Back in 2014, we examined in detail why PCI compliance should not be treated as an annual event. Since then there has been a raft of changes, in the form of PCI DSS v3.2.1 and other regulations coming into effect. With that in mind, we ask again: should PCI compliance still be treated as an annual event?
When we first posed this question, every company that had suffered a cardholder data breach was not PCI compliant at the time of the breach, and this is still true. Compliance lapses happen for several reasons, including:
- Cost – compliance can represent a large share of a business's annual operational budget
- Time – attaining compliance is not a quick fix and often takes months of preparation before the business is ready for a visit from the QSA
- Resources – the task of becoming or remaining compliant is often left to a single senior member of staff whose time is devoted solely to PCI DSS
With the introduction of PCI DSS v3.2.1, businesses must now provide evidence of compliance year-round and not just at the time of audit. At the same time, the General Data Protection Regulation (GDPR) has come into effect. As Tony Smith has pointed out, both sets of regulation sit on the same branch: a breach of PCI compliance is also a breach of the GDPR. If a credit card breach did happen, it could cost a business financially (fines of up to 4% of global turnover, and slumps in share price) and damage its reputation beyond repair, as the closure of Cambridge Analytica made evident. There is no longer any option here: PCI compliance cannot be treated as an annual event. With this in mind, what can businesses do to achieve year-round compliance?
To date, businesses have looked for ways of keeping cyber criminals out of vulnerable areas such as the contact centre, which is a prime target for attacks because it is full of sensitive credit card data. However, keeping attackers out is not always enough to prevent a breach. Solutions such as Agent Assist go one step further: by completely de-scoping the contact centre from PCI, you are not only compliant, you also ensure there is no credit card data for hackers to take in the first place.
To discuss the benefits of de-scoping your business, get in touch with one of our experts today.
*** This is a Security Bloggers Network syndicated blog from Knowledge Centre – PCI Pal authored by Geoff Forsyth. Read the original post at: https://www.pcipal.com/en/knowledge-centre/news/pci-compliance-is-it-still-an-annual-event/