The Path To Compliance

If an organisation accepts payments on Visa, MasterCard, or American Express cards, it is obliged to comply with the PCI Data Security Standard. The standard therefore applies across many sectors, including the vast majority of retail chains, many financial services organisations that take card payments, and some public sector organisations such as local authorities and government agencies.

The Challenge

Addressing the requirements of the PCI Data Security Standard poses a number of significant challenges:

• Significant technology changes need to be implemented at all point of sale systems, but these mission-critical systems are often already struggling to keep up with peak performance demands

• The standard acknowledges that strict compliance may be impossible, but it is not clear what is required instead

• The standard demands a cross-organisational effort to improve information security, which increases the complexity of the change programme and the risks it carries. If the PCI efforts are not championed by senior management, the risk of failure is very high

• The compliance landscape is complex, involving payment card schemes (Visa, MasterCard, AmEx), acquiring banks, and qualified security assessors among others. Effectively managing these relationships is crucial to achieving compliance in a pragmatic and cost-effective manner

What we recommend is..

• Use best-practice approaches to analyse risks and define appropriate mitigations

• Engage compliance stakeholders, get buy-in for a risk-based programme of change

• Mobilise an effective and realistic programme to deliver the required compliance and risk reduction

• Ensure that PCI solutions deliver ongoing risk reduction and compliance