For any enterprise that deals with customer payment card information, compliance with PCI DSS is critical. Noncompliance can result in heavy fines, and the data breaches that noncompliance makes more likely can severely damage both a company’s brand and its bottom line. It’s to be expected, therefore, that the vast majority of companies subject to PCI DSS are in compliance at all times—but, surprisingly, that’s not the case. A recent report from Verizon Communications shows that “four out of five companies fail interim compliance assessments for payment card data security,” as Steven Norton reported for WSJ.com.
How could that be, when complying with PCI DSS guidelines is mandatory for companies that accept payment cards from the major card issuers?
The biggest culprit may surprise you. It’s none other than that enterprise cybersecurity boogeyman, shadow IT.
Companies put strict controls around systems and processes [to ensure data security and PCI compliance], but even a slight change to those systems can render controls obsolete. For example, an employee may deploy an application that takes payment cards in a part of the business that falls outside the scope of a particular PCI control. Shadow IT practices can exacerbate those issues.
Thanks to the increasing changeability of enterprise IT environments, PCI compliance is a moving target at the best of times, BT Security president Mark Hughes observed for WSJ.com, and out-of-control shadow IT may make compliance a sheer impossibility. Unfortunately, shadow IT is a problem just about everywhere.
So what should organizations do to ensure that shadow IT and IT-sanctioned architectural changes don’t put them out of compliance?
The first step, of course, is to gain control of shadow IT using tools like CipherCloud for Cloud Discovery. Identifying and assessing the shadow IT applications in use at your organization is a critical step in the process of enabling secure cloud solutions that reduce employees’ temptation to adopt shadow IT applications.
In addition to controlling shadow IT, however, organizations must also implement a unified, centralized solution for protecting all data governed by PCI DSS. To help ensure continued PCI compliance, look for a cloud data protection solution that puts control of encryption keys exclusively in your organization’s hands, supports encryption key rotation, and enables easy, granular, and detailed activity logging and compliance auditing through features.
PCI compliance is a necessity and a useful first step towards cloud data security for organizations that handle customer payment card information. Though it may seem complex, the right tools and approach can make it much less of a headache than it would be otherwise.
To learn more about how CipherCloud enabled regulatory compliance in the cloud for 5 banks dealing with 10 laws in 20 countries, start by downloading our free whitepaper, “Best Practices for Cloud Information Protection in Financial Services,” today.