Leveraging Risk Strategy to Move Beyond Check-Box PCI Compliance

Merchants often put compliance spending at the top of their list for budgeting purposes because the consequences of non-compliance can be expensive. Fear of increased processing fees from acquiring banks, penalties from credit card companies and the risk of brand and reputational damages can be quite compelling. 

However, compliance does not always equal security. Merchants can be 100 percent complaint and still be breached. The time has come to think beyond the Payment Card Industry (PCI) requirements and embrace a unique, holistic Secure Payment approach. Leveraging existing PCI compliance foundations and technology investments, while incorporating leading cyber security best practices, enables merchants to secure their entire payment lifecycle.   

The increasing popularity of simplified payment methods, such as PayPal, Apple Pay and Venmo, amplifies the importance of data privacy and the need to protect an organization – in addition to its customers. The attack surface continues to expand with the explosive growth of Point of Sale (POS) types and related applications creating more end points on-premises and in the cloud. As applications move to the cloud, exposure spreads – requiring different security techniques.   

Time for change. 

Merchants have a decision to make. Continue to invest budgets and resources in PCI compliance, leaving parts of the business vulnerable, or shift the paradigm and leverage those investments to secure the entire payment lifecycle. Continuing to add to existing technology debt is not sustainable in the long run. However, merchants need to evolve with new POS endpoints, launch new applications, expand loyalty programs and pursue digital transformation – all while protecting data and meeting compliance requirements. 

Transitioning to a focus on securing the entire payment lifecycle with risk-based decision making, rather than maintaining a laser focus on PCI compliance requirements and check-box compliance, can help merchants reduce priority juggling and optimize compliance spending. PCI compliance will become an intrinsic outcome of security instead of a separately funded and managed function. Tighter alignment of security and compliance means merchants can: 

• Protect cardholder data at rest and in motion  
• Identify, assess, qualify and manage risk in a prioritized manner 
• Secure applications across the payment lifecycle 
• Achieve security and compliance agility 

It’s time for merchants to consider risk beyond PCI requirements. A successful and comprehensive risk strategy considers risk inside and outside the cardholder data environment (CDE). Learn how to achieve a holistic payment security program by reading our white paper.