Bad news: according to Verizon’s 2019 Payment Security Report (PSR), there was a 15.85% fall in global PCI-DSS compliance in 2018 as compared to 2017. This is a big problem.
In a world where sensitive personal information is continuously under threat from cybercriminals, it is imperative that organizations put in place security policies and controls that help protect their data from unauthorized access.
The Payment Card Industry Data Security Standard (PCI-DSS) came into being to protect payment-related data and particularly targets all organizations that handle payment cards, both debit and credit.
Unfortunately, compliance is falling, but why? There is no doubting the seriousness of cyber threats and their evolving nature. Here are five reasons organizations seem to find it difficult to comply with PCI-DSS regulations:
1. Failing to accurately strategize compliance efforts
A focused and comprehensive approach towards compliance is needed if companies are serious about compliance. A compliance process begins by gaining more awareness about data, its location, and its flow within the organization and externally. It then moves on to identifying the right controls to put in place to protect the data you want to protect.
Focus should be on the effectiveness of security solutions and their ability to ensure sustainable compliance through ease of use and management. What’s more, it is imperative that, when controls are deployed, the company is able to monitor their efficacy.
An inability to approach compliance with a well-thought-out, comprehensive strategy has a domino-like impact on the various elements of your security posture. One piece falls, and every other piece follows suit.
2. Organizations are failing to see compliance as an ongoing activity
It’s not that organizations have chosen to be lax about PCI-DSS compliance – they just take their eyes off the ball unintentionally between compliance audits (compliance audits happen every year).
Companies that decide to meet PCI-DSS compliance requirements (yes, all 12 of them) and also succeed in proving compliance are losing steam somewhere along the line. They fail to give as much importance to maintaining compliance as an ongoing activity.
It’s the sustainability factor that is missing, and this results in falling compliance rates.
3. Disparate systems result in performance management issues
PCI-DSS compliance rests on 12 pillars – essentially a set of security controls that must be implemented in order to reach peak compliance. This requires organizations to deploy a set of security solutions as a means of risk mitigation, monitoring, and control.
Often, companies put in place a set of security systems from disparate vendors in order to meet different compliance requirements. This is a recipe for disaster.
These systems might not work well together, resulting in security gaps that can be exploited by cybercriminals using advanced malware distribution and attack techniques.
4. Lack of the right cybersecurity talent, resulting in a lack of comprehension of security issues
One of the more serious cybersecurity challenges is the lack of availability of talent who can manage an organization’s cybersecurity infrastructure and keep it optimized.
For many who have achieved PCI-DSS compliance, this lack of resources means they are unable to treat it as an ongoing process that needs to be sustained over the long term. Instead, once they’ve achieved compliance, there’s little or no follow-up. Matters are allowed to drift until the next audit, when there is once again a scramble to achieve compliance rather than keeping up with that compliance in the interim.
5. Compliance is not made a part of the larger cybersecurity paradigm to build a strong security infrastructure
All compliance requirements, whether for PCI-DSS or other regulations, need to fit into larger security objectives. They must address the ever-growing range of cybersecurity challenges your business will encounter. Compliance cannot be treated in isolation; it needs to tie in with this broader objective.
What’s more, meeting the requirements of one set of compliance regulations can result in strengthening your security posture to meet the obligations of others. Problems arise when a company sees PCI-DSS as the end goal rather than a brick in an extensive cybersecurity infrastructure wall.
Sophos supports an organization’s efforts to achieve PCI-DSS compliance
We can help you leverage an integrated, layered, and automated approach to security that protects your data against advanced cyberattacks and, at the same time, offers single-pane-of-glass visibility and control.
Sophos delivers Synchronized Security, where different security solutions from endpoint, network, and mobile to Wi-Fi, email, and encryption all work in perfect synergy with one another, sharing information in real time and automatically responding to incidents.
Sophos helps you put in place PCI-DSS-driven security controls with XG Firewall, Endpoint Protection, Intercept X for Server, Intercept X for Mobile, Sophos SafeGuard Encryption, and much more.
Learn how the next-gen portfolio of Sophos products comes together to help your organization achieve PCI-DSS compliance with this PCI-DSS compliance card.