PCI DSS – Ensuring Ongoing Compliance


28 Feb 2018

PCI DSS – Ensuring Ongoing Compliance

Once a status of compliance has been successfully achieved the last thing an organisation wants is to drop its guard and lapse into a state of non-compliance the following year. This could be costly not only in terms of increased fees and fines from the Acquirer, but could also mean that the likelihood of a data breach is more possible.

Compliance clearly doesn’t equal 100% security guarantees, but if key processes and controls have lapsed to the extent that an organisation can’t prove they are working effectively, then this doesn’t bode well in terms of potential incidents and the overall security posture of the business.

In fact, as the Security Standards Council have quoted:

“research conducted by Verizon from 2011 through 2013, found that organizations that suffered a data breach were less likely to be compliant with PCI DSS than other organizations. In addition, the same research showed that many of the organizations that were assessed as being non-compliant at the time of their breach had successfully complied during their previous PCI DSS assessment and had lapsed back into non-compliance.”

PCI DSS

So how do you reduce the risk of this happening?

There is no easy, magic wand to wave. What it comes down to is ensuring that security controls continue to be properly implemented by ensuring that PCI DSS is considered a business as usual (BAU) activity. This means that continuous security and compliance practices must be baked into the culture and daily operational activities of the company. Furthermore, it is a successful practice to integrate PCI DSS compliance with a larger security control framework, to allow security teams to focus on a single set of goals rather than trying to accommodate multiple, possibly conflicting, sets of security compliance requirements.

An annual PCI DSS assessment can only validate the state of compliance at the time the assessment is carried out. It is not necessarily a great indicator of how well the business is maintaining its PCI DSS controls between assessments. Although, with some of the newly mandatory 2018 requirements (see article “Raising the Bar”) this does appear to be moving in the right direction, with requirements for quarterly reviews by Service providers, to ensure policies and procedures are being adhered to (requirements 12.11 and 12.11.1); and ensuring that the CDE is kept up to date after significant changes (requirement 6.4.6).

Here are some questions that you should consider:

  • Has PCI DSS security requirements been integrated into daily business and operational procedures? For example, does your change management procedure have an explicit reference to PCI DSS, to prompt thought and ensure the implementor doesn’t adversely impact on required controls?
  • Is the effectiveness of security controls required by PCI DSS monitored on a continuous basis? For example, is your File Integrity Monitoring (FIM) working correctly? Are alerts from system logs being reviewed on a daily basis?
  • Are there sufficient resources in place to sustain these processes?
  • Has ownership for coordinating security activities and PCI DSS compliance been appropriately assigned? Is executive-level sponsorship also in place?
  • Do you have risk reduction processes in place? For example, are metrics used to provide indicators of security control performance?

Company’s must guard against over confidence or potential complacency and make sure that sufficient resources are devoted to regularly monitoring the effectiveness of security controls and compliance programs.

PGI as a QSA company can provide support for this by carrying out regular, scheduled reviews of critical controls and processes. This can ensure that there are no shocks or surprises uncovered during an annual attestation exercise.

———————————————————————————————————

PGI believes that cyber security doesn’t need to be overly complicated, incomprehensible or vastly expensive. We specialise in delivering cyber security services and protection, and offer a range of training courses to upskill your staff to tackle cyber threats in-house.

Want to know more about our PCI Compliance Advice, PCI Gap Analysis, Testing and Monitoring or Audit and Compliance Reporting? Please get in contact via our online form, directly through our email at clientservices@pgitl.com or call us on 0207 887 2699.

 

author

By Paul Traill

Senior Infomation Security Consultant

Share this article

RISK PORTAL

Your free global geopolitical
risk dashboard

PGI’s Risk Portal tool provides daily intelligence feeds, country threat assessments and analytical insights, enabling clients to track, understand and navigate geopolitical threats.

The Risk Portal gives users up-to-date information and analysis on global affairs.

The Risk Portal allows users to visualise information in a unique and instantly understandable way. Mapping filters enable the visualisation of incidents by threat category, time period, perpetrator and target type.

Risk Portal users can upgrade their accounts to include the Report Builder and Country Profile Generator features. The Report Builder allows users to select information, data and images from the Risk Portal and create bespoke reports and emails.

Subscribers to PGI’s Bespoke services receive tailored analysis on specific sectors and geographies of interest, delivered at a frequency they determine.

