The importance of policy management in meeting PCI compliance
Today, policy compliance transcends what are typically thought of as the main department drivers, namely HR and IT. A well-established and supported security policy sets the tone for an organization and informs personnel of what is expected of them. A failure to measure, monitor and manage policy compliance can damage corporate and personal reputations, as well as exposing organizations to fines and lost revenue.
The security of card payments is an issue that the major credit card brands (American Express, Discover, JCB, MasterCard and Visa) take incredibly seriously. As such, Requirement 12 of the Payment Card Industry Data Security Standard (PCI DSS) aims to ensure that merchants and service providers accepting credit card payments drive cultural change within their organizations, so that the security of their systems and processes is given the appropriate consideration.
The Payment Card Industry Security Standards Council (PCI SSC), responsible for PCI DSS, is putting greater emphasis on the processes supporting security by improving an organization's policy and risk assessment processes. Specifically, it wants to see greater emphasis on year-round adherence to the PCI DSS, managed and measured on a consistent basis, as Troy Leach, CTO of the PCI SSC, explains: “The question that the new standard will help merchants to answer is, ‘Do we have the culture to protect our customers’ cardholder data every day and every hour that we’re doing business?’”