PCI Compliance: Security Gaps
Verizon's Thapar on 2015 PCI Report's Key Findings
Over the past few years, payments-related data breaches have caused CEOs to resign, customers to flee and stock prices to tumble. The importance of compliance with the Payment Card Industry Data Security Standard cannot be overstated. However, the recent 2015 PCI compliance report finds that organizations find sustaining their compliance to be a challenge.
"Four out of five companies are failing their PCI compliance in the interim assessment, indicating they have failed to sustain the security controls they put in place," says Ashish Thapar, executive consulting partner and head of professional services, Asia, for Verizon Enterprise Services.
India is a unique market where card usage is expected to grow at a very high pace, he says. The government's stand on de-incentivizing cash and incentivizing card payment to keep tabs on the prevalence of black money and off-the-books transactions is going to contribute to this trend.
In the majority of cases, companies that have fallen victim to breaches were found to be non-compliant at the time of compromise, according to Verizon's study. Thus, compliance is increasingly being discussed at the senior-most levels in Indian organizations. PCI compliance is considered good hygiene and, in some cases, is even marked as a qualifier in bidding processes and proposals in India. Awareness is at an all-time high, thanks to efforts by regulators such as the Reserve Bank of India.
"Indian organizations need to mature and recognize that compliance is not something that should be treated as your end objective, but rather a by-product of strong governance and risk management practices," Thapar says.
In this exclusive interview with Information Security Media Group, Thapar discusses the key findings and insights from the 2015 Verizon PCI compliance report and its implications for the region. He also shares insights on:
- The state of compliance in Indian organizations and the challenges;
- Recommendations on the approach to compliance in India;
- Some predictions for the Indian card ecosystem.
Thapar has almost 13 years of experience in IT and information security, providing industry-leading services and support for both enterprise and government/PSU organizations. He is a PCI Qualified Security Assessor, and his domain experience spans designing, implementing and managing information security management systems for multiple organizations.