One important step in maintaining compliance with the Payment Card Industry Data Security Standard, he says, is to make compliance part of day-to-day business practices.
"PCI often is seen as a project with a beginning and an end," Simonetti says during this interview with Information Security Media Group. "But PCI compliance is ongoing."
Simonetti's suggestions for continuing to improve compliance include:
- Properly allocate resources, such as money, time and people;
- Actively maintain compliance year-round;
- Bake compliance into the overall security program;
- Leverage compliance as an opportunity to realize a return on investment; and
- Focus on scoping compliance to reduce the scale: "Make compliant what really needs to be compliant," he says.
Too many organizations get hung up on focusing time and attention on the wrong things, Simonetti adds. "Only a specific part of the IT should be compliant," he says. "Segregating the PCI environment would help."
Improving Card Security
Verizon's newly released 2014 PCI Compliance Report is based on findings from hundreds of PCI-DSS assessments conducted by Verizon's team of PCI Qualified Security Assessors from 2011 through 2013.
But the new Verizon report finds that PCI compliance rates actually have improved. The average compliance rates for such factors as firewall configuration, for example, increased in 2013, Simonetti says.
The U.S. probably has fewer payment card breaches than other parts of the world; it's just that breaches in other markets often are not reported, Simonetti says. "There is a big difference between the U.S. and other parts of the world," he says. "Many, many countries don't have to notify consumers when there is a breach."
But the use of legacy mag-stripe card technology in the U.S. is clearly a weak point, Simonetti says, and a shift to chip cards that use the EMV standard would boost security for in-person transactions. He adds, however: "As the trend moves to more online transactions, even to new channels such as secure online payments, the need for EMV might be lower in the future."
EMV is not part of the PCI Data Security Standard, although it has been recognized by the PCI Security Standards Council as a complementary card security technology.
During this interview, Simonetti also discusses:
- How PCI compliance can provide a return on security investments;
- Three areas where retailers struggle when it comes to PCI compliance; and
- Opportunities banking institutions have to offer their customers services that will help them maintain ongoing PCI compliance.
Simonetti is the managing director of the PCI practice at Verizon Enterprise Solutions.