For businesses that store, process or transmit cardholder data, or could affect the security of that data, complying with the Payment Card Industry (PCI) Security Standards Council’s Data Security Standard (DSS) is a steep mountain to climb. The PCI DSS — which has strict requirements to protect cardholder data — now lists more than 250 requirements.
But just meeting those requirements is not even the hardest part. Many recent data breaches occurred in organizations that once met PCI DSS requirements, but couldn’t maintain their systems, processes and technology over time.
That’s one of the reasons the Council recently issued a revised version of its 2014 handbook, Best Practices for Maintaining PCI DSS Compliance. This edition focuses on long-term compliance for companies in all industries and service groups within the DSS scope, and it outlines the 10 best practices for maintaining an effective PCI DSS compliance program for the long term.
The free handbook (available at pcisecuritystandards.org) provides detailed suggestions for implementing these 10 best practices:
- Develop and Maintain a Sustainable Compliance Program
Effective compliance must be built into daily activities, with a focus on continuous cardholder data protection as part of an overall security strategy. Your business has to look beyond achieving compliance for a single report.
- Develop Program, Policy, and Procedures
Data protection relies on well-trained people and strong processes, not just technology. Ask yourself: How can you drive behaviors and create repeatable processes necessary to protect customers?
- Define Performance Metrics to Measure Success
It’s a truism, but what gets measured gets better. Carefully define the metrics you need based on your individual needs, goals, environments, risks, and compliance program maturity.
- Assign Ownership for Coordinating Security Activities
Someone must be responsible for overseeing ongoing compliance details — coordinating resources, monitoring, managing projects and tracking costs.
- Emphasize Security and Compliance Awareness
“Compliance does not equal security,” the manual emphasizes. PCI DSS alone is not the complete solution; businesses must develop a culture focused on information security.
- Continuously Monitor Controls
Once you have developed controls and activities, you have to keep monitoring, testing and documenting them to make sure they don’t get forgotten or ignored.
- Detect and Respond to Control Failures
Once you start monitoring, you’re likely to detect security control failures. How will you respond to small process failures? What if you have a breach? Have a detailed response plan ready and practice it.
- Maintain Security Awareness
Some of the most common, and most serious, breaches occur via social engineering, such as persuading someone to reveal a password. Make sure you have a formal security awareness program that addresses both old and new hacking trends.
- Monitoring Compliance of Third-Party Service Providers
If you rely on third-party service providers to maintain PCI compliance, how can you monitor their compliance status? What will you do if they’re not in compliance, or have obvious security weaknesses?
- Update the Compliance Program to Address Changes
Your controls must evolve to keep up with external threats, as well as your internal organization’s process and technology changes.
While these recommendations seem straightforward, navigating the waters of PCI DSS compliance can be daunting for any organization. Weaver has experience providing PCI Report on Compliance (ROC), PCI Self-Assessment Questionnaire (SAQ) and PCI consulting services for clients, ranging from Fortune 50 cloud providers to small merchants. To find out how we can help your organization achieve and maintain PCI DSS compliance or help strengthen your security program, visit weaver.com or contact Brian Thomas for more information.