Achieving PCI compliance is a tough challenge in itself; maintaining that compliance until the next PCI assessment takes place is a much harder task.
Businesses that manage to meet PCI compliance requirements at first but fail their next assessment often remain unprotected in the interim and are at risk of a data breach or other high-impact security incidents. The cause is usually a lack of ongoing management: compliance is treated as an annual event rather than a continuous effort throughout the year. We have seen many examples, in both the public and private sectors, of the pitfalls of yearly exercises as opposed to continuous monitoring of the same controls.
Standards or procedures created to increase control
Organizations that process payment cards, such as payment processors, financial institutions, merchants and service providers, have standards and procedures to abide by that increase security and control over the cardholder's data, which in turn reduces payment card fraud. Companies such as Global Shield IS understand the standards an organization is required to meet, offer compliance assessment services, and then create a Report on Compliance (ROC) that serves as a guide for upholding those standards going forward.
Too many businesses stop paying attention to PCI compliance activities after the assessment, not realizing that compliance should be treated as an ongoing effort. Treated that way, it allows a business to continually mitigate both existing and newly arising risks.
In our view, a business that met the required PCI compliance standards and then failed most likely failed either at implementing the standards or at continuing to apply the defined standards.
Understanding the practice of continuous PCI compliance
Businesses can take control of their processes to uphold PCI compliance through practices such as:
- Monitoring access, which may involve Active Directory, Lightweight Directory Access Protocol (LDAP), antivirus software, firewalls (hardware and/or software) and other access control mechanisms
- Ensuring security breaches or security control failures are detected and addressed in a timely manner
- Assessing how newly introduced systems or new developments impact PCI compliance, and updating accordingly
- Assessing the impact of acquisitions and mergers on PCI compliance
Lack of resources to continue PCI compliance
Another challenge for businesses is the resources required to keep up with the demands of staying PCI compliant. Resources are often assigned to other duties or projects, allowing compliance tasks to fall lower on the priority list. This typically happens after the initial or annual PCI assessment or audit takes place.
Businesses should conduct regular reviews with the assigned resources, and strive to communicate the necessity of each task required to stay compliant. Regular reviews should cover tasks such as:
- Reviewing the necessary configurations and making sure they are still applied
- Reviewing any data centers and audit logs on a defined, periodic basis
- Verifying that the PCI requirements that need to be continually in place remain so
- And so on…
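As an added illustration of the review tasks above (this is not code from the original post or from Global Shield IS), the following Python script compares a system's current settings against the baseline recorded at the last assessment and flags log sources whose documented review is older than the defined period. The setting names, the daily review period and all sample data are constructed assumptions, not a listing of PCI DSS requirements.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Hypothetical baseline recorded at the last assessment (values constructed for
# this example, not a listing of PCI DSS requirements).
BASELINE = {
    "tls_min_version": "1.2",
    "password_max_age_days": 90,
    "audit_log_retention_days": 365,
    "antivirus_enabled": True,
    "default_accounts_disabled": True,
}

# Constructed snapshot of the same settings as read from the system today.
CURRENT_SNAPSHOT = {
    "tls_min_version": "1.0",           # regressed, e.g. after a rollback
    "password_max_age_days": 180,       # relaxed without change control
    "audit_log_retention_days": 365,
    "default_accounts_disabled": True,  # note: antivirus_enabled is absent
}

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed so the run is reproducible
# Constructed record of when each log source was last reviewed and signed off.
LAST_REVIEWS = {
    "firewall": NOW - timedelta(days=9),
    "cardholder_db": NOW - timedelta(hours=20),
    "active_directory": NOW - timedelta(hours=4),
}

@dataclass
class Finding:
    control: str
    expected: object
    actual: object  # None when the setting is missing from the snapshot

def check_config_drift(current: dict, baseline: dict = BASELINE) -> list:
    """Flag every baseline setting that is missing or differs in the snapshot; any
    deviation, even a stricter one, was not seen by the assessor and needs review."""
    return [Finding(c, exp, current.get(c))
            for c, exp in baseline.items() if current.get(c) != exp]

def overdue_log_reviews(last_reviews: dict, max_age_days: int, now: datetime) -> list:
    """Return log sources whose last documented review is older than the defined period."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(src for src, reviewed in last_reviews.items() if reviewed < cutoff)

if __name__ == "__main__":
    for f in check_config_drift(CURRENT_SNAPSHOT):
        print(f"DRIFT {f.control}: expected {f.expected!r}, found {f.actual!r}")
    for src in overdue_log_reviews(LAST_REVIEWS, max_age_days=1, now=NOW):
        print(f"OVERDUE log review: {src}")
```

Scheduling a run like this between assessments turns the configuration and log-review items above into a recurring check rather than a once-a-year exercise.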
The ongoing procedure of reviewing and monitoring the processes required for PCI compliance sets the necessary standard for performance. Achieving the necessary standard for security should be considered a business-as-usual activity for any business, large or small.