There are a variety of regulatory frameworks in place to establish baseline requirements for cybersecurity around the world. Some—like Sarbanes-Oxley (SOX) or the Health Insurance Portability and Accountability Act (HIPAA)—apply to specific industry segments or verticals. Others—like the General Data Protection Regulation (GDPR) and the Payment Card Industry Data Security Standards (PCI-DSS)—potentially affect companies of all sizes and industries.
PCI-DSS, commonly referred to simply as PCI, stands out because it is not a law. PCI is a set of rules and guidelines developed and enforced by the credit card industry itself. You might think that gives PCI less authority, but the ability to revoke a company’s ability to accept or process credit card transactions is a pretty significant incentive for PCI compliance.
What is PCI compliance all about? This is a question I am familiar with. I was the Technical Editor and a contributing author of the first edition of PCI Compliance: Understand and Implement Effective PCI Data Security Standard Compliance. I worked with a number of respected cybersecurity and compliance experts, including Dr. Anton Chuvakin, to help people understand the PCI standards and how to achieve and maintain compliance. Granted, that was many years ago and a lot has changed since then—both with the threat landscape and with the guidelines of PCI-DSS itself.
The Purpose of PCI Compliance
There are a number of things that motivate cybercriminals, but money generally tops that list. Ransomware and cryptojacking are very prevalent because they both provide attackers with immediate revenue. Credit card data is always a valuable target as well, though, as evidenced by the hundreds of millions of compromised accounts from data breaches month after month and year after year.
The major card brands of the payment card industry recognized the need to protect cardholder data. Like most compliance frameworks, PCI provides general guidelines—not specific security controls. Rather than mandating specific tools or solutions, it specifies general rules designed to achieve the desired outcome. How you get there is open to interpretation.
As I explained in the book PCI Compliance, “As with any information security regulation or guideline, you need to keep your eye on the ultimate goal. When executing a compliance project, some organizations follow the letter, rather than the spirit of the requirements. The end results may be that they were able to check off all of the boxes on the checklist and declare their network compliant, yet not be truly secure. Remember, if you follow the requirements and seek to make your network as secure as possible, you are almost guaranteed to be compliant. But, if you gloss over the requirements and seek to make your network compliant, there is a fair chance that your network could still be insecure.”
Who Has to Be PCI-DSS Compliant?
Almost every company is affected by PCI-DSS in some way. Any company that accepts credit card payments, or that processes, stores, or transmits cardholder data, must comply with the PCI standards. That is a pretty wide net. It might be easier to list the companies that don’t have to worry about PCI.
Maintaining PCI Compliance
Achieving PCI compliance and passing an initial audit is the easy part. The challenge is consistently maintaining compliance with the PCI requirements for the rest of the year in a technology ecosystem that continuously shifts and changes. Just because you were compliant yesterday doesn’t mean you’ll still be compliant tomorrow. You need PCI compliance tooling that provides effective, continuous, and scalable compliance monitoring.
This is especially true in the dynamic hybrid and multi-cloud environments many organizations run today. Network security and data privacy require vigilance. As mentioned above, though, the key lies in what your goal truly is. If you focus on checking boxes and passing a PCI audit, you probably won’t really be secure; but if you strive to implement and maintain effective network security, there’s a good chance you’ll also be compliant with the requirements of PCI-DSS.