Congratulations, you have achieved PCI compliance!
Now comes the hard part, staying compliant. Remember, it was a great deal of work to get your environment where it needed to be for the Payment Card Industry Data Security Standard (PCI DSS). Organizations spend a fair amount of money getting systems, networks, and people exactly where they need to be for cardholder data protection.
The PCI Data Security Standard is not something that you complete once and you’re good forever. Instead, maintaining PCI compliance takes an ongoing commitment of people, process and technology. There are three things that organizations can do to stay compliant: dedicate the necessary resources to keep the information security program current, assess/test the information security environment perpetually, and invest in ongoing vulnerability management. It is only with the continued dedication that a PCI environment will stay in compliance and prevent data breaches.
Dedicate the necessary resources to the program perpetually
In order to continue to meet PCI DSS requirements, an organization needs to invest in information security. Resources leveraged for information security are typically comprised of either people, processes, and technology. A perpetual PCI compliant information security program invests in its people by making sure they have the most up to date training to maintain and enhance an environment.
Processes are essentially playbooks on how to install, maintain, troubleshoot, and execute tasks within an environment. As time goes on, processes need to be updated to account for changes in systems. Technology changes rapidly when it comes to information technology and information security. The trajectory of artificial intelligence and machine learning has information technology changing exponentially. Plan on refreshing and updating technology every few years, which will directly impact existing people and processes with new training and fine-tuning required.
Assess and test the information security environment
Many ask the question, “How do we know if our security environment and controls are working?”
The best answer is to assess and test your environment both from an internal perspective and an external perspective. Organizations that are truly ahead of the game leverage red teams (that acts like a hacker), blue teams (that defends against attacks), and purple teams (a blend of both red and blue teams). There are several important ways to assess and test the environment:
- Penetration testing
- Internal and external scanning
- Security awareness training
- Compliance review
- Risk assessment
Ongoing vulnerability management
The importance of ongoing vulnerability management cannot be overstated in an organization looking to maintain PCI compliance. Most of the breaches that have occurred in the last several years have one alarming similarity: The companies lacked mature vulnerability management programs.
The data breaches share several vectors like unpatched systems, weak passwords, and excessive access. Most of the data breaches of the past could have been prevented with basic vulnerability management and vulnerability scans, which focus on:
- Patching and patch management
- Firewall and router configurations
- Application security
- Data integrity assessment
- Review logs, alerts, and access permissions
PCI DSS compliance is focused on protecting the cardholder, payment card data, and both onsite and e-commerce transactions. While not the only data that needs to be protected, card data like Visa, Mastercard, American Express, Discover, and JCB is a primary focus of PCI.
The Self-Assessment Questionnaires are used by lower-level merchants (with fewer transactions) to perform a self-assessment of their compliance. There are multiple SAQs available, with the specific SAQ being used determined by how customers perform credit card transactions (i.e., card not present vs. card present, fully outsourced authorizations vs. partially outsourced authorizations). There are continuous annual requirements for organizations that qualify for the SAQ.
Maintaining compliance should include quarterly vulnerability scans where applicable and annual assessments like those conducted by a Qualified Security Assessor (QSA). An internal mock assessment is a great way to provide fine-tuning to the PCI requirement area that your organization may need to work on. Maintaining a compliant cardholder data environment takes work. The good news is that PCI DSS contains the best practices and testing procedures your organization needs to obtain and maintain PCI compliance on an ongoing basis.