Let’s be honest: PCI DSS compliance is viewed as a pain in the neck. It is seen by management in many companies as a big fire drill to check the compliance box, but without real business value. They see the scramble to test, remediate and report to achieve compliance, but they often cannot connect it to improvements in their actual security posture. The lack of perceived value is the result of the prevalent “compliant but not secure” mode of operation.
The fire drill typically includes the following scenario: A large company with tens or hundreds of legacy systems, some of which store its most valuable information, is tasked with complying with PCI DSS requirements and validating compliance in quarterly tests and annual audits. The systems are siloed, owned by different line-of-business and application owners, sometimes with their own IT and security experts. Each application and its associated infrastructure needs to be tested, scanned or otherwise validated to be in compliance. To minimize the potential negative impact on business-critical applications, testing and scanning need to be coordinated and scheduled with application owners. Results need to be communicated to those same owners and coordinated with IT administrators to apply the fix. After the fix is finally applied, the scans and tests need to be repeated to verify that the exposure no longer exists. All of this information changing hands starts out in vulnerability scanning and governance, risk management and compliance (GRC) tools, but most often ends up in spreadsheets and emails. Multiply those spreadsheets and emails by the number of components and stakeholders, and it is easy to see why the process overtakes the intended objective of cardholder data protection.
Meeting compliance requirements only on a quarterly and annual basis is like a CFO only reviewing and communicating financial numbers when formal reporting is required. In reality, CFOs watch their numbers carefully every day and communicate department-specific numbers to business managers so they can manage their piece of the corporate pie. As a result, when quarterly and annual financial reporting is required, it is a simple task to compile the data because it’s managed closely every day by every level of the organization.
A lot of ink has been spilled during the last decade talking about the concept of continuous compliance. Taking a step back, it’s really about continuous protection, which, if done well, results in seamless compliance. However, continuous compliance is easier said than done because, as described in the scenario above, it requires a tremendous amount of effort coordinating, assessing, remediating and reporting across potentially tens or hundreds of stakeholders. It involves a dance between the security team, which is concerned about vulnerability management; business owners, who are concerned about their application’s performance and stability; and IT administrators, who are tasked with patching and fixing. Everybody is doing their best to get the job done, but the underlying focus ends up being satisfying auditors rather than achieving a secure environment.
The best way to ensure that PCI DSS compliance is not a fire drill is to bake its requirements into the business’s daily processes and automate data collection and reporting. Specific cyber risk information should be put into each stakeholder’s hands (such as the line-of-business application owners who govern the business’s most valuable assets) to enable them to take prioritized action to minimize cyber risk while fulfilling the PCI requirements related to the information they govern. They can then also be held accountable by senior management for monitoring their applications and data, doing their part to protect the organization.
For example, if PCI DSS requires a business to implement two-factor authentication, business stakeholders and IT administrators should be provided with an automated daily view of which applications have two-factor authentication implemented, the percentage of users using it, required password resets and other related information, so that they know what they need to do to fulfill the requirement by the stated deadline. As a result, when it comes time to report compliance, it is just the push of a button, based on the information they have at their fingertips every day.
Achieving PCI DSS compliance does not need to be a fire drill. If businesses treat it as an enabling force to guide the protection of valuable information on a daily basis, they will not need to scramble at the last minute. Compliance will be baked in.