Analyst Advocates Embracing PCI for Better Business Security
As regulatory pressures build, PCI has become a particularly hot topic.
According to Forrester Research, some businesses believe the Payment Card Industry Data Security Standard (PCI DSS), a set of requirements for all card processors, is impossible to comply with, ineffective and of no value.
But PCI isn't going anywhere, so instead of fighting it, organizations that process card payments should embrace it, according to the research firm's new report, titled "PCI Unleashed: Using PCI as a Foundation for Security and Risk Management."
While meeting PCI requirements may seem like a nuisance, doing so adds value and security to organizations, Forrester said.
"Too many companies spin their wheels and complain about what they perceive as the negative or unjust parts of PCI," the research firm's John Kindervag said. "But the bottom line is, PCI is here to stay. It's time to move beyond complaining and embrace PCI to extract value."
Before integrating PCI requirements into their cardholder data practices, managers must first understand what it encompasses and why it's valuable, the report said.
The first key element of PCI is compliance, the act of meeting its requirements. The second is validation, which involves checking whether a business is in fact PCI compliant.
Most validations take place through self-assessment paperwork filled out by managers themselves, but large businesses and those that have experienced a data breach can expect to be visited by on-site assessors, Forrester said.
The third element of PCI is security, which refers to the motive behind PCI: to secure cardholder data. Executives must understand that every organization needs security and that it's a duty to their customers, the report said.
But processors shouldn't stop at becoming PCI compliant. The report said that PCI opens doors to more security initiatives and that businesses should use PCI as a launching pad for developing data security across the board.
"Unfortunately, many organizations consider PCI compliance to be their ultimate security goal," Kindervag said. "In reality, PCI should be the minimum baseline of security within a PCI-obligated organization. Once you have built the PCI foundation, you must continue to strive for enhanced security above and beyond PCI, according to your business needs."
In fact, gaining the ability to design a business-wide security framework is a key benefit of PCI compliance, the report said. PCI cardholder data requirements can be adapted to protect other forms of sensitive information, such as Social Security numbers, and the rules can be thought of as a set of best practices that can be applied to any information the business considers confidential.
One example of using PCI to launch other security initiatives is with ISO (International Organization for Standardization) standards. PCI was built on ISO standards and many requirements overlap, so organizations can easily become PCI and ISO compliant at the same time, Forrester said.
Another value of PCI is that it can lead to funding for new security initiatives, the report said. It raises awareness of data security, opening paths to executive sponsorship for security funding. Plus, since the ability to process debit and credit cards is vital, funding for PCI compliance can be considered necessary. This can unlock security budgets for many businesses, Kindervag said.
When becoming PCI compliant, cost is a factor, but Forrester researchers said it's worth the investment, since card data breaches can cost far more.
"The first question that always comes up when discussing the use of PCI as a security framework is always, 'How much will it cost?'" Kindervag said. "For companies bound to PCI, the answer is 'A lot less than the cost of a compromise.'"