Data security challenges and threat vectors vary according to business or industry context, but all data security standards and governing legislation have one thing in common: they are all, fundamentally, mechanisms or strategies for protecting specific data within a particular environment.
Be it payment or cardholder data (CHD), private healthcare information (PHI), or some other form of personally identifiable information (PII), every industry has a unique data security perspective from which focused, specific administrative controls and best practices are designed and continuously refined.
Some view the cost of compliance as excessive or even prohibitive, but that's a short-sighted and typically fleeting perspective when compared to the alternative. Although an assessment does carry a substantial price tag, non-compliance is a potentially far more costly gamble considering the risk of accumulated, punitive fines that are levied after a lack of diligence leads to a system breach or data theft incident. The combined cost of a damaged reputation, mitigation efforts, paying fines or penalties, and then (assuming the organization has not already gone out of business) working through an assessment after the fact would dwarf the original ‘prohibitive’ cost of proactive compliance in the first place.
Payment Card Industry (PCI) security standards govern data protection for payments and payment credentials, while both the General Data Protection Regulation (GDPR) and the Personal Information Portability and Electronic Documents Act (PIPEDA) define liability and specific expectations for protecting data in an organization’s custody, for anyone living in the European Union or Canada, respectively.
Achieving compliance with GDPR, PIPEDA, or PCI is like reaching a destination, but of the three,
They are similar to PCI in spirit, but neither GDPR nor PIPEDA describes how to actually implement the protection requirements it defines or satisfy its prescribed security expectations in the real world. PCI is more than a complex list of stringent requirements and expectations. It also defines a formal, objective method through which organizations can demonstrate and ultimately prove that sensitive data for card-based payments and payment credentials is handled securely.
Data is data, whether it’s CHD, PII, or PHI, and even though PCI is focused on payment data and credentials, a substantial portion of PCI requirements are based on proven best practices that would be just as effective for protecting any other data type. While daunting, a PCI assessment truly is an optimal introduction to compliance, and the best, easiest means for establishing sound data-security posture that can be adapted to or even exceed GDPR
So, how do organizations avoid risking noncompliance while reducing and minimizing the total cost and complexity of a PCI assessment? One popular strategy is to outsource responsibility for a portion of assessment requirements to an already compliant, external scope-reduction product or service. Many such tools are available to choose from, but
After deployment, a
Achieving formal compliance indicates an organization’s commitment to security and data protection expectations. When PCI requirements have been satisfied (regardless of outsourcing or scope-reduction), applicable data environments are thoroughly hardened, meaning subsequent compliance with GDPR