Why Is PCI DSS So Hard?

Sushim Mukul Dutta4/4/2023 5 Min Read

From the Official PCI Security Standards Council


The PCI Data Security Standard (PCI DSS) applies to all entities that store, process, and/or transmit cardholder data. It covers technical and operational practices for system components included in or connected to environments with cardholder data. If you accept or process payment cards, PCI DSS applies to you.


In laymen terms, any system, storage or data transfer architecture which deals with cardholders data, has to abide by PCI DSS.

This may sound simple and can be accounted for, however, in actual practice, achieving PCI-DSS becomes a notoriously difficult task for many organisations for the following reason(s)

  • Missing data visibility and accountability--- This fundamentally becomes one of the biggest challenges with achieving PCI-DSS today. Security practitioners have close to zero or no visibility as to where the data lies. Even when they do, they rely heavily on DevOps teams to understand the data context.


  • Difficulty in Mitigation and Remediation due to lack of understanding--- Once the data context has been explored, the next phase of problems lies with the data ownership and remediations. While Security Practitioners have the data insights, mitigating cardholder data handling remediations have been a classic problem for them. In many cases, practitioners know the problem, but not how to fix them, and rightly so, as there is no "one shoe that fits all" types of remediations, which can be applied to all cardholder data problems.


  • At the same time, Security Practitioners are not supplied with enough understanding of the data flow, or engineering guidance to remediate the issues. These end up creating a lot of dependency on Data Engineering teams to assist the practitioners with the insights they need and further apply the remediations.


  • The disconnect happens, largely due to knowledge barriers. While Security Practitioners knows the issues, but not how to remediate them; the Data Engineers knows the fixes but not the problem itself. And even the Data Engineers are not supplied with adequate information to remediate the issues highlighted by the security practitioners.


  • Difficulty in validation and lack of continuity post-implementation--- After the application of recommendations, validating the alterations is the next hurdle to cross. Once you have secured the cardholder data, how does one know that it will continue to remain secure? Furthermore, if it's not secure, the practitioners are in the dark, till the problem is surfaced to them because of incidents like data breaches and hacks. Simply put, PCI DSS is a continuous process and to remain compliant, the process has to be repeated over cycles.


  • Scale and Lack of Automation --- All the problems listed are largely impacted by the scale of operations. Just to put things in perspective, a South-Asia HQ'ed ride-hailing organisation, handling more than 10 PB of data monthly, with roughly 18k engineers; has a team of merely 10 security practitioners to maintain compliance!


  • There has been a massive boom in e-commerce, especially with new-age payment mechanisms. With most of the process of achieving PCI DSS being manual, the resource crunch adds to the problem. Midscale organisations end up allocating more than a quarter of their annual cycle to achieve PCI DSS. Moreover, the process has to be flexible enough to adapt to the new resources being allocated every day, new backend services spun up across all new business verticals, thereby inducing delays in every step.


At Borneo, as Prithvi Rai mentions here, we have exhaustively interviewed security practitioners at all levels, to understand the gaps and build to solve the above problems.

Unlike traditional ecosystem compliance solutions, Borneo's PCI DSS Assistant helps practitioners get started within minutes of provisioning. With the help of the following features, Borneo's PCI DSS Assistant


  • Step by step guidance --- Borneo's PCI DSS Assistant guides you with your setup of the system, and constantly monitors your progress throughout the journey. The assistant provides you with intelligence insights and nudges to keep you focused on track of achieving PCI DSS.
  • Size doesn't matter --- Irrespective of how big your data footprint is, Borneo's platform uses its intelligence-driven algorithm to get you insights about your priority data stores and helps focus on the most important problem to solve. Post going through the onboarding flow, the user receives actionable insights within the hour!



  • Actionable Insights --- All the incidents reported have enough engineering context on how to remediate the issues. Not just that, with support for multiple integrations like Jira, Splunk and Slack, these incidents are assigned to the owners of the system, automatically.


PCI DSS Priority focused incidents, helps isolate signals from the noise


Borneo Incidents Capture enough data context with suggested remediations for mitigating the issue


Borneo Incidents are directly integrated into the developer workflows like JIRA


  • ROPA Report ready --- Borneo's PCI DSS provides a Record of Processing report which can be shared with the PCI auditors with a click of a button.


PCI Compatible ROPA report with security posture and data insights for every data source


  • Continuous Observability --- Borneo constantly runs in the background without impacting business outcomes, and observes for changes in security or data posture impacting PCI DSS.


Continuous Monitoring of Security and Data Posture impacting PCI DSS


With Borneo's PCI Compliance Solution, organisations gain continuous PCI DSS compliance, within days instead of months, without impacting business.

Want to see Borneo's PCI Solution in action? Request for a quick demo with us!




What is Borneo?

Borneo helps security & privacy teams achieve continuous compliance and data protection through accurate & actionable data discovery.

Want to watch Borneo in action? Request a demo here and we will get back to you soonest.

Similar Posts

Remote Work @ Borneo (from day 1)

Teck Wu3/28/2023 - 6 Min Read

10x Engineer — Learning your tools and other hacks

Teck Wu4/3/2023 - 7 Min Read

Privacy Observability — Why Is It Needed Urgently?

Teck Wu4/4/2023 - 4 Min Read

Choose real-time data protection. Choose Borneo.

Manage risk, increase trust, and accelerate innovation across your entire data ecosystem.