Once compliance has been successfully achieved, the last thing an organisation wants is to drop its guard and lapse into non-compliance the following year. This could be costly not only in terms of increased fees and fines from the Acquirer, but could also mean that a data breach becomes more likely.
Compliance clearly doesn’t equal 100% security guarantees, but if key processes and controls have lapsed to the extent that an organisation can’t prove they are working effectively, then this doesn’t bode well in terms of potential incidents and the overall security posture of the business.
In fact, as the Security Standards Council have stated:
“research conducted by Verizon from 2011 through 2013, found that organizations that suffered a data breach were less likely to be compliant with PCI DSS than other organizations. In addition, the same research showed that many of the organizations that were assessed as being non-compliant at the time of their breach had successfully complied during their previous PCI DSS assessment and had lapsed back into non-compliance.”
So how do you reduce the risk of this happening?
There is no magic wand to wave. What it comes down to is ensuring that security controls continue to be properly implemented by treating PCI DSS as a business-as-usual (BAU) activity. This means that continuous security and compliance practices must be baked into the culture and daily operational activities of the company. Furthermore, it is a successful practice to integrate PCI DSS compliance with a larger security control framework, to allow security teams to focus on a single set of goals rather than trying to accommodate multiple, possibly conflicting, sets of security compliance requirements.
An annual PCI DSS assessment can only validate the state of compliance at the time the assessment is carried out. It is not necessarily a great indicator of how well the business is maintaining its PCI DSS controls between assessments. That said, some of the newly mandatory 2018 requirements (see article “Raising the Bar”) do appear to be moving in the right direction, with requirements for quarterly reviews by service providers to ensure policies and procedures are being adhered to (requirements 12.11 and 12.11.1), and for ensuring that the CDE is kept up to date after significant changes (requirement 6.4.6).
Here are some questions that you should consider:
- Have PCI DSS security requirements been integrated into daily business and operational procedures? For example, does your change management procedure have an explicit reference to PCI DSS, to prompt thought and ensure the implementer doesn’t adversely impact required controls?
- Is the effectiveness of security controls required by PCI DSS monitored on a continuous basis? For example, is your File Integrity Monitoring (FIM) working correctly? Are alerts from system logs being reviewed on a daily basis?
- Are there sufficient resources in place to sustain these processes?
- Has ownership for coordinating security activities and PCI DSS compliance been appropriately assigned? Is executive-level sponsorship also in place?
- Do you have risk reduction processes in place? For example, are metrics used to provide indicators of security control performance?
Companies must guard against overconfidence or potential complacency and make sure that sufficient resources are devoted to regularly monitoring the effectiveness of security controls and compliance programs.
PGI, as a QSA company, can provide support for this by carrying out regular, scheduled reviews of critical controls and processes. This can ensure that there are no shocks or surprises uncovered during an annual attestation exercise.
PGI believes that cyber security doesn’t need to be overly complicated, incomprehensible or vastly expensive. We specialise in delivering cyber security services and protection, and offer a range of training courses to upskill your staff to tackle cyber threats in-house.