UK Level 1 merchants that accept Visa payments and process more than 6 million transactions annually will need to comply with the original v1.2 PCI guidelines by September 30, 2010. The deadline means Level 1 merchants must demonstrate that they are fully compliant or risk being fined for non-compliance. This deadline comes as the European director for PCI, Jeremy King, is raising awareness of PCI across Europe.
PCI compliance might have been around for some time, but merchants are still struggling to get their heads around the requirements. The September 30th deadline mandates that Level 1 merchants now comply with the original v1.2 guidelines. However, the compliance puzzle doesn’t end there. Version 2.0 is just around the corner, meaning merchants need to be concerned not only with their ability to prove compliance with v1.2, but also with the steps they need to take to reach the next stage of compliance.
All too often, organisations fall into the compliance trap and focus all their efforts on meeting the requirements of a new deadline, without thinking about the bigger picture. This broken compliance strategy is not only costly, but ineffective when it comes to security. Taking a myopic view of regulatory compliance creates a situation where merchants are constantly reinventing the wheel, wasting time and effort, and ultimately blowing security budgets.
Merchants must avoid detaching risk management from compliance. PCI standards are designed as a starting point for building a strong security posture, but they are specifically concerned with payment card data. To achieve true, continuous security across all aspects of the organisation, merchants should consider the following:
- Avoid a silo approach – don’t separate compliance and risk management
- Gain visibility across security controls and regulatory compliance
- Ensure processes are manageable, automated and repeatable to enable 24×7×365 compliance and security
- Enforce security policies with operational endpoint management
- Prevent the execution of malicious code by allowing only approved applications to run in an environment – this can be achieved with intelligent whitelisting
- Centralise data gathering to ease compliance reporting and audit workflows