The PCI DSS standards are designed to ensure that companies which process, transmit or store customer credit card information, or whose systems can affect the security of that information, protect this data appropriately. The process for becoming PCI certified includes passing a yearly audit during which security controls are evaluated.
For many years, that meant a company with controls in place during the audit could be deemed compliant even if those controls were not maintained for the remainder of the year. This left organizations scrambling every year to prepare to report PCI DSS compliance, and it also risked creating and fostering a vulnerable environment between audits.
Beginning with version 3.0 in 2013, PCI DSS placed a strong focus on making compliance Business as Usual (BAU) rather than preparation for the annual audit. Seven years later, the COVID-19 pandemic has shown why businesses should follow this advice.
In this post, we’ll discuss the steps that an organization can take to ensure that PCI compliance becomes part of its daily business.
PCI DSS BAU Recommendations
The PCI Security Standards Council encourages organizations to move from a focus on passing yearly audits to integrating PCI compliance practices into their daily operations. To help with this, the Council has provided six recommendations for implementing PCI DSS business-as-usual practices.
Monitoring Security Controls
The first recommendation for implementing PCI DSS as business as usual is to properly monitor that security controls are functioning. To be compliant with PCI standards, businesses are required to implement certain security controls to protect customer credit card information at rest and in transit within the network. Sample controls include firewalls, anti-virus, and access control functionality.
In order to pass audits and renew their PCI DSS certification, organizations must evaluate and update these systems on an annual basis. Making PCI DSS business as usual involves performing evaluations and updates on a regular basis to ensure cardholder data is appropriately protected throughout the year rather than just during the PCI DSS audit.
Responding to Security Control Failures
No security is perfect. Even if every security control in your environment is regularly monitored and updated, there is still the possibility that something will fail. This best practice deals with the steps an organization needs to take in the event that one or more of its security controls fails. The current version of the PCI DSS standard recommends the following steps:
- Restoring the security control: The failed security control is an essential part of an organization’s PCI DSS compliance strategy and must be restored as soon as possible.
- Identifying the cause of failure: Restoring the security control is pointless if it is left in a vulnerable state. The cause of failure needs to be identified and addressed.
- Identifying and addressing any security issues that arose during the failure of the security control: Failure of the security control leaves the data vulnerable and may have allowed other controls to be damaged or sensitive data to be stolen.
- Implementing mitigation to prevent the failure of the control recurring: Once the scope of the incident has been determined, steps need to be taken to prevent it from recurring.
- Resuming monitoring of the security control: Once the control is functional again, monitoring should resume, possibly at a higher level than normal for a while to ensure that the mitigations are effective.
The impact and cost of a security incident are directly correlated to the length of time between the initial intrusion and the response: organizations that identify an incident and quickly move to respond have lower losses.
Having a detailed incident response plan with assigned tasks and roles can help an organization identify and respond to an intrusion before it becomes a costly breach. The PCI DSS has added requirements for service providers to define and deploy processes to detect and report the failure of critical security controls and to restore them in a timely manner.
PCI Change Request Reviews
Organizational goals and structure change over time, and the organization’s network needs to grow and adapt to meet these needs. The main concern when changing network architecture is the continued effectiveness of the associated security controls. Traditionally, this means building a strong perimeter and deploying monitoring and alerting solutions to report on anomalies on the network perimeter and internal devices.
With PCI DSS compliance, an additional consideration is how the cardholder data environment (CDE) is secured and related to the rest of the network.
Computers and network segments with access to cardholder data are required to have certain security controls mandated by the PCI standard. Changes to the network architecture, even as simple as modified firewall rules between the CDE and larger network, can change the PCI DSS scope, making it necessary to reevaluate security controls, vulnerability scanning targets, and other compliance-related activities.
Documentation that carries dates can demonstrate that security efforts occur throughout the year, not just prior to the audit.
To ensure accurate and timely documentation, integrate it into the process. For example, have a ticket created for a firewall review that is closed only when the review and remediation are completed.
Organizational Structure Changes
Changes in organizational structure can impact the scope and requirements for PCI DSS compliance. For instance, mergers and acquisitions can bring in new sources of protected data or change the size and landscape of an organization’s CDE as new departments and capabilities are integrated into an organization’s environment.
Updating the organizational PCI DSS compliance plan after such an event can be a major undertaking and the groundwork for it should be laid well in advance of the event itself. Waiting until the modifications are in place to develop a plan for securing new and existing assets can put an organization out of compliance and payment card data at risk.
The fact that one or both of the organizations involved were PCI DSS compliant prior to the merger will do little for the company image if a post-merger breach reveals customer cardholder data.
Periodic PCI DSS Reviews
Developing a set of policies and procedures is only half the battle in meeting PCI compliance standards. If employees and service providers are not following policies or some procedural oversight has allowed new technology to be deployed and configured in a way that violates PCI DSS requirements, then the organization is not compliant and credit card data is not protected despite what corporate policy says.
The PCI Security Standards Council recommends periodic PCI DSS reviews as a best practice for making PCI DSS compliance business as usual. This review should include both making sure that the organization is currently in compliance and that all of the appropriate records are being retained in preparation for the annual compliance audit.
Hardware and Software Reviews
While hardware and software may have been capable of meeting PCI DSS and organizational security requirements at the time of purchase, this may no longer be the case. Once hardware or software has reached end of life, the vendor will cease providing security updates, leaving the devices potentially vulnerable to attack.
PCI best practices recommend that all software and hardware within the enterprise be checked on an annual basis to determine whether or not they are still supported by the vendor. If not, a remediation plan should be developed to either replace the unsupported components or to deploy additional security controls to maintain compliance.
Making PCI DSS Compliance Business as Usual
Performing compliance checks and mitigations solely on an annual basis may leave sensitive customer data vulnerable at times during the year. That vulnerability could be exploited, resulting in a supposedly compliant company having to explain why customer data was exposed.
Ensuring compliance throughout the year is a win for all parties since customers’ data is appropriately protected and the workload of maintaining compliance is spread out over the entire year. The recommendations outlined by the PCI Security Standards Council are a great starting point for making PCI DSS compliance business as usual.
If you are unsure if your organization is subject to the PCI standards or need help adapting these recommendations to meet your organizational needs, Avertium’s PCI DSS QSAs stand ready to help your organization to become and stay compliant.
Don’t wait for the next crisis to prove you should make PCI DSS business as usual. Reach out to start the conversation.