PCI DSS requirements companies hate to implement, and why we should embrace them
Most organizations initially approach PCI DSS compliance because they have to. Perhaps a business partner, customer, or their acquiring bank requested an update on compliance status. Regardless of the reason an organization initially begins working toward PCI compliance, it can rationalize its approach in different ways:
“Just pass the requirements to get certified now and fine-tune the program after,”
“Incorporate PCI compliance from the start to ensure we maintain compliance in the future,” or
“Map and integrate current cybersecurity practices to PCI requirements.”
One significant hurdle in these situations is how to implement and meet the requirements with as little pushback as possible, a.k.a. the human resistance to change. Not only does the compliance effort have to meet the PCI Council’s requirements, it must also balance the effective implementation of the PCI controls against the impact on system users, keeping that impact as small as possible (the unspoken rule of compliance integration), while still ensuring the assessment is successful.