PCI DSS: Ensuring ongoing compliance
Paul Traill, Senior Information Security Consultant
Once a status of compliance has been successfully achieved, the last thing an organisation wants is to drop its guard and lapse into a state of non-compliance the following year. This could be costly not only in terms of increased fees and fines from the Acquirer (link to terminology post), but could also mean that the likelihood of a data breach is more possible.
Compliance doesn’t equal 100% security guarantees, but if key processes and controls have lapsed to the extent that an organisation can’t prove they are working effectively, then this doesn’t bode well in terms of potential incidents and the overall security posture of the business.
In fact, as the Security Standards Council have quoted:
…research conducted by Verizon from 2011 through 2013, found that organizations that suffered a data breach were less likely to be compliant with PCI DSS than other organizations. In addition, the same research showed that many of the organizations that were assessed as being non-compliant at the time of their breach had successfully complied during their previous PCI DSS assessment and had lapsed back into non-compliance.
How can you maintain PCI DSS compliance?
There is no easy, magic wand to wave. What it comes down to is ensuring that security controls continue to be properly implemented by ensuring that PCI DSS is considered a business as usual (BAU) activity. This means that continuous security and compliance practices must be embedded into the culture and daily operational activities of the company. Furthermore, it is a successful practice to integrate PCI DSS compliance with a larger security control framework, to allow security teams to focus on a single set of goals rather than trying to accommodate multiple—possibly conflicting—sets of security compliance requirements.
An annual PCI DSS assessment can only validate the state of compliance at the time the assessment is carried out. It is not necessarily an accurate indicator of how well the business is maintaining its PCI DSS controls between assessments. Although, with some of the requirements that became mandatory in 2018 (see our article, ‘Raising the Bar‘) this does appear to be moving in the right direction, with requirements for quarterly reviews by Service providers, to ensure policies and procedures are being adhered to (requirements 12.11 and 12.11.1); and ensuring that the CDE is kept up to date after significant changes (requirement 6.4.6).
Here are some questions that you should consider:
Have PCI DSS security requirements been integrated into daily business and operational procedures? For example, does your change management procedure have an explicit reference to PCI DSS, to prompt thought and ensure the implementor doesn’t adversely impact on required controls?
Is the effectiveness of security controls required by PCI DSS monitored on a continuous basis? For example, is your File Integrity Monitoring (FIM) working correctly? Are alerts from system logs being reviewed on a daily basis?
Are there sufficient resources in place to sustain these processes? Has ownership for coordinating security activities and PCI DSS compliance been appropriately assigned? Is executive-level support also in place?
Do you have risk reduction processes in place? For example, are metrics used to provide indicators of security control performance?
How PGI can help
Companies must guard against over confidence or potential complacency and make sure that sufficient resources are devoted to regularly monitoring the effectiveness of security controls and compliance programs.
PGI – as a QSA company—can provide support for this by carrying out regular, scheduled reviews of critical controls and processes. This can ensure that there are no shocks or surprises uncovered during an annual attestation exercise.