Becoming PCI DSS compliant is not an easy task. It requires dedication, some inspiration and certainly a lot of perspiration. During the annual assessment we witness the many hours of work spent by various teams to achieve or maintain compliance. But we also often see compliance treated as a one-off task that gathers momentum around the date of the onsite audit and slips away again once the annual assessment has been passed. There is real danger in that. We believe that continuous compliance makes life easier and puts you in a far better position to pass next year's audit with ease.
PCI compliance continues when the QSA leaves the building
The main challenge is to integrate PCI compliance fully into the organization's "business-as-usual" dynamic. That means the processes and procedures PCI DSS calls for must be implemented in a way the organization can actually sustain throughout the year, not just reconstructed for the audit.
The initial QSA-led assessment is a point-in-time exercise: the organization being assessed must prove compliance as of the date of its Attestation of Compliance (AoC). From that point forward, however, things change. For the year-two assessment and every subsequent year, all ongoing operating controls mandated by PCI DSS must have been maintained across the whole intervening period, and the organization must keep records of their performance (scan reports, review sign-offs, change tickets, meeting minutes) as evidence for the QSA.
Here are the operating controls we find to be most often overlooked:
- Vulnerability scanning, both internal and external (quarterly, with rescans until passing results are obtained)
- Semi-annual review of firewall configuration and rule sets
- Consistent application of change management processes (for both infrastructure and software changes)
- Performance of an annual risk assessment
- The additional controls for service providers introduced in PCI DSS v3.2, which became mandatory on 1 February 2018:
  - Semi-annual penetration testing of segmentation controls
  - Quarterly reviews to verify that personnel are following security policies and operational procedures
  - Timely detection, reporting and root cause analysis of failures of critical security controls in scope
Tips on continuous compliance
The PCI Security Standards Council (SSC) has recognized the problem of businesses failing to develop and execute a plan for continued PCI compliance. In January 2019 it released an updated version of its guidance document "Best Practices for Maintaining PCI DSS Compliance". The key issue with maintaining compliance is that organizations miss some of the activities that make up their PCI DSS compliance program. The guidance recommends that businesses develop a PCI compliance charter and assign "overall accountability for maintaining PCI DSS compliance" to a named role.
PCI DSS requires activities to be carried out daily, weekly, monthly, quarterly, semi-annually and annually, and these are easily forgotten during the year following a completed assessment. There are many reasons why this happens, but the most common is a lack of resourcing: carrying out these activities is usually not the employees' primary job. Ideally, maintaining compliance activities should be a core responsibility of a named employee or team, with each periodic control assigned an owner and a due date.
Another recommendation is that the organization establishes a PCI board that meets monthly. During this meeting the compliance program activities are tracked to ensure they are being carried out on schedule, overdue items are assigned to owners, and any new projects that may impact the cardholder data environment or the way payments are processed are discussed before they change the scope.
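As an added illustration of what that monthly tracking can look like in practice (this is example code written for this article, not a tool from the PCI SSC or from the guidance document), the script below keeps a list of periodic controls with their cadence, owner and last-performed date, and produces the status that a PCI board would review each month: which controls are overdue, which fall due before the next meeting, and who needs to be chased. The day counts used for each cadence and the sample controls and dates are assumptions constructed for the example; a control that has not been performed since the assessment is measured from the AoC date, because that is the last point at which it was demonstrably in place.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Maximum interval, in days, between two performances of a control.
# PCI DSS phrases these as "daily", "quarterly", "at least every six months"
# and so on; the concrete day counts below are an assumption for this example.
CADENCE_DAYS = {
    "daily": 1,
    "weekly": 7,
    "monthly": 31,
    "quarterly": 92,
    "semi-annual": 183,
    "annual": 365,
}


@dataclass
class Control:
    name: str
    cadence: str                # key of CADENCE_DAYS
    owner: str                  # team accountable for producing the evidence
    last_done: Optional[date]   # None: not performed since the last assessment


def next_due(control: Control, aoc_date: date) -> date:
    """Date by which the control must next be performed.

    If the control has never been performed since the assessment, the clock
    starts at the AoC date, the last point at which the QSA saw it in place.
    """
    base = control.last_done or aoc_date
    return base + timedelta(days=CADENCE_DAYS[control.cadence])


def review(controls: List[Control], aoc_date: date, today: date,
           warn_days: int = 30) -> Dict[str, str]:
    """Classify each control as 'overdue', 'due-soon' or 'ok' as of `today`.

    `warn_days` is the look-ahead window; 30 days flags everything that falls
    due before the next monthly board meeting.
    """
    report = {}
    for c in controls:
        due = next_due(c, aoc_date)
        if due < today:
            report[c.name] = "overdue"
        elif due - today <= timedelta(days=warn_days):
            report[c.name] = "due-soon"
        else:
            report[c.name] = "ok"
    return report


def overdue_by_owner(controls: List[Control], aoc_date: date,
                     today: date) -> Dict[str, List[str]]:
    """Group overdue controls by owner: the action list for the board meeting."""
    status = review(controls, aoc_date, today)
    grouped: Dict[str, List[str]] = {}
    for c in controls:
        if status[c.name] == "overdue":
            grouped.setdefault(c.owner, []).append(c.name)
    return {owner: sorted(names) for owner, names in grouped.items()}


# Constructed sample data: an AoC signed in March, reviewed at the September board meeting.
AOC_DATE = date(2019, 3, 15)
TODAY = date(2019, 9, 20)
SAMPLE_CONTROLS = [
    Control("Internal vulnerability scan", "quarterly", "Security", date(2019, 6, 10)),
    Control("External ASV scan", "quarterly", "Security", date(2019, 7, 1)),
    Control("Firewall rule set review", "semi-annual", "Network", None),
    Control("Segmentation penetration test", "semi-annual", "Security", date(2019, 8, 1)),
    Control("Annual risk assessment", "annual", "Risk", date(2019, 3, 1)),
    Control("Policy and procedure review", "quarterly", "Compliance", date(2019, 9, 5)),
]


def sample_report() -> Dict[str, str]:
    """Status of the sample controls as of the September meeting."""
    return review(SAMPLE_CONTROLS, AOC_DATE, TODAY)


def sample_actions() -> Dict[str, List[str]]:
    """Overdue items per owner for the sample data."""
    return overdue_by_owner(SAMPLE_CONTROLS, AOC_DATE, TODAY)


if __name__ == "__main__":
    for name, status in sample_report().items():
        print(f"{status:9} {name}")
    print("Actions:", sample_actions())
```

Running it shows the internal scan and the never-performed firewall review as overdue, the external ASV scan as due before the next meeting, and the rest on track. Feeding the same structure from a ticketing system or spreadsheet export, and archiving each month's output, gives the QSA a continuous record of when each control was performed rather than a reconstruction assembled shortly before the onsite visit.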
We offer continuous PCI DSS compliance as a service. It is a subscription-based model in which we guide you through the periodic tasks, keep track of them and remain available throughout the compliance period to deal with any issues or questions that come up. The model is based on a fixed monthly fee, so you can budget for PCI DSS at the start of the cycle.