PCI: How a Laggard Can Become a Leader
7 Habits for Effective Compliance
While an estimated 77% of Level 1 Merchants (those that have more than 6 million credit card transactions per year) are PCI compliant, according to Visa, the average cost of compliance is $586,000. Only 62% of Level 2 Merchants (those that have 1 million to 6 million credit card transactions per year) are PCI compliant, and this group spends an average of $267,000 to get there. Only 54% of Level 3 Merchants (those that have 20,000 to 1 million credit card transactions per year) are in compliance, and they spend an average of $81,000 to become compliant. Level 4 merchants, which make up the largest group of merchants (more than 6 million), aren't registered with percentages on the Visa compliance matrix, but recorded compliance with PCI is "low," says Taylor.
Taylor and the PCI Alliance have done a series of interviews with retail merchants, acquiring banks and PCI compliance experts to assemble the "PCI Knowledge Base," which has more than 100 hours of anonymous interviews on the searchable site (http://www.knowpci.com/).
In these interviews, Taylor finds some hard and fast reasons why Level 1 and 2 merchants were able to get PCI compliant as quickly as they did. Such rapid growth in compliance caused a "separation" of compliance from security. Taylor notes the merchants were forced to utilize the checklist approach, use replaceable, tactical tools, and shift budget from strategic solutions. The merchants also bypassed integration and manageability and liberally used compensating controls to become compliant.
Seven Habits of PCI Compliant Companies
What makes one company a compliance leader and another a loser when it comes to meeting PCI requirements? According to Taylor, there are seven traits of PCI compliance leaders. Emulate these seven traits and you will achieve "nirvana" or oneness with the PCI.
1. Leverage controls data to predict breaches - The study of PCI Leadership by the PCI Alliance finds that most companies rushed to get PCI compliant quickly, implementing controls as needed. Leaders focused more on Security Information and Event Management (SIEM), using the data generated from network, system and database access controls to predict problems before they became serious.
2. Have tools or services to monitor their environment - Leaders know that security and compliance must be monitored continuously, and they have implemented Log Monitoring and alerting tools (or have engaged services) to sort through the vast reams of log data.
3. Share ownership of PCI - The most successful leaders do not try to run PCI all by themselves. They have "deputized" internal audit, HR, data owners and store managers and given them specific things to do, from employee education to access monitoring to policy enforcement.
4. Focus investment on tracking individual actions - The leading firms have implemented tools that automate the provisioning of access, so that only those with "need to know" can access data, and when their role changes, so do their permissions. Identity and Access Management and Data Loss Prevention are two types of tools critical to continuous compliance.
5. Use risk management tools - Because PCI requires a 100% score to pass, only leading firms have gone beyond this to manage their security based on a thorough risk analysis. Beyond a basic "stoplight" rating spreadsheet, a risk analysis requires that companies take specific actions to address identified risks, based on their priority.
6. Protect other data besides card numbers - One of the clearest definitions of going "beyond PCI" is the organization that applies the PCI security controls to social security numbers, account numbers, and other confidential data. The key is defining and enforcing a "data classification" scheme.
7. Monitor service providers and partners - PCI only requires a letter of agreement that a service provider will adhere to PCI. Leading firms are doing real due diligence of their service providers and partners. Some are sending out questionnaires, others are sending auditors to review the security of their service providers.