Continual PCI compliance: Securing cardholder data on a year-round basis
WHITE PAPER
The Payment Card Industry Data Security Standard (PCI DSS) requires an annual compliance audit for organizations with a high volume of customer payment card (credit, debit or prepaid) transactions. The PCI DSS is designed to protect customer card information through continual compliance throughout the year, but many organizations focus on compliance only in the run-up to the audit. Unfortunately, many companies experience data security incidents because of this approach: they meet the letter, but not the spirit, of the regulations.
Beyond the exposure to data breaches that this approach creates, several penalties can be levied if a merchant is not compliant with PCI guidelines. The card brands impose fines based on transaction volume and previous infractions, and additional financial sanctions are often added by merchant banks, acquirers and card processors. Another key consequence of noncompliance is the significant reputational damage that follows the potential loss of customer data.
PCI DSS compliance is not optional; organizations are expected to maintain compliance on a constant basis. Achieving compliance can be a difficult task, especially for small and midsized businesses, but it is necessary to protect consumers and limit risk to the organization. Businesses must implement processes to assess their control framework periodically, and strengthen internal staff or leverage outside resources to help ensure PCI compliance and mitigate the risk of a data breach.