10 Best Practices and 3 Core Strategies for Maintaining PCI DSS CompliancePublished March 3, 2020 by Alan Gouveia • 5 min read
Achieving compliance with the Payment Card Industry Data Security Standard (PCI DSS) is difficult, requiring as much as a year’s work or even more.
Organizations spend much money and time ensuring that their security systems and networks secure credit card data and provide a high level of cardholder data protection that being PCI DSS-compliant requires.
But continued compliance with the PCI Data Security Standard requires ongoing care and maintenance.
The PCI Security Standards Council (PCI SSC), a consortium of major credit card brands, has listed 10 essential steps for maintaining PCI compliance:
- Develop and Maintain a Sustainable Compliance Program. Fold in your compliance program with your organization’s overall security strategy. Then, you can monitor the effectiveness of your security controls on an ongoing basis, and maintain compliance between assessments. The ongoing security of cardholder data should be the driving objective behind all your PCI DSS compliance activities—not simply attaining a compliant report.
- Develop a Program, Policy, and Procedures – A PCI DSS compliance program that includes people, processes, and technology along with supporting policies and procedures (such as an information security policy) will help ensure that people do the right things to guard digital and physical access to payment card data and to maintain repeatable business and operational processes. The council defines these terms this way:
- A program typically includes strategic objectives, roles and responsibilities, and a plan to achieve business objectives. For example, a vendor-management program defines the roles and strategy to properly procure, onboard, manage, and off-board third-party service providers.
- A policy typically includes a statement of management intent or rules that must be followed⎯-such as a security policy stating how often to update anti-virus software or a password policy defining the frequency with which system passwords must be changed.
- A process/procedure typically outlines step by step how to properly perform program tasks and supporting policies, such as the steps for proper firewall configuration, how to test security systems or procedures to be followed for proper transmission of cardholder data, such as how to encrypt sensitive data before e-mailing it to a service provider.
- Define Performance Metrics to Measure Success. A good metrics program can provide useful data to help allocate resources to minimize risk and measure the business consequences of security events. Your organization should carefully define the scope of its information-security measurement based on its needs, goals and objectives, operating environments, risk priorities, and compliance program maturity.
- Assign Ownership for Coordinating Security Activities. A manager should be assigned responsibility for your enterprise’s continuous PCI DSS compliance, to oversee the centralized coordination of resources, monitoring, projects, and costs.
- Emphasize Security and Risk Management to Attain and Maintain Compliance. Compliance does not equal security although it helps. While PCI DSS provides a solid baseline of cybersecurity controls, it doesn’t address all security needs. Instead, focus on building a culture of security and protecting your organization’s information assets and IT infrastructure from such threats as data breaches and malware, and letting compliance with the PCI standards happen as a result.
- Continuously Monitor Controls. Continuously monitor, test, and document the implementation, effectiveness, efficiency, effects, and status of your security controls and PCI compliance activities.
- Detect and Respond to Control Failures. Follow processes for promptly recognizing and responding to security-control failures. Any control failure could constitute a formal security incident, and require a more formal incident response. At a minimum, control-failure response processes should include:
- Minimizing the impact of the incident
- Restoring controls
- Performing root-cause analysis and remediation,
- Implementing hardening standards
- Enhancing monitoring
- Maintain Security Awareness. Social engineering techniques can lead to data breaches and the exfiltration of critical data. To prevent social engineering, implement a formal security awareness process with up-to-date content that addresses the latest trends in cybercrime.
- Monitor Compliance of Third-Party Service Providers. If a third party maintains your PCI DSS security controls, develop and implement processes to monitor its compliance and know whether a change in its status requires a change in your relationship.
- Evolve the Compliance Program to Address Changes. Change your controls to ensure continued security as new threats emerge and as your enterprise’s organizational structure, business initiatives, and business processes and technologies change.
Three Core Strategies
These PCI DSS compliance steps essentially fit into three core strategies: resource allocation, assessment and testing, and vulnerability management.
- Dedicate program resources perpetually.
You must invest in information security to continue to meet PCI DSS requirements. Doing so includes updating your technologies often, including system components, and training your people in how to use them securely.
- Assess and test your information security environment.
How can you know if your security environment and controls are working? Assess and test.
Organizations that are truly ahead of the game use red teams to try to attack your systems, blue teams, which defend against attacks, and purple teams (a blend). Ways to important ways to assess and test your environment include
- Penetration testing
- Internal and external vulnerability scanning
- Security awareness training
- Compliance review
- Risk assessment
- Shore up your vulnerability management program.
To avoid non-compliance with PCI DSS, you must manage the vulnerabilities to your system, networks, and data. Doing so is essential to maintaining a secure network.
Most breaches in the last several years share an alarming similarity: The breached companies lacked mature vulnerability management programs.
Breaches are often the result of unpatched systems, weak passwords, or the lack of strong access control measures to ensure that data only gets viewed by someone with a legitimate business need.
Many data breaches could have been prevented with basic vulnerability management and vulnerability scans, which focus on:
- Patching and patch management
- Firewall and router configurations
- Application security
- Data integrity assessment
- Review logs, alerts, and access permissions
To be PCI compliant, you may need to have your systems and networks regularly scanned for vulnerabilities by an approved scanning vendor (ASV).
Being PCI compliant means protecting credit card payment security at every step of payment processing. it ensures protection of payment card data, sensitive authentication data, and onsite and e-commerce transactions. Protecting the data of the five major credit card companies- Visa, Mastercard, American Express, Discover, and JCB–is a primary focus of PCI.
Which PCI requirements your organization must meet depends largely on its compliance level, determined by the number of transactions it processes each year, and from which cards. Each level — 1, 2, 3, and 4 — has different criteria and requirements.
Self-Assessment Questionnaires are used by lower-level merchants (with fewer transactions) to report their compliance. Which SAQs you use depends partly on they types of credit card transactions you process (i.e., “card not present” vs. “card present,” “fully outsourced authorizations” vs. “partially outsourced authorizations”).
Organizations that qualify for the SAQ must meet continuous annual requirements to maintain their PCI DSS report on compliance.
These requirements may include quarterly vulnerability scans, where applicable, and annual assessments conducted by a Qualified Security Assessor (QSA).
Maintaining a compliant cardholder data environment takes work. The good news is that PCI DSS contains the best practices and testing procedures your organization needs to obtain and maintain PCI compliance on an ongoing basis. And the even better news is this: You don’t have to go it alone.
ZenGRC, our governance, risk management, and compliance software as a service, simplifies the task of PCI DSS compliance. Our self-audit feature lets you see in a few clicks where you comply, and where you fall short. Our color-coded, user-friendly dashboards show clearly what you need to do to get compliant as well as who’s doing which tasks and where they stand.
Worry-free PCI compliance is the Zen way. Contact us today for your free consultation, and embark on the path to PCI DSS nirvana.