Payment Card Industry Compliance: Are Companies Really Compliant?

By Protiviti Inc.

The Payment Card Industry Data Security Standard (PCI DS ) is a multifaceted document with 12 security sections and more than 250 individual requirements contained in the supporting detailed audit procedures. Even the most established and capable Level 1 merchants have trouble translating all the requirements in order to become 100 percent PCI-compliant. As part of the process to achieve compliance, the PCI Security Standards Council created a self-assessment questionnaire (SA Q) for Level 2 merchants and below to "simplify" the process. The problem with the selfassessment questionnaire was it merely summarized the larger PCI DSS and supporting detailed audit procedures. This simplification or summarization of an already complex document has, in some cases, provided merchants with a false sense of compliance. Although many merchants consider themselves compliant, it is not uncommon to find 160 of the 250 controls deficient when subjected to a comprehensive gap analysis.

At the heart of the PCI DS is how best to protect the many varieties of cardholder data that all merchants possess. Cardholder data exists in many different forms, and whether it is in applications, databases, files, email, removable media or paper, its location must be identified. Only after all cardholder data repositories and transit paths are identified can merchants begin to effectively evaluate their environments against the PCI DS requirements.