Making PCI DSS Business as Usual
Learn how to achieve PCI DSS Business as Usual as part of your compliance.
The PCI DSS standard is designed to ensure that companies processing, transmitting or storing customer credit card information protect it appropriately. The process for becoming PCI certified includes passing a yearly audit in which security controls are evaluated, meaning that the minimum requirement for certification is ensuring that systems are compliant at the time of the audit.
The latest version of the PCI DSS places a strong focus on making compliance Business as Usual (BAU) rather than preparation for the annual audit.
In this post, we’ll discuss the steps that an organization can take to ensure that PCI compliance becomes part of daily business.
PCI DSS Business as Usual Recommendations
The PCI Security Standards Council is working to encourage organizations to move from a focus on passing yearly audits to integrating PCI compliance practices into a business’s daily operations. To help with this, they have provided six recommendations for implementing PCI DSS practices as Business as Usual (BAU).
Monitoring Security Controls
The first recommendation for implementing PCI DSS business as usual is to properly monitor the functionality of security controls. In order to be compliant with PCI standards, businesses are required to implement certain security controls to protect customer credit card information at rest and in transit within the network. Sample controls include firewalls, anti-virus, and access control functionality.
In order to pass audits and renew their PCI DSS certification, organizations must evaluate and update these systems on an annual basis. PCI DSS BAU involves performing evaluations and updates on a regular basis to ensure customer data is appropriately protected throughout the year rather than just leading up to a PCI DSS audit.
Responding to Security Control Failures
No security is perfect. Even if every security control in your environment is regularly monitored and updated, there is still the possibility that something will fail. This best practice covers the steps an organization needs to take when one or more of its security controls fails. The current version of the PCI DSS standard recommends the following steps:
- Restoring the security control: The failed security control is an essential part of an organization’s PCI DSS compliance strategy and must be restored as soon as possible.
- Identifying the cause of failure: Restoring the security control is pointless if it is left in a vulnerable state. The cause of failure needs to be identified and addressed.
- Identifying and addressing any security issues that arose during the failure of the security control: Failure of the security control leaves the data vulnerable and may have allowed other controls to be damaged or sensitive data to be stolen.
- Implementing mitigation to prevent the failure of the control recurring: Once the scope of the incident has been determined, steps need to be taken to prevent it from recurring.
- Resuming monitoring of the security control: Once the control is functional again, monitoring should resume, possibly at a higher level than normal for a while to ensure that the mitigations are effective.
The impact and cost of a security incident are directly correlated with the length of time between the initial intrusion and the response: organizations that identify an incident and move quickly to respond have lower losses. Having a detailed incident response plan with assigned tasks and roles can help an organization identify and respond to an intrusion before it becomes a costly breach.
Change Request Reviews
Organizational goals and structure change over time, and the organization’s network needs to grow and adapt accordingly. The main concern when changing network architecture is the continued effectiveness of the associated security controls. Traditionally, this means building a strong perimeter and deploying monitoring and alerting solutions to report on anomalies on the network perimeter and internal devices.
With PCI DSS compliance, an additional consideration is how the cardholder data environment (CDE) is secured and how it relates to the rest of the network. Computers and network segments with access to cardholder data are required to have certain security controls mandated by the PCI standard. Changes to the network architecture, even ones as simple as modified firewall rules between the CDE and the larger network, can change the PCI DSS scope, making it necessary to reevaluate security controls, vulnerability scanning targets, and other compliance-related activities.
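As an added illustration of the point above (example code written for this post, not a PCI SSC or Sword & Shield tool), the check below compares a current and a proposed firewall rule set against a list of CDE segments and flags any change that crosses the CDE boundary, so the change request is held for a scope review rather than approved on network grounds alone. The CDE subnets and rules are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed CDE segments for this example (assumed, not from the post).
CDE_NETWORKS = [ipaddress.ip_network("10.20.0.0/24"),
                ipaddress.ip_network("10.20.1.0/24")]


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    src: str     # CIDR; "0.0.0.0/0" means any source
    dst: str     # CIDR; "0.0.0.0/0" means any destination
    port: int    # 0 means any port


def in_cde(cidr: str) -> bool:
    """True if the CIDR overlaps any CDE segment (wildcards overlap everything)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.overlaps(c) for c in CDE_NETWORKS)


def review_change(current: list, proposed: list) -> list:
    """Diff two rule sets and return findings that should hold the change
    request until PCI DSS scope has been re-evaluated."""
    findings = []
    for rule in set(proposed) - set(current):          # rules being added
        s, d = in_cde(rule.src), in_cde(rule.dst)
        if not (s or d):
            continue                                    # never touches the CDE
        if rule.action == "allow" and s != d:
            side = rule.src if not s else rule.dst
            findings.append(f"SCOPE: new allow rule {rule} gives {side} connectivity "
                            "to the CDE; re-assess controls and scanning targets")
        else:
            findings.append(f"REVIEW: new {rule.action} rule {rule} touches the CDE")
    for rule in set(current) - set(proposed):          # rules being removed
        if rule.action == "deny" and (in_cde(rule.src) or in_cde(rule.dst)):
            findings.append(f"REVIEW: removing deny rule {rule} may open a path into the CDE")
    return findings


# Constructed sample change: a default deny into the CDE is dropped and a
# non-CDE subnet is granted HTTPS access to a CDE segment.
CURRENT = [Rule("deny", "0.0.0.0/0", "10.20.0.0/24", 0),
           Rule("allow", "10.20.0.0/24", "10.20.1.0/24", 1433)]
PROPOSED = [Rule("allow", "10.20.0.0/24", "10.20.1.0/24", 1433),
            Rule("allow", "10.50.7.0/24", "10.20.0.0/24", 443),
            Rule("allow", "10.30.0.0/24", "10.30.1.0/24", 80)]

if __name__ == "__main__":
    for finding in review_change(CURRENT, PROPOSED):
        print(finding)
```

Rules that never touch a CDE segment (the 10.30.x change above) pass without a finding, which keeps the check from turning every routine change into a compliance ticket.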
Organizational Structure Changes
Changes in organizational structure can impact the scope and requirements for PCI DSS compliance. Mergers and acquisitions can bring in new sources of protected data or change the size and landscape of an organization’s CDE as new departments and capabilities are integrated into an organization’s environment. Updating the organizational PCI DSS compliance plan after such an event can be a major undertaking and the groundwork for it should be laid well in advance of the event itself. Waiting until the modifications are in place to develop a plan for securing new and existing assets can put an organization out of compliance and put credit card data at risk. The fact that one or both of the organizations involved was previously PCI DSS compliant will do little for the company image if a post-merger breach reveals customer credit card data.
Periodic PCI DSS Reviews
Developing a set of policies and procedures is only half the battle in meeting compliance standards. If employees are not following policies or some procedural oversight has allowed new technology to be deployed and configured in a way that violates PCI DSS requirements, then the organization is not compliant and credit card data is not protected despite what corporate policy says.
The PCI Security Standards Council recommends periodic PCI DSS reviews as a best practice for making PCI DSS compliance business as usual. This review should confirm both that the organization is currently in compliance and that all of the appropriate records and log files are being retained in preparation for the annual compliance audit.
Hardware and Software Reviews
While hardware and software may have been capable of meeting PCI DSS and organizational security requirements at the time of purchase, this may no longer be the case. Once hardware and software have reached end of life, vendors cease providing security updates, leaving the devices potentially vulnerable to attack. PCI best practices recommend that all software and hardware within the enterprise be checked on an annual basis to determine whether they are still supported by the vendor. If not, a remediation plan should be developed describing either the additional security controls that will be implemented to achieve compliance or the replacement of the unsupported components.
Making PCI DSS Compliance Business as Usual
Performing compliance checks and mitigations solely on an annual basis potentially leaves sensitive customer data vulnerable throughout the year. This can be a burden as non-compliant activities can have effects that snowball into larger problems over time.
Ensuring compliance throughout the year is a win for all parties since customers’ data is appropriately protected and the workload of maintaining compliance is spread out over the entire year. The recommendations outlined by the PCI Security Standards Council are a great starting point for making PCI DSS compliance business as usual.
If you are unsure if your organization is subject to the PCI standards or need help adapting these recommendations to meet your organizational needs, Sword & Shield’s PCI DSS experts would be happy to help get you on the right track. We take the burden off you by providing expert Qualified Security Assessors (QSAs), security engineers, technical writers, and more to provide world class, competitively-priced PCI compliance services.
Contact us for a free consultation to get started!
Read “New PCI SSC Payment Security Tool Helps Small Merchants” to learn about the PCI DSS tool created to assist small merchants in fighting cybercrime.