The CISO’s Role in Improving PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) has been around in one form or another for more than 20 years. Protecting consumers from potential credit card fraud has taken on new focus during the pandemic as many companies are forced to rely on e-commerce to remain viable and more consumers are conducting business online to avoid crowds. However, just when compliance is needed more than ever, the “Verizon 2020 Payment Security Report” (PSR) shows that credit card security is getting weaker.

“In 2019, from the total population of organizations assessed on PCI DSS compliance, only 27.9 percent of organizations achieved 100 percent compliance during their interim compliance validation,” according to the PSR. This isn’t a one-time drop, but a steady decline over the past several years, including an 8.8% drop from 2018’s 36.7% rate of full compliance, and a whopping 27% drop overall from 2016, the PCI DSS compliance high point of just 55%.

“Unfortunately, we see many businesses lacking the resources and commitment from senior business leaders to support long-term data security and compliance initiatives. This is unacceptable,” Sampath Sowmyanarayan, president, Global Enterprise at Verizon Business said in a formal statement. “The recent coronavirus pandemic has driven consumers away from the traditional use of cash to contactless methods of payment with payment cards as well as mobile devices. This has generated more electronic payment data and consumers trust businesses to safeguard their information.”

Payment security is an ongoing business priority, he said, and the time has come for business leaders to accept that if they handle any type of payment data, they have a fundamental responsibility to their customers, suppliers and consumers.

PCI DSS Security Tenets

There are 12 PCI DSS security requirements:

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for employees and contractors.

Many of these should be basic security practices, and any that involve consumer-related data will also fall under other data privacy regulations. So why is full compliance dropping?

Compliance and Leadership Traps

One reason is that compliance and security aren’t the same thing, so the two don’t naturally cohere. The PSR lists seven traps that keep organizations from building a strong bridge between compliance and security:

  • Inadequate leadership. It’s not bad leadership, but a lack of proficiency in data security and compliance. One solution the PSR recommended is to give the CISO more autonomy to take full charge of security and compliance.
  • Failure to secure strategic support. Leadership must understand how PCI DSS compliance fits into business objectives, but, of course, that requires someone on the team with enough leadership experience to explain the big picture.
  • Lack of resourcing capabilities. It’s not only budgets. It’s having little to no skilled staff and the wrong or inefficient tools to organize data.
  • Falling short on sound strategic design. “If mature processes and capabilities are not clearly specified objectives in the strategic plan, it’s unlikely there will be maturity of data security capabilities,” the report stated.
  • Deficient strategy execution. You can have a great strategy, but it won’t work if leadership takes shortcuts.
  • Low capability and process maturity with lack of continuous improvement. Too many organizations aim for baseline security and compliance and then stop, neither adapting as threats change nor recognizing that the baseline may not meet their internal security and compliance challenges.
  • Communication and culture restraints. So much of security comes down to good communication between leadership and security teams, but if the CISO isn’t able to communicate with leadership, nothing will change.

The PSR makes clear that one of the greatest challenges to meeting PCI DSS compliance is the role of the CISO within the organization. The problems aren’t so much technical in nature, as the traps show, but are found in organizational weaknesses. With the creation of more formalized processes, providing the CISO with more authority and autonomy from the CIOs and others in the C-suite they traditionally report to, and defining a sound business model built on security and compliance, organizations will have a game plan—and the leadership to enforce it—for better PCI DSS compliance going forward.

Security Boulevard

Sue Poremba

Sue Poremba is a freelance writer based in Central PA. She’s been writing about cybersecurity and technology trends since 2008.
