PCI Pal® Urges Businesses to Remove ‘Tick Box’ Mentality to Ensure Year-Round PCI DSS Compliance
With just 36.7% of organisations actively maintaining PCI DSS programmes in 2018, PCI Pal®, the secure payments provider to contact centres, is urging security and compliance bosses to embrace modern cloud strategies combined with rigorous updates and testing to make year-round PCI compliance an easier task to bear.
According to the latest Verizon Payment Security Report, organisations are spending time and money creating data protection compliance programs (DPCPs), yet many are ineffective and fail to withstand the scrutiny of a professional security assessment.
Commenting on the report’s findings, Geoff Forsyth, CISO of PCI Pal, said, “PCI DSS was initially seen as a ‘tick box’ exercise by many companies, when the reality is that a paper exercise to achieve compliance does not stand up to the rigorous testing that third-party Qualified Security Assessors insist happens, as part of a compliance review.
“Compliance is hard to achieve and even more difficult to maintain. Hackers are only ever getting more sophisticated, constantly finding new techniques to compromise all but the most vigilant companies. Time and time again, companies that thought they were PCI compliant suffer a breach and subsequent analysis by forensic experts shows that those companies were never fully PCI compliant in the first place.
“Instead, PCI DSS compliance involves significant planning, reviews, revisions and testing to make sure it is achieved all year round, and not just seen as an annual exam that needs to be passed once a year. Embracing modern cloud strategies, with the latest technology and security systems, will help make this overall process far easier for all to achieve.”
The Verizon report indicates that only 20% of US companies that achieve compliance manage to retain it, whilst in Europe it’s 48% and 69.6% for Asia-Pacific.
Concludes Geoff Forsyth, “It raises the question as to why 80% of US companies are having such problems maintaining compliance. The Verizon report highlights that once companies achieve initial compliance, the constant updating, patching and testing – as per PCI DSS Requirements 6 and 11 – appear to cause problems, resulting in compliance failures. Perhaps adopting modern cloud strategies could be one answer, removing the need for organisations to rely on older, complex infrastructures or ageing networks that create compliance barriers.”