It’s been five years since the PCI Council released the first “Best Practices for Maintaining PCI DSS Compliance” guidance document in August 2014. Since then, many prominent payment data breaches have occurred, with the finger often pointing to lapses in the affected organization’s compliance program for the PCI DSS. As the PCI Council notes in the 2019 update, many organizations see the state of their PCI DSS compliance decline or lapse entirely in the “down time” between assessments.
The traditional point-in-time approach to compliance downplays the need for ongoing maintenance and oversight of security programs, which often contributes to organizational difficulty with efforts to foster security across people, processes, and technology. By adopting a slightly different approach to compliance that treats it as part of the normal course of business (as opposed to a “crunch time” effort right before an annual assessment by a QSA), organizations should be able to mitigate or even eliminate the potential for a decline or lapse in their compliance posture throughout the year.
Below are some of the PCI Council’s 2019 recommendations that we believe are critical to enabling a compliance maintenance model:
- Develop and Maintain a Sustainable Security Program – Implement your compliance program into your overall security strategy in order to drive sustainable compliance practices.
- Develop Performance Metrics to Measure Success – Effective metrics provide data for the allocation of resources to minimize risk and measure the business impact of security events.
- Continuously Monitor Security Controls – Monitor, test, and document the implementation, effectiveness, efficiency, impact, and status of controls and activities.
- Quickly Detect and Respond to Security Control Failures – Create a process for recognizing and responding to security control failures promptly.
- Evolve the Compliance Program to Address Changes – Change is inevitable; create a visionary approach to identifying changes and address them in a timely manner.
Based on conversations we’ve had with our clients, we believe organizations must embrace the broader industry trend of real-time or near-real-time compliance monitoring and ongoing compliance management. This allows them to achieve a more mature security and compliance posture plus several other positive business outcomes:
- Considerable time and cost savings to maintain compliance.
- Elimination of “crunch time” and “down time” cycles that affect many compliance professionals.
- Increased productivity with time to focus on longer-term objectives, needs, and priorities.
These are all big wins for an industry that’s exposed to more sophisticated threats each year and is experiencing a substantial skills shortage that prevents an easy “headcount” solution to the problem.
At Coalfire, we’re addressing this challenge head-on by changing the way we deliver assessment and advisory services to our clients. We believe the traditional approach to PCI compliance has been largely driven by the industry’s focus on annual (point-in-time) assessments. But in today’s world of new technologies and emerging threats, we clearly see the benefits of ongoing, real-time compliance management to reduce risk and avoid data breaches.
We started a pilot program to provide clients with low-impact, ongoing PCI assessment and advisory services. These services provide a near real-time view of an organization’s compliance posture throughout the year. They also deliver timely, data-driven intelligence and guidance as an organization’s environment and posture changes, which minimizes the resource impact of the annual QSA assessment. We’re working with several clients to develop a proven approach to ensure tangible benefits and measurable security and compliance outcomes.
We plan to offer these services to all organizations in the coming months to help the payments community enter the next decade with a proven method for ongoing compliance management. This will help shore up organizations’ security and compliance posture and set up the entire community for success. Keep checking our blog posts in the months ahead…more to come!