Title: Information security maturity model: A best practice driven approach to PCI DSS compliance
Authors: Semi Yulianto, Charles Lim, B. Soewito
Published in: 2016 IEEE Region 10 Symposium (TENSYMP), 2016-05-09
DOI: 10.1109/TENCONSPRING.2016.7519379 (https://doi.org/10.1109/TENCONSPRING.2016.7519379)
Citations: 24
Abstract
A successful PCI DSS implementation depends on the capability of the organization's information security function to provide effective safeguards for its information assets, with cardholder data security as the main concern. Many organizations fail to comply with the standard, which eventually results in fines or even termination of their ability to process credit cards. Clearly, an evaluation mechanism or tool to measure the current state of the organization's information security is needed. In this paper, an Information Security Maturity Model for PCI DSS (ISMM-PCI) with four maturity levels (None, Initial, Basic and Capable) is proposed. The ISMM-PCI combines quantitative and qualitative analysis, enhances the mapping of PCI DSS to ISO/IEC 27001, and focuses on improving the quality of people, process and technology. The model helps organizations identify key success factors and gaps (points of weakness), provides guidelines to better manage information security and formulate the best strategy for improvement, and raises the overall information security state by selecting the best security countermeasures (controls) to protect information assets from emerging cyber-attacks while achieving full PCI DSS compliance. The main advantage of ISMM-PCI over other ISMMs is its ease of use; the comparative analysis of the case results affirms this. ISMM-PCI may be used by a wide range of organizations regardless of size.