Payment Card Industry Data Security Standard (PCI DSS) compliance is an involved process for merchants that generally requires implementing company-wide security management practices, policies, secure software design and other protection measures.
While the Standard was developed and is maintained by the PCI Security Standards Council (SSC), each of the major credit card brands — American Express, Discover, JCB, MasterCard and VISA — have established their own compliance requirements.
For retailers, this means that validation requirements, deadlines, fines and reporting standards may differ. What’s more, PCI DSS and card brand requirements change periodically.
For example, in response to pressure by the National Retail Federation, MasterCard reversed a requirement in December that it set six months earlier that would have forced retailers to use a qualified security assessor (QSA) instead of an internal audit team to achieve PCI compliance.
Small to medium-size business will continue to see additional security regulations outlined in their contractual agreements with major credit card brands as they are administered through either the acquiring bank or the transaction processor. For instance, the annual on-site PCI data security assessment may soon be required for Level 3—and even Level 4—merchants by some card brands. Keeping up with multiple, changing requirements further complicates the compliance management process, especially for SMBs with limited resources.
Automated IT Governance, Risk and Compliance (IT GRC) systems can help retailers manage the compliance process by “rationalizing” the various PCI DSS compliance requirements so that effort is not excessive or duplicated. SMBs can implement PCI DSS compliance technology and programs to reduce the costs of compliance on a year-over-year basis.
For starters, IT GRC refers to a class of automated systems that help organizations integrate and control the management of complex regulatory mandates and operational risk in alignment with high-level company governance. IT GRC is a strategic approach to the universal concept of compliance. It can help retailers meet PCI compliance requirements while also providing a controls management framework to protect personally identifiable information (PII).
How can SMBs use IT GRC? Here are some best practices for SMBs implementing PCI DSS compliance technology.
Automate compliance. A new breed of advanced IT GRC systems automates the compliance process and manages the various PCI DSS and card brand-specific requirements. You want to choose an automated IT GRC system that incorporates the PCI DSS framework, and provides an easy way to create new policies for each card brand’s requirements, such as simply uploading the requirements from a file into the system.
The IT GRC system then “rationalizes” the PCI DSS and card brand requirements against one another, automatically performing a gap analysis between each set of requirements. From that, the IT GRC system produces a report that shows only those requirements that are “exceptions.”
Automating the process of rationalizing requirements simplifies compliance. Instead of manually sifting through each card brand’s requirements and comparing them against the PCI DSS requirement and one another—or hiring a consultant to manually load each requirement for each card brand into a computer program—an automated IT GRC system does the work for you. It also allows you to run a compliance report for each card brand on an ad hoc basis.
Compliance automation reduces consulting costs and creates repeatable processes that increase operational efficiencies to keep up with requirement changes and streamline audits, thereby reducing the cost of establishing and maintaining a compliance program.
Adopt continuous compliance. Many retailers view PCI DSS compliance as a checklist project, and equate being compliant to being secure. Nothing could be further from the truth–the Hannaford Brothers supermarket chain received its PCI DSS compliance certification one day after it had learned of a two-month long breach of its network.
Achieving PCI DSS compliance and passing annual audits are based on a snapshot of the retailer’s level of security at the time of the audit. It does not ensure that a security vulnerability won’t develop the next day or beyond.
Merchants should know their risk profile and level of PCI DSS compliance daily, be able to adapt quickly to requirement changes, and ensure that employees are following security policies. An automated IT GRC system provides the management information and the security standards framework and associated policies needed for achieving and sustaining a high level of continuous compliance and security.
Leverage vendor expertise. Look for an IT GRC vendor that can provide guidance in the PCI DSS compliance process and understands real-world retail data security challenges. This will hasten the time to it takes to set up and benefit from an automated compliance program.
Using an automated IT GRC system combined with a few best practices can help SMBs manage multiple card brand requirements for PCI DSS compliance, adapt to requirement changes, reduce compliance and audit costs, and, ultimately, reach a state of continual compliance and security.
Avoid costly data breaches. While the cost to fully deploy an IT GRC system may range in price from a low of $10,000 (for fewer than 25 users) to a high of multiple millions in a large enterprise, this pales in comparison with the cost to a retailer’s reputation should a data breach occur. Many retailers today are outsourcing many aspects of their PCI DSS compliance or are performing many of the functions and record keeping in spreadsheets.
Gary Blume ([email protected]) is senior vice president of corporate strategy and business development for Lightwave Security (www.lightwavesecurity.com), an Atlanta-based GRC systems provider.