PCI DSS compliance has decreased dramatically: Verizon reported it fell for the second year in a row, from 52.5% in the company's 2018 Payment Security Report to 36.7% in 2019's.
Organizations must prioritize their PCI compliance policy to avoid a data breach. Simply put, brushing off data protection best practices in the hope that the organization will scrape by without a security incident is a risk no company should take.
The drop in compliance has many potential causes, but the security implications of PCI DSS noncompliance are more than clear.
Compiled here are four articles to equip enterprise leaders with context and expert recommendations on how to best tackle payment data protection and meet PCI DSS compliance policy requirements.
Avoid noncompliance penalties with a PCI DSS checklist
Complying with data protection regulations is an ongoing challenge for organizations -- even large ones with chief compliance or privacy officers or other designated compliance staff members. For SMBs, compliance is even more of a hurdle. Limited IT staff and budgets -- characteristics of SMBs -- are major obstacles to staying compliant.
Since GDPR's implementation, public awareness and conversation around data protection and compliance have grown. The compliance landscape is complicated and confusing for many organizations, especially with so many overlapping regulation requirements. In recognition of the challenges SMBs face when tackling data protection requirements, the U.K. government released checklists covering key compliance components.
Read up on these checklists and key industry-specific frameworks in this article to learn how SMBs can avoid steep penalties for regulatory noncompliance with data protection legislations, including PCI DSS.
Overlaps between GDPR and PCI DSS compliance policy
Organizations with the right PCI DSS best practices are on track to also be GDPR-compliant. For one, limiting the amount of customer and employee data retained can benefit organizations of all sizes. One of the principles of GDPR is: If a company does not need the data, it should not store it. This principle overlaps with other data protection regulations and should sound familiar to anyone versed in PCI DSS requirements, where one of the preliminary steps in an assessment is known as scope reduction.
Learn more about specific PCI DSS best practices that can help satisfy GDPR stipulations.
Address PCI DSS noncompliance with zero trust
The declining rates of PCI DSS compliance are worth examining. One way to get the attention of enterprise leaders, experts said, is to zoom out and frame compliance as a competitive advantage instead of a financial obstacle.
Here, zero trust can come into play. A new gold standard to mitigate security incident and data breach risks, zero trust includes many PCI DSS principles, including encryption, access management, segmentation and isolation. The difference is that zero trust extends to all sensitive information, not just payment card data.
Learn why experts maintain zero trust could be the logical solution to declining PCI DSS compliance rates.
How PCI DSS requirements can affect call centers
Anyone who has contacted a call center is familiar with the "this call is being recorded for quality assurance" disclaimer. Many companies that outsource their call centers may wonder how to handle the recordings, which may contain various personal data. Like any other form of customer information, call recordings must be treated with careful security attention.
As of 2011, recording systems that collect payment card data are considered in scope of PCI DSS and may face penalties for noncompliance. Learn how to handle call center data securely and in accordance with PCI DSS best practices.