10/08/2024 | News release | Archived content
Creating and maintaining a sustainable PCI DSS compliance program is a crucial and complex task for organizations to protect payment card transactions and uphold consumer trust. However, despite the PCI DSS standard being around for almost 20 years, many organizations still struggle to achieve and validate compliance with it.
In April 2016, the PCI Security Standards Council (SSC) introduced the Designated Entities Supplemental Validation (DESV) framework, which provides guidance for maintaining consistent PCI compliance, particularly for higher-risk entities. In our work with clients, we have utilized this framework and expanded on it based on our own experiences and lessons learned over the years. In this summary, we offer key best practices to enhance the maturity of your PCI program.
To ensure a successful PCI compliance program, it is imperative to provide effective training that educates personnel not only on the security of cardholder data and required controls but also on their specific roles and responsibilities within the program. Therefore, training should extend beyond general PCI awareness and be tailored to the different types of stakeholders involved.
In summary, a sustainable PCI DSS compliance program requires a strong governance structure, specialized training, effective scope management, robust compliance maintenance and verification practices, and tools and processes for efficient handling of PCI compliance tasks and continuous improvement. All these components form an ecosystem designed to protect cardholder data consistently while adjusting to evolving threats, technology advancements, and changes in business priorities and objectives.
Protiviti professionals can assist organizations at various stages of their PCI compliance journey, offering expertise in building programs from scratch or enhancing existing ones.
For additional information, examples and insights, visit Protiviti's Data Protection web page. Protiviti is not a law firm, and nothing within this paper should be relied on for legal purposes. Clients should always seek legal advice from inside or outside counsel.