Importance of Governance in PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that organisations adhere to in order to accept, process, store, or transmit credit card information. PCI DSS has recently released version 4.0 of its standards, which aims to provide increased security and flexibility for organisations handling payment card data. This article marks the first in a series that will provide an in-depth exploration of the areas that would help organisations with the transition and implementation of the new controls.

The new standards aim to address the evolving threat landscape and ensure that businesses are able to protect sensitive payment data from breaches and cyber attacks. The implementation timeline for PCI DSS v4 is set for 31st March 2024 with some controls allowed to be implemented by 31st March 2025. Organisations are encouraged to start preparing for the changes now.

One thing most organisations do not appropriately implement is the set of governance controls needed to manage, maintain and ensure compliance with the standard. Governance is a key component of PCI compliance and helps organisations maintain a secure environment for sensitive payment card data. By implementing effective governance practices, organisations can demonstrate their commitment to security and build trust with customers and other stakeholders.

Here are some reasons why we review the governance principles and the organisational behaviour when we are helping organisations with PCI compliance:

  • Establishing a clear chain of command and accountability helps ensure that everyone understands their role in maintaining PCI compliance and can take the necessary steps to protect sensitive data.
  • Developing and maintaining a strategy and roadmap for compliance helps the senior management to measure, track and monitor the progress of implementation of the security controls against defined targets and timelines. This would increase the accountability and improve the implementation process where required.
  • Ensuring and enforcing policy adherence through regular security audits, regular software updates, and mandatory employee training on acceptable security practices for handling cardholder information, whether directly or through a contracted third party.
  • Maintaining documentation of the necessary security artefacts, such as security processes, policies, procedures, and audit trails, so that it is complete, up to date, and easily accessible.
  • Continual improvement through regular monitoring to identify areas for improvement, implementing the necessary changes, and tracking progress over time in line with the strategic objectives and the roadmap.

We have noted several instances where organisations have faced serious consequences due to the lack of appropriate governance and absence of a strategy for PCI compliance. Some of the major consequences are:

Fines and penalties due to unidentified areas of non-compliance

This can result in substantial fines from card brands and financial institutions, and the costs can quickly add up.

Loss of reputation and customer trust

A data breach or a security incident that results from a lack of governance can damage an organisation's reputation and cause customers to lose trust. This can result in a loss of business and a decrease in revenue.

Legal liabilities

Organisations that fail to protect sensitive payment card data can be held liable for any losses incurred as a result of a security breach resulting in costly lawsuits and settlements.

Technical issues

Without proper governance, organisations may not know whether they have the necessary systems, processes, and procedures in place to detect and respond to security incidents in line with PCI requirements.

Reactive security measures

Without a strategy and a roadmap for transitioning to the new standards, an organisation would struggle to promptly assess its third parties' security controls and its own security controls in line with the new requirements set by the Council.

In summary, a lack of governance and strategy for PCI compliance can result in a wide range of negative consequences for an organisation. By implementing effective governance and a comprehensive compliance strategy, organisations can reduce their risk, protect sensitive data, and maintain a secure environment for customers and stakeholders. Ultimately, the aim is to continue to promote the right behaviours through your governance principles and compliance arrangements.

For further information on our latest cyber security insights, please visit our homepage. If you would like to talk to us about how we can help inculcate good governance practices within your organisation and help you with your compliance arrangements, please reach out to Karthik Prabakaran (UK).


Contact us

Karthik Prabakaran

PCI DSS Lead, PwC United Kingdom

Tel: +44 (0)7802 660601