ArticleTrader.com
  

Pragmatic PCI Compliance

Submitted by andyeliason
Fri, 25 Apr 2008

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed by the industry to help merchants understand the activities and procedures necessary to protect sensitive cardholder data. PCI compliance, though, can be a time-consuming and resource-intensive endeavor. This does not, however, justify the tendency to put off your compliance.

A simple analysis of the costs and benefits of PCI compliance and the recent history of security breaches should be enough to convince any merchant of the necessity of information security. And yet, current trends say that while the level of compliance is improving, the industry is still very far from complete compliance.

Why would this be, you ask? Why, if the benefits are so clear, would anyone put off their compliance procedures?

The most obvious reason would be that long-term benefits, no matter how clear, often take the back seat when compared to immediate costs. But there are two things that need to be remembered here. First, long-term benefits imply long-term success. And isn't that what we should be focused on? Second, by taking a pragmatic approach to PCI compliance, merchants can work toward complying with the PCI mandates by employing a measured and strategic plan.

Your approach to PCI compliance begins, as they say, at home - with your own website and/or business procedures. You need to know where you stand on your own technology standards and how much you are already in line with, or missing out on, compliance standards.

An assessment of your company, your procedures, and your compliance is exactly what you need to serve as a foundation for future security efforts and strategic planning. This is the best way for a merchant to identify the gaps between current business practices and the required PCI compliance.

The PCI SAQ (Payment Card Industry Self Assessment Questionnaire) is a powerful validation tool to help merchants do just that. Recently this tool has also been upgraded to encompass the various scenarios that may be relevant to different companies. By completing the SAQ, a merchant can more easily record progress and plan for the future. If you're going to be pragmatic, these first steps are crucial.

The next step is to make sure the various departments within the company are working together to achieve PCI compliance. Each department must understand the importance of the PCI DSS and their own responsibilities toward it.

The twelfth requirement of the PCI DSS makes direct reference to this. It states that a company must: "Maintain a policy that addresses information security." It goes on to discuss how you must make sure that correct information is efficiently and completely disseminated throughout the company.

What's the best way to do this? It's the next step in this pragmatic approach - and that is to assign someone to be specifically responsible for PCI compliance. This person, or even this team, should be assigned the responsibility of seeing the strategic plans through to the end.

And the only way that is going to happen is if the management also understands the importance of the PCI DSS and fully supports this team in its actions. But this goes back to what was said earlier: that each department must understand its own responsibilities. And that certainly includes the management department. With the team to spearhead efforts, and the management to propel the efforts, pragmatic PCI compliance is within reach.

Still, some companies continue to put off their compliance measures - always planning to get to it eventually. This, however, only amounts to bad business practice, because the gap between compliance and current procedures will only grow larger.

But PCI compliance can be expensive and time-consuming. So what is a merchant to do?

Being pragmatic means doing what you can, when you can. And that includes the requirements of the PCI DSS. As resources and costs permit, you should do everything you can to reach compliance.

Outsourced payment processing has become a popular option because of the costs of trying to reach compliance in-house. This is often the more cost-effective way for many companies to start their journey toward being compliant.

Finally, as management and every other department in the company take on their appropriate responsibilities, regular meetings need to be held to make sure things are progressing as they are supposed to. PCI compliance is an important concept in today's modern business world, and a pragmatic, methodical approach can see it through.

About the Author

Andy Eliason is a writer at Main10, Inc. If you'd like to learn more about PCI compliance, or the PCI SAQ, visit Braintree Payment Solutions today.


Source: ArticleTrader.com
Creative Commons License
