PCI compliance

Why it’s important to comply with PCI

shaane syed / 07.13.17

PCI Compliance is not just a fantastic way for your Director of Operations to sound important in meetings. It’s also key to ensuring all of your customer payment data is secured from attack.

Beyond the fact that inadvertently exposing customer information is the wrong thing to do to people who’ve trusted your organization enough to hand over their money, exposing customer payment data will absolutely wreck both your company’s reputation and bottom line. Large businesses like Target may have a big enough customer base with enough built-in goodwill that they’re able to ride out such a storm. But some organizations aren’t so lucky.

Reaching full PCI Compliance is not common. According to a report released by Verizon in 2015 (their most recent), only 20% of businesses are fully compliant. This is notable not only because of the low number, but also because all breaches investigated by Verizon were found to have occurred at businesses and organizations that were not fully compliant at the time they were breached. This implies that full compliance can allow for a certain peace of mind.

Yet, only 29% of fully compliant organizations remain compliant year-over-year. If PCI DSS is so incredibly important, why aren’t more companies staying on top of the continually updated standard?

You may as well ask why every single homeowner doesn’t own a security system. It doesn’t seem like you’re going to be robbed until the day you are, with the robbers climbing in through a window you forgot to lock before you left for work in the morning.

Security requires resources. Resources that could be used to build new features, sell more products, and deal directly with customer needs. Unlike bugs or missing features that are continually encountered and discussed by customers, it isn’t obvious that security is flawed until the moment it’s breached. This makes it easy to ignore or put off until later. What are the chances something bad is going to happen tomorrow? Or the next day? Or the day after that? Suddenly it’s six months later and no improvements have been made.

But breaches are constantly happening in the world of cyber security. Waiting until the moment customer data is compromised is way too late. How can your company stay on top of things?

This may seem pretty minor, but get your company on the pcisecuritystandards.org mailing list so you’re aware as soon as standards are updated. Updates aren’t made lightly. They’re made in response to real threats from ever more sophisticated cyber criminals.

Make it someone’s job to worry about compliance. It doesn’t necessarily have to be their only job, but it should be their responsibility to push the company to stay on track and to hassle decision makers during meetings so it stays on their radar.

Automate as much of your compliance as possible. Though there is no way to fully automate compliance, automating and streamlining as many compliance steps as possible with platforms like Halo and tools like Puppet will help ensure continual compliance with many PCI standards, so that you don’t have to spend as much time worrying about updates and the continually evolving threats that led to those changes. This is also significantly less expensive (and more accurate) than hiring the staff you’d need to stay up to date manually.

Get in the habit of auditing your security practices during every release. Compliance isn’t a one-and-done process, not only because the Security Standards Council is constantly making updates, but also because developers will release code that breaks your security just like they release code that breaks everything else. That’s just the nature of software development.

Remember that the end purpose of this process isn’t to get a certificate and declare your company compliant. It’s to protect your customers from breaches and your company from the kind of terrible blowback that comes with allowing your customers to be robbed. There are few things more important to the long term success of your organization than that.

Read over our PCI Across Clouds: Achieving PCI DSS Peace of Mind whitepaper to learn more.