Assessing the Pros and Cons of PCI SCC | eWeek

PCI SCC Turns 10: A Look at Its Strengths and Weaknesses

PCI DSS
Sep 1, 2016
4 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More


PCI DSS Turns 10: A Look at Its Strengths and Weaknesses

1 - PCI DSS Turns 10: A Look at Its Strengths and Weaknesses

Ten years have passed since the implementation of PCI DSS, designed to bolster security of payment cards. How effective is it?


Positive: Sets a High Bar

2 - Positive: Sets a High Bar

For an industry to assess how well it’s doing, there needs to be an objective standard against which to make that judgment. The PCI DSS has set that bar.


Positive: Establishes a Strong Starting Point

3 - Positive: Establishes a Strong Starting Point

The PCI DSS has served as an effective starting point for many organizations that are looking for a baseline to protect their customers’ payment card information. The process of identifying where payment card data lives, targeting vulnerabilities that could enable a compromise, remediating those vulnerabilities and reporting to acquiring banks and card brands is a fundamental aspect of a strong information security program.


Advertisement

A Plus and a Challenge: Constant Updates Need Constant Attention

4 - A Plus and a Challenge: Constant Updates Need Constant Attention

The PCI SSC constantly updates the PCI DSS so organizations can stay ahead of the latest threats and better protect their customers’ payment card data, even as their business environment becomes more complex. Since 2006, when the first version of the PCI DSS was released, the PCI SSC has updated it seven times. The constant change is necessary to keep up with the evolving technical and business environment; however, it also can pose a significant challenge, especially to smaller merchants who are struggling to keep up.


Positive: Quarterly Vulnerability Scans Are Important

5 - Positive: Quarterly Vulnerability Scans Are Important

The PCI DSS mandates that organizations perform quarterly vulnerability scans and report their remediation results to auditors. The scans are in addition to the comprehensive annual PCI DSS assessments. With or without these requirements, organizations should follow best practices on a continuous basis. For those that do not, at least customers are ensured that a minimal amount of attention is being paid to identify and remediate vulnerabilities a few times a year.


6 - Positive: Checks In on Weak Links

The latest version of the PCI DSS, PCI DSS 3.2, adds a requirement for third-party service providers—which, as demonstrated by the rash of high-profile breaches during the past few years, continue to be a weak link for information security. PCI DSS 3.2 mandates that service providers perform quarterly reviews to ensure personnel are following security policies and operational procedures. Providers are also required to perform penetration testing on segmentation controls at least every six months.


Challenge: Often Seen as ‘Check-the-Box’ Routine

7 - Challenge: Often Seen as 'Check-the-Box' Routine

Too many organizations still approach PCI DSS compliance with a check-the-box mentality, often going through the motions to meet the requirements and not practicing good cyber-security hygiene overall. Organizations need to approach cyber-security from a risk-based point of view, making cyber-risk management a continuous priority as they do all other operational risks.


Advertisement

Challenge: It’s Hard for Large Organizations to Stay Ahead of the Curve

8 - Challenge: It's Hard for Large Organizations to Stay Ahead of the Curve

Large organizations with distributed legacy environments (such as multiple generations of point-of-sale systems located in hundreds of stores, running on proprietary terminals) struggle to maintain compliance with the ever-evolving PCI DSS. When the standard is updated, organizations scramble to make sure their technologies and security controls are also updated to comply, which is a tricky task when the environment is distributed globally. If organizations implement strong cyber-security protections from the get-go, then they can stay ahead of the curve of PCI DSS compliance.


Challenge: Automation Must Replace Manual Process

9 - Challenge: Automation Must Replace Manual Process

For many organizations, reporting on compliance quarterly and annually is a time-consuming, manual task that involves extracting data into spreadsheets that are stitched together to present to auditors. Manually compiling cyber-risk information into various spreadsheets is a daunting, distracting, resource-intensive effort that forces security teams to take their eyes off the ball of protection. Cyber-risk reporting must be automated, not only for PCI DSS auditors but, more importantly, so that security executives, line-of-business application owners and boards of directors understand how well they are protecting their crown jewels.


Challenge: Errors, Bias Inevitably Get Into the Process

10 - Challenge: Errors, Bias Inevitably Get Into the Process

In addition to the effort and distraction of manually compiling PCI DSS compliance reporting, inevitably, errors and bias will creep into the data. In some cases, organizations run out of time to collect the data and, therefore, use outdated information from past reports. If organizations adopt automation for collecting, analyzing and reporting cyber-risk information, then all stakeholders will be working off the same set of data.


Challenge: Intra-Enterprise Process Coordination Necessary

11 - Challenge: Intra-Enterprise Process Coordination Necessary

The PCI-DSS compliance process requires coordination between compliance, security, IT and line-of-business application owners. Often, the dance between these many parties is broken, resulting in firefighting and last-minute reactive activity. To stay ahead of the game, line-of-business application owners should be made an integral part of protecting the applications and data that they own, and not just a peripheral sign-off along the way.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.