Dodge Data Breaches with Real-Time PCI Compliance

Aaron Reynolds, VP, Cyber Assurance – Payments, Coalfire

It’s been five years since the PCI Council released the first “Best Practices for Maintaining PCI DSS Compliance” guidance document in August 2014. Since then, many prominent payment data breaches have occurred, with the finger often pointing to lapses in the affected organization’s compliance program for the PCI DSS. As the PCI Council notes in the 2019 update, many organizations see the state of their PCI DSS compliance decline or lapse entirely in the “down time” between assessments.

The traditional point-in-time approach to compliance downplays the need for ongoing maintenance and oversight of security programs, which often contributes to organizational difficulty with efforts to foster security across people, processes, and technology. By adopting a slightly different approach to compliance that treats it as part of the normal course of business (as opposed to a “crunch time” effort right before an annual assessment by a QSA), organizations should be able to mitigate or even eliminate the potential for a decline or lapse in their compliance posture throughout the year.

Below are some of the PCI Council’s 2019 recommendations that we believe are critical to enabling a compliance maintenance model:

  1. Develop and Maintain a Sustainable Security Program – Implement your compliance program into your overall security strategy in order to drive sustainable compliance practices.
  2. Develop Performance Metrics to Measure Success – Effective metrics provide data for the allocation of resources to minimize risk and measure the business impact of security events.
  3. Continuously Monitor Security Controls – Monitor, test, and document the implementation, effectiveness, efficiency, impact, and status of controls and activities.
  4. Quickly Detect and Respond to Security Control Failures – Create a process for recognizing and responding to security control failures promptly.
  5. Evolve the Compliance Program to Address Changes – Change is inevitable; create a visionary approach to identifying changes and address them in a timely manner.

Based on conversations we’ve had with our clients, we believe organizations must embrace the broader industry trend of real-time or near-real-time compliance monitoring and ongoing compliance management. This allows them to achieve a more mature security and compliance posture plus several other positive business outcomes:

  1. Considerable time and cost savings to maintain compliance.
  2. Elimination of “crunch time” and “down time” cycles that affect many compliance professionals.
  3. Increased productivity with time to focus on longer-term objectives, needs, and priorities.

These are all big wins for an industry that’s exposed to more sophisticated threats each year and is experiencing a substantial skills shortage that prevents an easy “headcount” solution to the problem.

At Coalfire, we’re addressing this challenge head-on by changing the way we deliver assessment and advisory services to our clients. We believe the traditional approach to PCI compliance has been largely driven by the industry’s focus on annual (point-in-time) assessments. But in today’s world of new technologies and emerging threats, we clearly see the benefits of ongoing, real-time compliance management to reduce risk and avoid data breaches.

We started a pilot program to provide clients with low-impact, ongoing PCI assessment and advisory services. These services provide a near real-time view of an organization’s compliance posture throughout the year. They also deliver timely, data-driven intelligence and guidance as an organization’s environment and posture changes, which minimizes the resource impact of the annual QSA assessment. We’re working with several clients to develop a proven approach to ensure tangible benefits and measurable security and compliance outcomes.

We plan to offer these services to all organizations in the coming months to help the payments community enter the next decade with a proven method for ongoing compliance management. This will help shore up organizations’ security and compliance posture and set up the entire community for success. Keep checking our blog posts in the months ahead…more to come!

Aaron Reynolds


Aaron Reynolds — VP, Cyber Assurance – Payments, Coalfire

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS