent PCI Security Standards Council was set up to maintain the standard and oversee compliance programs.

PCI DSS evolves

Since then, PCI DSS has continued to evolve. New versions of the rules are typically published every one to two years, reflecting the latest guidance for payment security. For example, the most recent version at the time of writing, PCI DSS 3.2.1, was published in May 2018. It carries forward the multi-factor authentication (MFA) requirements for non-console administrative access introduced in version 3.2, among other changes.

Unified compliance rules have been a net positive. However, there’s still plenty of room for improvement. 

While companies handling payment cards have had to comply with the rules, that compliance isn't necessarily sustained all year round. According to the Verizon 2020 Payment Security Report, only 27.9 percent of businesses maintained full compliance during the period between audits. The controls most often allowed to lapse are the ones that are hardest to keep alive without ongoing effort: security policies, risk assessment processes, management oversight and documentation.

This is particularly bad news because, from the perspective of cybercriminals, information related to payments and finance is an especially alluring target since this is where they can most easily make money, while having the biggest negative impact on victims.

PCI DSS compliance can be a (necessary) challenge

The challenge of complying with PCI DSS guidelines is easy to understand. While PCI DSS has only 12 main requirements, those break down into more than 300 sub-requirements in the form of security controls, and the official documentation runs to upwards of 1,800 pages. That would take days simply to read and understand, let alone put into action. With rules constantly being tweaked and adjusted, compliance isn't straightforward, although it is 100 percent necessary.

Failure to comply with these rules puts payment card data at risk. Since 2005, around the time the PCI DSS guidelines were first put in place, more than 11 billion consumer records have been leaked as a result of more than 8,500 data breaches. Not all of those breaches involved stolen financial data, but it has consistently been a primary target, particularly as more and more consumer spending is carried out online using payment cards rather than in brick-and-mortar stores using cash.

Companies must work hard to build PCI compliance strategies. This means knowing exactly what is expected of them and figuring out a way to make it sustainable, not just when it comes time for the periodic checks, but throughout the year. Mapping cardholder data flows against an inventory of the systems that touch them, checking that the required security protocols and controls are actually in force, and other steps will all help companies practice good data hygiene when it comes to payments.

The importance of WAF and other tools

A well-configured Web Application Firewall (WAF) is a key part of a sustainable approach to compliance. PCI DSS requires firewalls (Requirement 1), encryption of cardholder data in transit over public networks (Requirement 4), anti-malware software (Requirement 5), and, for public-facing web applications, either regular application security reviews or an automated technical solution such as a WAF in front of them (Requirement 6.6). A WAF safeguards businesses against application-layer attacks, using techniques like IP reputation and signature recognition to drop malicious requests before they reach the application.
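To make the two techniques concrete, here is a small request filter that combines an IP reputation blocklist with signature matching, run over a handful of constructed request log lines. This is an added illustration, not code from the article or from any particular WAF product; the blocklisted networks, the signatures and the log lines are all made up for the example.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote_plus

# Constructed IP reputation feed (documentation-range addresses, not a real feed).
BAD_NETWORKS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.77/32")]

# Constructed attack signatures: (name, regex applied to the URL-decoded request).
# A real WAF ships a maintained ruleset; these three are only illustrative.
SIGNATURES = [
    ("sqli", re.compile(
        r"(?i)(\bunion\b.+\bselect\b|'\s*or\s*'?\d+'?\s*=\s*'?\d+|--\s*$|;\s*drop\s+table)")),
    ("path_traversal", re.compile(r"(\.\./|\.\.\\)")),
    ("xss", re.compile(r"(?i)<script\b|javascript:")),
]


@dataclass
class Decision:
    allowed: bool
    reason: str


def ip_is_bad(client_ip: str) -> bool:
    """IP reputation check: is the client inside any blocklisted network?"""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in BAD_NETWORKS)


def match_signature(target: str, body: str = "") -> Optional[str]:
    """Signature check on the decoded path, query string and body.

    Decoding first means an encoded payload such as %27%20OR%201%3D1
    is inspected in the clear instead of slipping past the patterns.
    """
    decoded = unquote_plus(target) + "\n" + unquote_plus(body)
    for name, pattern in SIGNATURES:
        if pattern.search(decoded):
            return name
    return None


def inspect(client_ip: str, target: str, body: str = "") -> Decision:
    """Apply the cheap reputation check first, then the signature scan."""
    if ip_is_bad(client_ip):
        return Decision(False, "ip_reputation")
    sig = match_signature(target, body)
    if sig:
        return Decision(False, f"signature:{sig}")
    return Decision(True, "clean")


# Constructed request log lines in the form "<client_ip> <method> <target>".
SAMPLE_REQUESTS = [
    "192.0.2.10 GET /checkout?cart=42",
    "203.0.113.77 GET /checkout?cart=42",
    "192.0.2.11 GET /search?q=%27%20OR%20%271%27%3D%271",
    "192.0.2.12 GET /static/../../etc/passwd",
    "192.0.2.13 POST /api/orders",
]


def filter_requests(lines: List[str]) -> List[Tuple[str, Decision]]:
    """Run every log line through inspect() and keep the verdict beside it."""
    results = []
    for line in lines:
        client_ip, _method, target = line.split(maxsplit=2)
        results.append((line, inspect(client_ip, target)))
    return results


if __name__ == "__main__":
    for line, decision in filter_requests(SAMPLE_REQUESTS):
        verdict = "ALLOW" if decision.allowed else "BLOCK"
        print(f"{verdict:5} {decision.reason:24} {line}")
```

Two design points carry over to real deployments: the reputation check runs before the more expensive signature scan, and the request is URL-decoded before matching. A production WAF normalizes far more aggressively (double encoding, Unicode variants, chunked bodies) and draws its rules from a maintained ruleset rather than a hand-written list, which is exactly why the quality of the product matters.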

Tools like WAFs may be required, but that doesn't mean all of them are of equal quality or, in many cases, offer the same functionality. So choose carefully.

Ultimately, compliance shouldn’t be thought of or treated as a box-ticking exercise. Data breaches revealing sensitive information belonging to customers will have major repercussions — including fines from the issuers of payment cards, damaged reputations, lawsuits, and more. 

Once the immediate breach has been contained, companies often end up paying far more in fines, remediation and lost business than it would have cost to put adequate security measures in place to begin with. Even for that reason alone, any company or organization should make sure the right procedures are in place from the start. It's the smart thing to do.