Managing PCI Compliance – How to Improve Your PCI Compliance This Year
Survive the holidays? How about your company’s PCI compliance? It seems that for many businesses, the first thing that suffers during the holiday crunch is anything that doesn’t bring in additional sales and revenues. Among them, maintaining PCI compliance.
The increase in transaction volumes tends to complicate the challenges of storing, transmitting, tracking, and monitoring credit card numbers. While that may not directly impact a company’s PCI compliance status, it does often shift focus away from the task of mitigating risk and maintaining compliance.
As you know, the holidays are a time when cybercrime peaks. Companies need to be particularly vigilant—despite the rush. Because the last thing you want is a hefty PCI fine negating all the hard work and long hours you and your staff put in. Worse still, if credit card numbers were to be disclosed, the damage to your business’s reputation would far exceed any fine that could be imposed.
Hindsight Provides a 20/20 View
As you look back on the holidays, here are some questions you might want to ask yourself:
• How many people did it take to maintain PCI compliance through the holiday season? What did that cost you?
• Does the compliance solution you’re using now cover all 12 PCI categories? Are you integrating point products yourself? How many vendors are involved?
• Do you have enough storage? Is it online? Any transmission issues? Are you assigning IDs to each credit card transaction? Is that working?
• Did you put any processes in place to enable automation and scalability of meeting compliance requirements? How did those processes work out?
• What are your plans for automating and enabling scalability and manageability going forward? As your business grows, are you going to be set for 2011? What about 2012? Beyond that?
• Do you have an integrated platform with a single console for reporting and managing?
• In terms of sales figures, did you do any better than last year? Are you going to take advantage of the improving economy to reinvest in your business? Are you going to make similar investments in compliance solutions to protect your customers?
What to Look for in a PCI Compliance Solution
Most midsize and large retailers are looking for ways to improve operational efficiency of managing security and compliance. Here are a few suggestions to help you do a better, more cost-effective job of protecting company and customer information.
Holistic Compliance Calls for Broad Coverage
Using point products for the various PCI categories isn’t efficient or secure. And the burden is on you. You have to find products to cover all 12 categories, integrate them if possible, learn different interfaces, keep specialists on staff for each product, maintain multiple licenses and vendor relationships, and somehow still ensure nothing falls through the cracks. And the more products involved, the worse the situation is. Achieving PCI compliance requires merchants and service providers to address approximately 180 individual requirements across 12 categories. Look for a security and compliance platform that covers as many of the 12 categories of the PCI standards as possible. That way, you can take a more holistic, integrated approach to securing your information and meeting compliance. Of course, solution quality counts.
Large Transaction Volumes Scream for Automation
One goal with compliance is to reduce the number of people required to achieve and prove it. If yours is a successful business, the number of customers and the volume of data are only going to increase. If you have a semi-manual process, it’s just going to impede your ability to stay on top of issues, especially during peak volume times like the holidays. Automation is the only way to realistically and cost-effectively handle increasing volumes without hiring more and more internal auditors. The more automated you are, the better you can handle increased volumes without hiccups. Then, you can stay focused on bringing in additional revenues for the business. You want compliance to be as seamless and invisible as possible. Using automation, you can conduct your internal audits, hand those to external auditors, and be done with it. As a retailer, you’re not in business to handle PCI compliance. You’re in business to make sales and serve customers.
Manageability Demands Integration
When you have multiple point products in place to handle your compliance requirements, you almost invariably have multiple management consoles, too. Often, that means you have to keep multiple people on staff to manage all the disparate consoles. And what do you do when one of those people is out of the office? It seems like Murphy’s Law always comes into effect: The moment that a certain person is out, there’s a problem with whatever their specialty is. Look for a platform product that offers you a single unified console. A single pane of glass for managing and reporting on security, risk and compliance across your business. Something that offers a consistent look and feel across all the various tools and capabilities needed to meet PCI compliance. This approach enables a single person to manage it all (versus multiple people running multiple consoles). An integrated platform should give you the capability to run dashboard views as well. At a glance, your internal auditors as well as managers can see your compliance status.
Overcoming the ROI Hurdle
Of course, the major cultural barrier to any successful project is always one of demonstrating return on investment to the business. This is especially the case when projects include large, multiphase implementations. Be sure to seek out a scalable platform that dramatically accelerates the pace at which you can demonstrate returns to the business and achieve a higher level of IT accountability. The software must maintain a continuously controlled environment in which to enable automation. Without a controlled change environment, all investments in automation and efficiency produce poorer returns than they should because they are essentially aiming at a moving target. Conversely, total visibility into change through a centralized console provides the ability to selectively enforce change policies on local and distributed servers with immediate impact.
Make 2011 Your Year for Continuous Compliance
Now that the holiday crunch is over, it’s a good time to take stock of where your business is with regard to PCI compliance. Make a plan—a resolution, if you will—to take a larger, more holistic approach to managing compliance. One that provides categorical control over IT infrastructure, enabling you to fulfill the difficult PCI requirements and validate PCI compliance in a more efficient and cost-effective manner.