The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements that every organization which stores, processes or transmits cardholder data must follow to keep that data out of the hands of attackers.
To remain in good standing with the card brands and their acquiring banks, merchants and service providers must become PCI compliant, a process that involves periodic assessments: self-assessment questionnaires for smaller merchants and on-site assessments by a Qualified Security Assessor for larger ones. Historically, these assessments have revolved around a series of checkboxes.
But these self-assessments have become so routine that many businesses simply go through the motions (like flight attendants showing passengers how to buckle their seatbelts or use oxygen masks). In other words, organizations often invest the minimum resources required to become PCI compliant.
The PCI Security Standards Council wants to change this. As card fraud and data breaches become more commonplace, the Council is emphasizing ongoing, risk-based security improvement instead of simplified checklists.
Organizations must still prioritize the most serious threats and address them first. But they should also take proactive steps to reduce risk over time, especially as payment technologies and spending habits change.
Below are four of the Council's most important recommendations, followed by the one that matters most:
1. Improved Monitoring and Surveillance
Threats are not static. They evolve as attackers develop new ways of stealing cardholder data. Organizations should therefore keep improving how they monitor their networks, and in particular the cardholder data environment: what is logged, who reviews those logs (PCI DSS requires that security logs be reviewed daily), and how quickly an anomaly turns into an alert that someone acts on.
2. Security Is Not Just about IT Infrastructure
The Council recommends making security a "key performance indicator" that applies to every department within the organization, not just the IT department.
Sit down periodically with employees from each department to discuss potential weaknesses and fixes that might benefit the whole organization.
3. Leverage the Latest Technologies
From point-to-point encryption (P2PE) to tokenization to EMV chip terminals, there is now a range of technologies that devalue card data. P2PE encrypts the card number inside the payment terminal so the merchant's own systems never see it in the clear; tokenization replaces the stored card number with a surrogate value that is useless outside the token vault; and EMV chip cards make the data captured at the terminal far harder to reuse for counterfeit cards. Organizations should continuously explore ways to incorporate these solutions into their payment infrastructure, not least because removing clear-text card data from their systems also shrinks the scope of their PCI assessment. The best way to deter attacks is to make card data both inaccessible and useless to whoever does get hold of it.
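The following is an added illustration of the tokenization idea, written for this page rather than taken from BluePay or from any real token service provider: a minimal token vault that validates a card number, hands back a random token, and lets the merchant store only that token plus a masked display form. The vault class, the HMAC "fingerprint" used to return the same token for a repeat card, and the sample test card number are all assumptions made for the example.

```python
"""Added example (not BluePay's code): a minimal tokenization vault.

The point it demonstrates: once the merchant's database holds only tokens
and masked PANs, a copy of that database is worthless to a card thief.
The names, the vault layout and the lookup-key design are assumptions.
"""
import hmac
import re
import secrets
from hashlib import sha256


def luhn_valid(pan: str) -> bool:
    """Luhn (mod 10) checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Display form: at most first six and last four digits visible
    (the PCI DSS v3.2.1 masking rule); everything else is replaced."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Stand-in for a token service provider's vault.

    A real vault lives outside the merchant's environment and encrypts
    the PAN at rest under an HSM-managed key; this dict is a placeholder
    so the example runs offline.
    """

    def __init__(self, lookup_key: bytes):
        self._by_token = {}        # token -> PAN (the only place a PAN lives)
        self._by_fingerprint = {}  # HMAC(PAN) -> token, for repeat cards
        self._lookup_key = lookup_key

    def tokenize(self, pan: str) -> str:
        digits = re.sub(r"\D", "", pan)
        if not (13 <= len(digits) <= 19 and luhn_valid(digits)):
            raise ValueError("not a valid card number")
        # Keyed fingerprint: same card -> same token, but without the key
        # nobody can test a guessed PAN against the vault's index.
        fp = hmac.new(self._lookup_key, digits.encode(), sha256).hexdigest()
        if fp in self._by_fingerprint:
            return self._by_fingerprint[fp]
        token = "tok_" + secrets.token_hex(16)  # random, not derived from PAN
        self._by_token[token] = digits
        self._by_fingerprint[fp] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (e.g. at authorization time) can go back to the PAN."""
        return self._by_token[token]


def order_record(vault: TokenVault, pan: str, amount: str) -> dict:
    """What the merchant's own database keeps for an order: no PAN at all."""
    digits = re.sub(r"\D", "", pan)
    return {
        "token": vault.tokenize(digits),
        "display": mask_pan(digits),
        "amount": amount,
    }


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    # Constructed input: a standard Visa test number, not a real card.
    rec = order_record(vault, "4111 1111 1111 1111", "19.99")
    print(rec)
    print("vault round-trip:", vault.detokenize(rec["token"]))
```

The token is random rather than derived from the PAN, so a stolen token (or the whole merchant database) cannot be reversed; the keyed fingerprint exists only to give repeat customers a stable token, and its key must stay with the vault, since anyone holding it could brute-force the small search space of PANs under a known BIN.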
4. Patch Management & Updates
Regardless of which security controls and technologies you have in place, keep them up to date. As new versions and patches come out, test and deploy them promptly (PCI DSS requires critical security patches to be installed within one month of release). Unnecessary delays dramatically increase your exposure: once a patch is public, attackers compare it against the old version, work out the weakness it fixes, and scan for systems that have not applied it. As other organizations patch, the unpatched ones become the easiest and most likely targets.
The Most Important PCI Security Improvement of All
"PCI compliant" is not something you become once; it is something you become and remain. It requires ongoing improvements and updates throughout the year. An organization that is compliant on January 1 may lose that standing a month later because of a missed patch, a new system added to the cardholder data environment, or a log review that stopped happening.
This is why the simple "checkbox" model is no longer enough. True PCI compliance must be as fluid and dynamic as the countless security threats facing the larger credit card industry.
To learn more about PCI compliance at BluePay, use the free resources below: