Too many companies are neglecting to keep up to date with the standards required for accepting electronic payments, even though compliance is easily achieved by following three simple rules, according to Securus Global senior security consultant Steven Surdich.
Surdich said that in his experience, companies are treating Payment Card Industry Digital Security Standard (PCI DSS) like a once-per-year obligation.
PCI DSS, often referred to as just PCI or PCI compliance, is a security standard developed by the Payment Card Industry Security Standards Council (of which credit providers like Visa, MasterCard and American Express are members). It consists of 12 overarching requirements, which, when implemented correctly, are meant to better protect cardholder data and thus reduce credit card fraud.
To ensure that these requirements are continually met, organisations that handle large numbers of transactions are audited by an external Qualified Security Assessor (QSA) annually, but, according to Surdich, the annual check-up has resulted in organisations forgetting about or neglecting PCI compliance until the audit date.
He said that symptoms of such behaviour include seeing an increase in last-minute activity, or an apparent spontaneous outbreak of patching behaviour as the audit date approaches.
"We'll see service tickets labelled 'patching for PCI'. It's pretty obvious how some companies approach it," Surdich said.
Despite this behaviour, PCI compliance is meant to be a year-round effort to ensure that customer payment details are constantly protected, not a single, once-off activity. Surdich highlighted companies' obligations as stated in their Attestation of Compliance: "The merchant has read the PCI DSS, and recognises that they must maintain full PCI DSS compliance at all times".
Although many companies appear to be having difficulty in doing so, Surdich said it is simple if they follow the three basic rules: controlling changes to the cardholder environment; maintaining oversight of their activities; and simplifying compliance processes.