The Payment Card Industry Data Security Standard (PCI DSS) helps organizations secure credit card data by hardening the environment that stores, processes or transmits cardholder information, so that attackers have fewer ways to compromise it. PCI DSS is not aimed only at service providers; the principles behind the standard can be used to protect all types of sensitive data. Compliance is not a one-time task. The newer requirements are a critical step towards not only tightening the security of communications and access, but helping organizations ensure ongoing compliance.
The importance of PCI DSS compliance
Compliance provides multiple benefits. It mitigates business risk, reduces costs and liability exposure, and gives an organization a measurable baseline for how well its environment is protected against a breach. The business risk of a breach includes the decline in the organization's credibility, the high cost of securing the environment after the fact, and the cost of reconstructing data that was destroyed or corrupted in the breach. Regulatory compliance can reduce insurance costs, and may even lower the penalty incurred in a liability lawsuit. It also provides a framework for measuring the level of conformity with best practices.
According to a recent study, 67 percent of company board members felt that cybersecurity is a problem that is evenly balanced between being a business risk and a technical issue. Regulatory compliance offers a response to both concerns.
Many organizations view PCI DSS compliance as an annual exercise, and do not have processes in place to ensure that compliance is continuously enforced. These organizations treat compliance like an exam: “we passed our compliance test last week, so we don't have to cram again until next year's compliance exam.” If organizations are not compliant for even a short period of time, they can potentially give attackers a window of opportunity to hack into the environment and steal or destroy sensitive data.
According to a recent report published by Verizon, fewer than 30 percent of organizations remain compliant for a full year between audits. Don't let security fall by the wayside between audits. A working change-management process is what sustains compliance between assessments and keeps data protected at all times.
Implementing any changes into the corporate culture can be challenging, and implementing PCI DSS compliance is no different. Some of the challenges organizations may face are:
- Allocating the necessary time
- Finding manpower with the proper skill set
- Correctly mapping the PCI environment
- Ensuring the organization embraces the change
However, it doesn't have to be a compliance jungle. There are steps organizations can take to ensure ongoing compliance with the standard.
How to maintain ongoing compliance
- Have a clearly defined change process in place.
  - Changes in a PCI environment cannot be ad hoc. A clearly defined process must be in place to ensure that no change breaks compliance, with a review step that checks each proposed change against the relevant requirements before it is applied. The change process itself should be reviewed and updated regularly to make sure it still fits the current PCI environment.
- Train all relevant employees on the change process and ensure that it is followed.
  - Human error is one of the most common causes of a data breach. Ensure that employees know the change process, and more importantly, that they actually follow it; a process that is routinely bypassed offers no protection.
- Document every change in the PCI environment, including who made it, when it was made and why.
  - The documentation trail maintains operational continuity when future changes are made to the PCI environment. For example, it records why a certain application needed access to a restricted server, or why a service was enabled on a specific port. It also provides an audit trail if an incident occurs, showing which change introduced the gap and how to close it, and it lets you reconcile the live configuration against the approved changes so that undocumented drift is caught between audits rather than at the next assessment.
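As an added illustration of the three steps above (this is example code written for this page, not something from the original article or from the PCI Security Standards Council), the script below reconciles a PCI-scoped firewall rule set against its change ledger. It assumes a constructed, simplified representation: rules are strings of the form "action proto port src dst", the ledger is a list of change records carrying the who/when/why fields plus a ticket, an operation and the rule touched, and the baseline is the rule set as it stood at the last audit. Every field name, ticket number and address here is invented for the example.

```python
"""Reconcile a PCI-scoped firewall rule set against its change ledger.

Added example, not part of the original article. All data below is constructed
for illustration: rule strings, ticket numbers, addresses and field names are
assumptions, not any vendor's format.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Every change record must carry who / when / why plus enough to replay it.
REQUIRED_FIELDS = ("who", "when", "why", "ticket", "op", "rule")
VALID_OPS = ("add", "remove")


@dataclass
class AuditResult:
    undocumented_additions: list = field(default_factory=list)  # live, no record
    undocumented_removals: list = field(default_factory=list)   # gone, no record
    unapplied_changes: list = field(default_factory=list)       # approved, not live
    incomplete_records: list = field(default_factory=list)      # (ticket, missing)

    @property
    def compliant(self) -> bool:
        return not (self.undocumented_additions or self.undocumented_removals
                    or self.unapplied_changes or self.incomplete_records)


def normalize(rule: str) -> str:
    """Canonicalize whitespace and case so cosmetic edits do not look like drift."""
    return " ".join(rule.lower().split())


def validate_record(rec: dict) -> list:
    """Return the names of required fields that are missing, empty or malformed."""
    missing = [f for f in REQUIRED_FIELDS if not str(rec.get(f, "")).strip()]
    if "when" not in missing:
        try:
            datetime.fromisoformat(rec["when"])  # expect ISO 8601 timestamps
        except ValueError:
            missing.append("when")
    if "op" not in missing and rec["op"] not in VALID_OPS:
        missing.append("op")
    return missing


def audit_changes(baseline, current, ledger) -> AuditResult:
    """Compare the live rule set with baseline + approved changes and report drift."""
    result = AuditResult()
    base = {normalize(r) for r in baseline}
    live = {normalize(r) for r in current}
    approved_adds, approved_removes = set(), set()

    for rec in ledger:
        missing = validate_record(rec)
        if missing:
            # An incomplete record authorizes nothing: the rule it names will
            # surface below as undocumented if it is live.
            result.incomplete_records.append((rec.get("ticket") or "<no ticket>", missing))
            continue
        (approved_adds if rec["op"] == "add" else approved_removes).add(normalize(rec["rule"]))

    expected = (base - approved_removes) | approved_adds

    for rule in sorted(live - expected):
        if rule in approved_removes:
            result.unapplied_changes.append(rule)       # removal approved but not done
        else:
            result.undocumented_additions.append(rule)  # nobody signed off on this
    for rule in sorted(expected - live):
        if rule in approved_adds:
            result.unapplied_changes.append(rule)       # addition approved but not done
        else:
            result.undocumented_removals.append(rule)   # baseline rule vanished silently
    return result


# --- constructed sample data ------------------------------------------------
BASELINE = [
    "allow tcp 443 10.0.1.0/24 10.0.2.10",
    "allow tcp 22 10.0.9.5 10.0.2.10",
    "deny any any any any",
]
LEDGER = [
    {"who": "j.doe", "when": "2024-03-04T10:15:00+00:00", "why": "new API listener",
     "ticket": "CHG-1042", "op": "add", "rule": "allow tcp 8443 10.0.1.0/24 10.0.2.10"},
    {"who": "a.smith", "when": "2024-03-06T09:00:00+00:00", "why": "jump host retired",
     "ticket": "CHG-1043", "op": "remove", "rule": "allow tcp 22 10.0.9.5 10.0.2.10"},
    {"who": "r.lee", "when": "2024-03-07T14:30:00+00:00", "why": "",  # no justification
     "ticket": "CHG-1044", "op": "add", "rule": "allow tcp 3306 10.0.1.0/24 10.0.2.20"},
    {"who": "m.chen", "when": "2024-03-08T08:45:00+00:00", "why": "ship syslog to SIEM",
     "ticket": "CHG-1045", "op": "add", "rule": "allow udp 514 10.0.2.10 10.0.3.7"},
]
CURRENT = [
    "allow tcp 443 10.0.1.0/24 10.0.2.10",
    "allow tcp 8443 10.0.1.0/24 10.0.2.10",   # CHG-1042, fine
    "allow tcp 3306 10.0.1.0/24 10.0.2.20",   # CHG-1044 lacks a "why": unauthorized
    "allow tcp 23 any 10.0.2.10",             # no record at all
    "deny any any any any",
]


if __name__ == "__main__":
    res = audit_changes(BASELINE, CURRENT, LEDGER)
    print("compliant:", res.compliant)
    for name in ("undocumented_additions", "undocumented_removals",
                 "unapplied_changes", "incomplete_records"):
        print(f"{name}: {getattr(res, name)}")
```

Run on a schedule (or from the CI job that pushes firewall changes), a non-compliant result is a work item, not a report: the undocumented telnet rule and the MySQL rule with no justification go back through the change process or get removed, and the approved syslog rule that never landed is applied. The point of the example is that the ledger, not the live configuration, is the source of truth between audits.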
Cramming for the compliance test is not sufficient for ensuring ongoing data security. IT managers must view the change process as an organic activity that evolves as the company changes, not as a yearly assessment that only temporarily corrects the problem. Using the right automation tools is key to lowering both the time and the skill set required to implement PCI DSS compliance; an automated process can cut the turnaround on a change from weeks to days, or possibly even hours. That responsiveness instills employee confidence in the change process and removes the incentive to bypass it.
Now is the time for organizations to embrace the necessary steps towards continuous compliance.