Once compliance has been achieved, the last thing an organisation wants is to drop its guard and lapse into non-compliance the following year. This could be costly not only in terms of increased fees and fines from the Acquirer, but could also mean that a data breach becomes more likely.
Compliance clearly doesn’t equal a 100% security guarantee, but if key processes and controls have lapsed to the extent that an organisation can’t prove they are working effectively, then this doesn’t bode well in terms of potential incidents and the overall security posture of the business.
In fact, as the Security Standards Council has stated:
“research conducted by Verizon from 2011 through 2013, found that organizations that suffered a data breach were less likely to be compliant with PCI DSS than other organizations. In addition, the same research showed that many of the organizations that were assessed as being non-compliant at the time of their breach had successfully complied during their previous PCI DSS assessment and had lapsed back into non-compliance.”
So how do you reduce the risk of this happening?
There is no easy, magic wand to wave. What it comes down to is making sure that security controls continue to be properly implemented, by treating PCI DSS as a business-as-usual (BAU) activity. This means that continuous security and compliance practices must be baked into the culture and daily operational activities of the company. Furthermore, it is a successful practice to integrate PCI DSS compliance with a larger security control framework, to allow security teams to focus on a single set of goals rather than trying to accommodate multiple, possibly conflicting, sets of security compliance requirements.
An annual PCI DSS assessment can only validate the state of compliance at the time the assessment is carried out. It is not necessarily a great indicator of how well the business is maintaining its PCI DSS controls between assessments. However, with some of the newly mandatory 2018 requirements (see article “Raising the Bar”), this does appear to be moving in the right direction: there are requirements for quarterly reviews by service providers to ensure policies and procedures are being adhered to (requirements 12.11 and 12.11.1), and for ensuring that the CDE is kept up to date after significant changes (requirement 6.4.6).
Here are some questions that you should consider:
- Have PCI DSS security requirements been integrated into daily business and operational procedures? For example, does your change management procedure have an explicit reference to PCI DSS, to prompt thought and ensure the implementor doesn’t adversely affect required controls?
- Is the effectiveness of security controls required by PCI DSS monitored on a continuous basis? For example, is your File Integrity Monitoring (FIM) working correctly? Are alerts from system logs being reviewed on a daily basis?
- Are there sufficient resources in place to sustain these processes?
- Has ownership for coordinating security activities and PCI DSS compliance been appropriately assigned? Is executive-level sponsorship also in place?
- Do you have risk reduction processes in place? For example, are metrics used to provide indicators of security control performance?
Companies must guard against overconfidence or potential complacency and make sure that sufficient resources are devoted to regularly monitoring the effectiveness of security controls and compliance programs.
PGI, as a QSA company, can provide support for this by carrying out regular, scheduled reviews of critical controls and processes. This can ensure that there are no shocks or surprises uncovered during an annual attestation exercise.
PGI believes that cyber security doesn’t need to be overly complicated, incomprehensible or vastly expensive. We specialise in delivering cyber security services and protection, and offer a range of training courses to upskill your staff to tackle cyber threats in-house.
Want to know more about our PCI Compliance Advice, PCI Gap Analysis, Testing and Monitoring or Audit and Compliance Reporting? Please get in contact via our online form, directly through our email at email@example.com or call us on 0207 887 2699.