

I’m going to refer back to something in a previous blog post, the one about Verizon’s 2012 Data Breach Report and what it said regarding PCI compliance.

One statistic they mentioned was that 96% of victims subject to PCI DSS had not achieved compliance.  What does that say?  Those organizations probably would have stood a better chance had they been compliant.

The PCI Data Security Standard, though judged harshly by some (usually those who are trying to get compliant), is a good security standard.  It is pretty specific, but if you’re following it, the security posture of your organization has improved.

The basics again:

  • Build and Maintain a Secure Network
  • Protect Cardholder Data
  • Maintain a Vulnerability Management Program
  • Implement Strong Access Control Measures
  • Regularly Monitor and Test Networks
  • Maintain an Information Security Policy

There are 200+ specific requirements under the above 6 headings.  To be considered compliant, you need to meet ALL 200+ requirements, or have compensating controls in place for the ones you don’t meet.

I too often hear, “We’re compliant.  We’re doing our quarterly scanning and completing our SAQ (Self-Assessment Questionnaire).”

Running some scans and checking some boxes does NOT make you PCI DSS compliant.