Many organizations struggle with the Payment Card Industry Data Security Standard. Lockpath’s Dennis Keglovits outlines what organizations can do to get ready for the requirement now and to maintain compliance with PCI DSS going forward.
The Payment Card Industry Data Security Standard (PCI DSS) is a requirement for any entity that stores, processes or transmits customer cardholder data, and it is essentially designed to help prevent fraud for both consumers and businesses. However, the guidelines have left many organizations struggling – not due to a lack of knowledge, but because the requirement is far more comprehensive and technical than other industry standards.
PCI DSS pushes organizations to achieve six distinct goals with the aim of protecting payment systems and cardholder data. The typical organization is not prepared to manage the countless areas that need to be controlled across a payment IT infrastructure.
Specifically, the requirements supporting the objectives force organizations to manage, govern and integrate different departments within the organization, including IT, security, compliance, risk and incident response. Those managing PCI DSS compliance quickly realize the effort to effectively achieve the six goals requires PCI DSS to be a proactive, day-to-day part of their business.
Some of the more common challenges of PCI DSS include:
- Understanding your vulnerabilities – Assessing assets and applications for secure configurations, identifying outdated software and issuing security patches, and addressing security flaws in custom applications often require time and resources that are unavailable.
- Making sure everything is up to date – Requirements, business objectives, assets, incident response plans and other items vital to PCI compliance can change in an instant. Without effective governance and management processes, organizations don’t know when they are out of compliance.
- Confirming third-party service providers are compliant – Employing third-party service providers (TPSPs) can aid PCI programs; however, the organization is still responsible for how third parties handle its data. Gaining insight into TPSP processes and ensuring they are PCI compliant is a challenge in itself.
- Obtaining timely information – Creating reports for PCI compliance in a timely manner is always a challenge. This is especially true when different data types must be combined and communicated in a meaningful way to different audiences.
The following steps will help organizations effectively address common compliance challenges and better govern and manage PCI programs.
Conduct Risk Assessments
Risk assessments inform the organization of what is at risk; where it is vulnerable; and where controls, policies and procedures could mitigate risk. Organizations that comply with the regulation start their PCI program by conducting a risk assessment on their payment card system, which can identify broken or ineffective processes. Third parties that process or manage data should also be assessed on a regular basis. Assigning risk scores to findings enables the organization to assign appropriate mitigation plans and to better prioritize remediation efforts.
Continuously Monitor for Vulnerabilities
Many common vulnerabilities involve the misconfiguration of back-office systems and assets like web servers. One effective approach to mitigating vulnerabilities is continuously monitoring the configuration of IT assets and analyzing the collected data against industry-standard benchmarks like CIS, ISO and NIST. This not only decreases the chance of a breach, but also protects payment card data.
Review the Controls Environment
Having basic security controls is essential for payment card security. A lack of these controls is a top reason many organizations fail their interim compliance assessment. In an ever-changing threat environment, improving controls such as access provisioning is challenging. Periodically testing controls improves your ability to identify low-performing, redundant, conflicting and ineffective controls and keeps the baseline set current.
Leverage Policies and Procedures
A well-run PCI DSS program requires participation and collaboration between all parts of the business. The trouble is, such a program often interrupts employees’ daily responsibilities. It creates an environment where needed actions fall through the cracks and produce more confusion. By including PCI requirements in company policies and procedures, employees can integrate compliance activities into daily operations and make PCI compliance business-as-usual.
PCI compliance involves many parts of the business, not just the compliance function. The parties involved have different levels of understanding of business needs, vendor relationships, compliance, IT and audit requirements, which creates challenges. An organization's ability to adopt technology that offers integrated risk management and continuous security monitoring is an increasingly valuable asset for complying with PCI DSS and adapting when the standard changes. The flexibility of such technology can help mitigate the inevitable extra costs encountered when solving compliance issues.
Having an agile system in place is necessary to manage the challenges of PCI DSS compliance in 2020 and years into the future. The system integrates all the relevant data and activities from across the business; addresses the needs, roles, responsibilities and processes of all stakeholders involved in PCI DSS compliance; and helps effectively address the day-to-day, quarterly and annual activities required to achieve PCI compliance.