Maintaining PCI compliance is a big challenge for most companies — Misconceptions keep companies from 100% compliance says, Jim McNeese 

A majority of companies that achieve annual compliance with the Payment Card Industry Data Security Standard (PCI DSS) fail to then maintain that status. As a result, they often remain exposed to potential data breach risks and other security threats.

Companies do not have the resources to deal with compliance and security properly.  IT staff are generalists with a lack of expertise in these areas.  There are gaps in what companies/IT staff believe to be compliance and secure vs. PCI and HIPAA requirements.

More advice from our experience to companies and franchise systems

  •  Work with a QSA (Qualified Security Assessor) company for compliance.  They are audited by the PCI Council and held accountable for their actions. C2XCEL works with the best of the best QSA companies that will handle this for them.
  • Don’t try the DIY approach to security and compliance.  There are too many moving pieces and gray areas that can keep you from compliance.  Utilize an expert that has a larger view of the compliance landscape.
  • Don’t leave franchisees to their own devices when it comes to PCI Compliance and HIPAA.  Work with a company that will help manage compliance and hand-hold franchisees through the process.

The areas where many companies appear to have particular problems involve PCI requirements on protecting data at rest, security testing and monitoring security controls and detecting and responding to compromises, he said. More than half of the companies assessed failed compliance requirements for protecting data at risk in their initial annual compliance assessments.

The recent data breach at Target that exposed data on more than 40 million debit and credit cards has focused considerable attention on PCI standards and compliance issues in general.

Target, like many others before it, has noted that it was breached despite achieving compliance with all PCI requirements. The implication is that the standard does little to protect companies against new and sophisticated threats.

But the reality is that “most breaches are not a failure of the technology or standards but rather a failure to implement the standards. A lack of resources and manpower continue to be major roadblocks to ongoing PCI compliance at many companies, which often reassign staff to other projects once they have passed their annual security audit. Under PCI rules, large companies such as Target are required to conduct quarterly vulnerability scans to check for threats to payment card data. But companies then fail to take the requirement in the spirit it was intended and fail their quarterly scans.

Read more