Visit the Risk Portal

GDPR Services

Making ongoing compliance easier for you and your business

GDPR is now in force – make sure your business meets the necessary requirements and assurance for all your customers and employees

PGI GDPR Services

A full audit of your business to assess the level of your compliance against GDPR requirements

Become GDPR compliant with minimal work – we’ll conduct an analysis, review, report and implementation of necessary changes to your business

We’ll carry out simple assessments of security to help you understand and mitigate the potential risks to your business

Find out more on GDPR

Compliance Services

Get your business ready to face the cyber challenge

We provide a full range of accredited, certified and bespoke services that assess the resilience of your cyber security posture

PGI GDPR Services

PGI’s Qualified Security Assessors (QSA) will help you meet Payment Card Industry Data Security Standards (PCI DSS)

Find out more on PCI DSS

Demonstrate your commitment to cyber security by achieving and maintaining accreditation for the globally-recognised information security standard

Find out more on ISO 27001

Expert assistance on the implementation and maintenance of governance requirements for personal data

Find out more on GDPR

Find out more on Compliance

Vulnerability Testing

Understand the threats of phishing and malware to avoid being targeted

Undertake our phishing capability assessment to reduce your organisation’s risk of of attack, by measuring the cyber awareness of your workforce.

Malware & Phishing Services

PGI will conduct a tailored phishing campaign, using multiple methods, to identify realism and train employees where necessary to mitigate future attacks

PGI monitor multiple metrics to identify the types of phishing, generate in-depth analysis reports and provide an informed decision to help improve your organisation’s level of security and awareness

Find out more on Vulnerability Testing

Cyber Security

Prevent attacks, respond to breaches and protect your business

Our bespoke range of cyber security services not only protect your critical assets but provide the education you need to keep your operations and data safe.

Malware & Phishing Services

implement the cost-effective cyber security measure launched by the government to prevent cyber-attacks, demonstrate commitment to your clients, and attract new business by being recognised as a secure organisation

Find out more on Cyber Essentials Accreditation

The most effective way to identify how attackers target your organisation’s weaknesses by evaluating your system and network security and reporting on any vulnerabilities that could lead to a business impact

Find out more on Penetration Testing

If your business has experienced breaches, network compromises or operational disruption, our team of cyber security specialists can deploy quickly, and efficiently begin the process of detecting and eliminating the threat

Find out more on Data Breach Response & Recovery

In the event of a computer security investigation, a vital part of the response process if making a copy of your data for safe forensic analysis. We will work with you to preserve and use this evidence to discover the extent of an intrusion

Find out more on Digital Forensics

Browse our Cyber Security services

Data Breach Response & Recovery

We prevent attacks, respond to security breaches, and protect your business

Our team of specialists can deploy quickly and efficiently to begin the process of detecting, eliminating and prevention of future threats of a breach.

Malware & Phishing Services

A vital part of the response process is making a copy of your data for safe forensic analysis. We will work with you to preserve and use this evidence to discover the extent of an intrusion

Find out more on Digital Forensics

We will identify and minimise the risks, as well as the possibility of future risks to your business

Consistent interaction with your management team and recommendations on how to approach all outcomes that need attention

Find out more on Data Breaches

Subscribe to our Cyber Bytes Newsletter

Keep yourself in the loop with PGI by signing up to our Monthly Cyber Bytes email. You will receive updates, tips and narrative around what has been happening in the world of information security.

Get in touch today

For more information on how we can help you or your business, please contact us via:

Related News

International Womens Day - Pioneering Women in Tec...

08 Mar 2017

Pioneering Women in Technology – Katherine JohnsonThe Oscar season has been and gone. The...

Read news article

Law Firms and why they need cyber security

07 Sep 2018

Why Law Firms need Cyber Security. Suffering a data breach can be devastating! From the experts at P...

Read news article

Content from the expert - GDPR and Cyber Governanc...

12 Jul 2017

Will there be a knock on effect regarding the General Data Protection Regulation (GDPR) after the UK...

Read news article
Back to the News Hub

+44 (0)207 887 2699
©2017 PGI - Protection Group International Ltd. All rights reserved.
PGI - Protection Group International Ltd is registered in England & Wales, reg. no. 07967865
Address: Unit 13/14, Swallow Court, Sampford Peverell, Tiverton, England, EX16 7EJ