Payment Card Industry Data Security Standard (PCI DSS) compliance encompasses 12 requirements, which address the technical and human aspects of protecting payment data. While each of these areas is critical to compliance and risk mitigation, organizations are more likely to struggle with certain aspects of PCI. Experienced Chief Information Security Officers (CISOs) may appear to "care" about some requirements more than others, which is a natural by-product of the heightened risk or difficulty of those particular PCI requirements.
It's important to note that PCI compliance shouldn't be a "mad dash" in the weeks before your annual final report on compliance (FRoC) is due. PCI compliance is a moving target and a year-round effort. According to Verizon research, just 29% of companies are still fully compliant with PCI DSS one year after receiving an initial certificate of compliance.
There are a number of common PCI pitfalls that can introduce significant risk of a data breach. Join us as we review the areas of PCI DSS compliance that can raise your chances of a data breach or may be hardest to implement.
1. Testing Security Systems
PCI requirement #11 states that vendors are required to "regularly test security systems and processes." According to Verizon, the only area where industry compliance averages fell was with meeting testing requirements, which dropped from 40% to 33%. Though compliance levels are at a low, information security expert Kevin Beaver notes this requirement has "always been a challenge for enterprises."
Ultimately, the primary objective of PCI DSS compliance is to protect your customers from unauthorized access, theft, and data breaches. Regular penetration testing, in accordance with PCI requirements, is the act of simulating an external cyber crime attack. This allows organizations to identify dangerous vulnerabilities in their network.
Another critical component of testing security systems is file integrity monitoring, which is specifically addressed in PCI requirements 10.5.5 and 11.5. File integrity monitoring should be performed on at least a weekly basis. Maintaining the integrity of critical files can reduce vulnerabilities and facilitate the early detection of attempted cyber crime attacks. By meeting or exceeding file integrity monitoring requirements, organizations can ensure they're not at risk from undetected modification of log data or other critical system files.
Ultimately, testing should occur more frequently than an annual or even quarterly basis. Updates to network configuration, security software layers, or any other aspect of your technology can introduce new vulnerabilities into your system. Optimally, organizations should strive to continually perform PCI compliance testing and monitoring.
2. Maintaining Security Standards
PCI requirement #6 states companies must "develop and maintain secure systems and applications." CISOs are often aware that the act of "developing," or implementing, secure systems is an entirely different beast from security maintenance. According to Verizon, maintenance and access monitoring are the two areas of non-compliance discovered at every organization that suffered a data breach.
As illustrated by the research, the vast majority (80%) of organizations that achieve PCI compliance fail to maintain it, based on interim report on compliance assessments. Verizon's research cites a lack of processes and controls as common reasons that companies struggle to maintain compliance between annual final report on compliance (FRoC) assessments.
Continuous monitoring and proactive identification technologies can be crucial to understanding whether your network's security standards have slipped since your last FRoC assessment.
3. Policy Creation
The final PCI requirement, #12, requires that organizations "maintain a policy that addresses information security." This necessitates that you not only create, but "maintain a body of policy documentation stating how to address DSS requirements" within your organization's unique structures. Policy is always a challenge for CISOs at companies of all sizes because policy is a human-driven discipline, and may require collaboration with human resources, legal counsel, and other members of the leadership team.
Effective policies address more than IT workflows and procedures. They should also cover HR, physical security, management, and more. Policy should address, with specificity, how your organization will meet each of the other 11 requirements of PCI compliance. It should also address how you will train and educate your employees on security best practices, and emphasize the responsibility of all employees to protect cardholder data.
4. Tracking and Monitoring Network Access
PCI requirement #10 states that companies must "track and monitor all access to network resources and cardholder data." Much like maintaining security standards, failing to meet this PCI compliance requirement correlates completely with experiencing a data breach. Reviewing network activity and user logins allows organizations to quickly detect unauthorized access and mitigate the risk of attacks in real time.
The PCI Compliance Guide puts this requirement in simple terms: it's the need to "determine the 'who, what, where and when' of users accessing your data processing resources." Your organization must also have the ability, through file integrity monitoring, to detect attempts to modify your log data to cover access trails. Regardless of whether your company suffers an internal or third-party attack, being able to monitor administrative and user logs allows CISOs and their teams to identify an attack quickly and pinpoint the source of the risk.
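The baseline-and-compare check that file integrity monitoring performs, as an added illustration (not code from the original post or from Cimcor's product): it hashes a set of critical files, then flags any log that was truncated or rewritten and any file that appeared after the baseline was taken. File names and contents are constructed.

```python
"""Minimal file integrity monitoring (FIM) check: record a baseline of
SHA-256 digests for critical files, then compare a later snapshot against
it to flag modified, deleted and newly created files.
Added illustration, not a vendor product; all paths here are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file in 64 KiB chunks so large logs do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file under root (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Return the drift between two snapshots, grouped by change type."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "deleted": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: after the baseline is taken, an audit log is
    truncated to hide an access trail and an unexpected file appears."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "auth.log").write_text("login admin 10.0.0.5\nlogin admin 203.0.113.9\n")
        (root / "app.conf").write_text("mode=prod\n")
        baseline = build_baseline(root)
        # Simulated tampering: second login entry removed, stray file dropped
        (root / "auth.log").write_text("login admin 10.0.0.5\n")
        (root / "dropped.txt").write_text("x")
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

In practice the baseline itself must be stored where the monitored host cannot rewrite it, otherwise an attacker who edits a log can re-baseline it too.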
5. Practice Access Governance
Requirement #7 of PCI dictates that organizations "restrict access to cardholder data by business need-to-know." Per Diana Kelley and Ed Moyle of TechTarget, this encompasses two components of access governance:
- Policy and processes to restrict access
- Technical systems to support access restriction
Organizations rarely fail on both parts, particularly as technology to support access governance has become common. This requirement may also be difficult to accomplish at smaller and midsized organizations that lack dedicated access governance teams.
Most commonly, CISOs discover that their organizations lack the human aspects of access restriction, specifically policy and processes. To ensure compliance, CISOs should implement strong password protocols, including rules and repercussions for shared logins and periodic password changes. If your organization has effective technologies to restrict access, your policy and processes should work to support and enforce these requirements.
Additional PCI Compliance Requirements
While these requirements are not the only activities required to achieve and maintain PCI compliance, they're among the most likely to actively concern CISOs. While specific organizational requirements can vary according to PCI level, additional high-level requirements include:
- Install and maintain a firewall
- Avoid the use of default passwords
- Protect stored cardholder data
- Encrypt data transmissions on public networks
- Use updated antivirus software
- Assign unique user identification credentials
- Restrict physical access to data
Meeting each of the 12 requirements in its entirety is crucial for organizations to avoid the costly financial penalties associated with non-compliance.
Technology and Process
While organizational structures can vary drastically, it's clear that PCI compliance will always be a moving target. Companies must strive year-round to meet the most challenging aspects of PCI compliance. By implementing the right technologies and processes to support file integrity monitoring, testing, access restriction, and other aspects of compliance, you can significantly reduce your risk of a data breach.
To learn more about Cimcor's solutions for PCI-compliant file integrity monitoring, click here.
April 7, 2016