With bad actors and cybercriminals more sophisticated than ever, protecting payment data is key. Fortunately, PCI DSS compliance provides a robust defense.

Sophisticated criminal syndicates, rogue nation states and a global community of nefarious attackers are all eager to pilfer valuable data, including payment card information. Not surprisingly, Payment Card Industry Data Security Standard (PCI DSS) compliance is crucially important, and keeping the standard itself current is likewise critical. Slated to take effect when the current PCI DSS version 3.2.1 expires, the updated PCI DSS version 4.0 includes numerous updates and 64 new requirements designed to help organizations defend themselves more effectively against efforts to compromise and steal payment card data.

Compliance with PCI DSS v4.0 also helps defend against the three most common attack vectors identified in Verizon’s annual Data Breach Investigations Report (DBIR). Researchers for the 2023 DBIR identified system intrusion, social engineering and basic web application attacks as the attack patterns that most often led to breaches and data theft. PCI DSS compliance is a robust defense that significantly mitigates the risks of all three.

Cybersecurity experts at Verizon Cyber Security Consulting services draw on hands-on experience in solving payment card security challenges dating back to the formation of the PCI security regulation in 2002. The team offers organizations across the payment card industry a portfolio of practical and economical solutions that simplify the complexity of compliance management, delivering programs that produce sustainable, high-quality results.
“Over the past two decades of providing many of the world’s most successful companies and recognizable brands with the guidance and peace of mind that comes with a robust PCI DSS assessment and compliance program – as well as extensive security services for everything from penetration testing to security gap analysis and complete security program review – we’ve learned what constitutes a great defense,” says Kris Philipsen, managing director of Verizon Cyber Security Consulting.

This begins with having the right goal for a PCI DSS compliance program, Philipsen notes. The goal-setting effort must prompt enterprises to develop, maintain and continually improve their security, and it must include a mature control environment that offers reasonable assurance that payment card data is effectively protected in a sustainable manner.

More specifically, Philipsen stresses that an effective PCI DSS program is marked by five outcomes or characteristics:

Effective – key controls are proven to mitigate risks.
Efficient – executed without wasting resources.
Strategically aligned – with the organization’s business and security strategies.
Sustainable – PCI compliance is a marathon, not a sprint.
Improvable – allows for ongoing and measurable improvements.

“Success in PCI DSS compliance and enterprise-wide efforts to protect data is not determined by luck,” adds Philipsen. “It is an outcome achieved by design, in organizations where the importance of a great defense against today’s cyberthreats is not only endorsed and articulated from senior leadership, but ingrained in the corporate culture. The best defenders of payment card data are organizations that consider its safekeeping crucial. To these organizations, compliance with PCI DSS v4.0 is a mission-critical imperative.”

You can find more information on Verizon’s PCI DSS assessment here.
Security and compliance teams can also download the 2023 Payment Security Report insights for information on advanced PCI security program management and design.