Best Practices for Maintaining PCI DSS Compliance
Since the inception of the Payment Card Industry Data Security Standard (PCI DSS), compliance with PCI DSS has steadily increased among organizations that store, process, and transmit cardholder data. The increase in PCI DSS compliance rates can likely be attributed to increased awareness of the standard, evolutions in card brand compliance programs and mandates, and an overall increase in the maturity of PCI DSS. However, despite these improvements, statistics show that most of these organizations have yet to master ongoing PCI DSS compliance: only one in ten organizations maintain full compliance with PCI DSS at the time of their initial re-assessment following successful validation the year prior.
The PCI Security Standards Council recently published a document entitled “Best Practices for Maintaining PCI DSS Compliance,” which details seven best practices for maintaining PCI DSS compliance. It’s worth reviewing briefly here, but for a detailed discussion of the practices, refer to the document itself.
- Maintain the proper perspective. Before engaging in any ongoing compliance efforts, organizations must first understand that the primary function of the PCI DSS is to protect everyone in the payment chain—merchants, service providers, acquirers, issuers, the payment brands, and consumers—from damages resulting from the theft or loss of cardholder data.
- Assign ownership for coordinating security activities. Maintaining PCI DSS compliance requires a well-managed program to integrate security into the day-to-day activities of the organization.
- Emphasize security and risk, not just compliance. PCI DSS comprises a minimum set of security requirements for protecting cardholder data that apply to any organization that stores, processes, or transmits cardholder data.
- Continuously monitor security controls. Maintaining PCI DSS compliance requires that an organization have well-defined processes in place to review and reassess security practices, even in highly dynamic business environments.
- Detect and respond to security control failures. It is critical that organizations are able to detect failures in security controls during the control-review or control-monitoring processes. Organizations must have processes to respond to security control failures in a timely manner.
- Develop performance metrics to measure success. Organizations should quantify their ability to sustain security practices and PCI DSS compliance by developing a set of metrics that summarizes the performance of their security controls and security program.
- Adjust the program to address changes. Threats to an organization’s information security assets are constantly evolving.
Epicor Payment Exchange
With customers completing more than half of all purchase transactions using credit and debit cards, working with a payment processor is a fact of retail life. But, too often, getting those transactions processed is more costly and cumbersome than it should be. Epicor Payment Exchange handles all the key steps in accepting card payments: authorization, settlement, and reporting. Because Epicor Payment Exchange leverages technology and relationships that serve thousands of merchants, volume discounts get passed on, leaving more of every sale where it should be: on the bottom line.
With Epicor Payment Exchange, compliance with PCI and other requirements is simplified, thanks to advanced encryption and security technology. Its data security and compliance features include:
- Encryption of cardholder data to protect vendors and their customers
- Fully integrated technologies, from swipe to final settlement, ensuring the highest possible level of security
- Ongoing compliance with card industry security requirements, including PCI DSS
In today’s security environment, having a payment solution that meets the most rigorous security requirements is also an essential best practice. Learn how Epicor Payment Exchange meets this requirement, and see the business benefits the solution provides.
Post by Shay Smith, Sr. Manager, Epicor Payment Exchange