Achieving PCI DSS Compliance

Take these steps to better protect citizen cardholder data.

Nearly all states and localities process credit card payments from citizens, making them unambiguously subject to the Payment Card Industry Data Security Standard (PCI DSS) and its 12 core requirements. Most of these are basic IT security measures that every organization should already have in place; but in truth, many still struggle to achieve and sustain compliance.

Whether PCI DSS represents the minimal floor or the aspirational ceiling for protecting cardholder data can be answered only from your organization's perspective. Few would seriously advocate a checkbox approach to compliance. But in the absence of more mature security programs, checking the boxes is better than doing nothing at all. The age-old problem remains that knowing the right things to do, and then doing them, is not always easy or convenient.

Organizations that succeed at PCI compliance tend to adhere to the following best practices:

1. Reduce the scope.

Our research at Aberdeen Group shows that only 49 percent of the lagging organizations currently map the flow of cardholder data and segment their networks where possible to isolate systems that store, process or transmit cardholder data from those that do not.

This critical step of PCI initiatives can significantly reduce the scope of compliance requirements.

2. Map and adapt.

Whether PCI DSS is used to guide the implementation of new or enhanced controls, or existing controls are mapped to the corresponding PCI DSS requirements, organizations should identify the gaps that need to be addressed to successfully report PCI compliance. These activities can be conducted with in-house resources if available or with a wide range of qualified external consultants and services.

3. Assign clear ownership.

Aberdeen found that just over half of the lagging organizations had given an executive or team clear ownership and responsibility for leading the PCI compliance effort. Experience tells us all that critical projects with clear accountability for results tend to succeed more often than those where ownership is diffused across multiple parties.

They may say "it takes a village," but the research shows that having everybody in charge usually translates to having nobody in charge.

75% Percentage of security breaches involving the compromise of point-of-sale devices

SOURCE: "2011 Data Breach Investigations Report" (Verizon Business, April 2011)

4. Commit adequate resources.

The corollary to clear ownership of critical projects is to fund them for success. Based on year-over-year comparisons, Aberdeen's research has shown that organizations are improving in their ability to estimate both the time and the cost to achieve PCI compliance, although they still underestimate the cost to sustain compliance by about 20 percent.

Unfunded mandates tend to struggle and quickly lose momentum, which perversely can make adequate funding even more difficult to achieve.

5. If you have to do it, do it well.

While all organizations that store, process or transmit cardholder information are compelled to achieve and sustain compliance with PCI DSS, these tasks are generally considered unrewarded risks in the sense that they do not lead to tangible business value. Worse, these activities can distract from investing in and managing the type of rewarded risks that really do matter: those that create value for citizens and advance the organization's mission.

Aberdeen's research has shown that once the processes for security or compliance are accepted as tasks that must be done, the top performers seek to optimize them for efficiency, allocate resources to minimize their ongoing operational cost and maximize the remaining investments to align with their mission.

In the case of addressing the requirements of PCI DSS, our studies show that the top performers achieve and sustain compliance at a 50 percent lower cost than all others, and that they dedicate sufficient resources for sustainable programs and continuous improvement. For more on the research, go to www.­

What Is PCI Compliance?

The Payment Card Industry Security Standards Council developed a unified, worldwide standard for best practices to protect cardholder data. All organizations that store, process or transmit cardholder information are required to implement the policies, processes and enabling technologies necessary to achieve and sustain compliance with PCI DSS.

The six high-level control objectives defined by the PCI DSS, and the 12 corresponding high-level security requirements, are summarized in the table below. At the next level of detail, there are more than 260 sub-requirements specified by PCI DSS version 2.0.

 Control Objectives  High-Level PCI DSS Requirements

 Build and Maintain a Secure Network

 1. Install and maintain a firewall configuration to protect cardholder data.
 2. Do not use vendor-supplied defaults for system passwords and other security parameters.

 Protect Cardholder Data

 3. Protect stored cardholder data.
 4. Encrypt transmission of cardholder data across open, public networks.

 Maintain a Vulnerability Management Program

 5. Use and regularly update antivirus software or programs.
 6. Develop and maintain secure systems and applications.

 Implement Strong Access Control Measures

 7. Restrict access to cardholder data by business need-to-know.
 8. Assign a unique ID to each person with computer access.
 9. Restrict physical access to cardholder data.

 Regularly Monitor and Test Networks

 10. Track and monitor all access to network resources and cardholder data.
 11. Regularly test security systems and processes.

 Maintain an Information Security Policy

 12. Maintain a policy that addresses information security for employees and contractors.

SOURCE: PCI Security Standards Council, February 2012

Mar 22 2012