PCI DSS for Large Organizations: A Coalfire Perspective

As organizations grow, their PCI DSS responsibilities become more complex. They naturally accumulate more interconnected relationships, both internally and with third parties. Multiple payment channels, complex network architectures, and large inventories of in-scope devices all require preparation before an assessment or maintenance activity can begin. As a result, large organizations need to evolve how they manage PCI DSS awareness and compliance across the entire enterprise so that security becomes business as usual.

While the buzz around PCI DSS 4.0 was still active last fall, Coalfire was participating in a particularly important Special Interest Group (SIG) that recently released its final report for the payment card industry. The PCI DSS for Large Organizations report is the result of work by the SIG to codify experience and learning from large enterprises that manage PCI compliance as part of their overall compliance efforts. The findings are useful for large and medium-sized organizations looking to improve risk and compliance management.

In this blog post, I’ll share some key points from the report, put them in perspective using Coalfire’s experience working with large enterprises, and outline how PCI DSS 4.0 will raise the bar.

Multiple Assessments are the Norm
It is rare for an enterprise to be subject to only one regulatory requirement. For service providers, SOC and ISO are practically table stakes. Entities that provide cloud services to the United States federal government must comply with FedRAMP, and those in the Department of Defense supply chain will soon face the Cybersecurity Maturity Model Certification (CMMC). Once privacy laws (e.g., GDPR and CCPA) and regional standards (e.g., BSI C5) are added, the effort escalates rapidly.

One successful approach to integrating multiple disparate compliance objectives is to map them all to a single, framework-neutral set of internal controls. If chosen carefully, these internal controls change little over time even as the external frameworks evolve; what changes is the mapping from each framework’s requirements to the controls. That mapping must have an owner and be actively maintained to stay effective: a requirement with no mapped control, or a mapping to a control that has since been retired, is a finding waiting to happen. The PCI DSS for Large Organizations SIG adopted the specific recommendation of centralized compliance management, which brings me to my next point.

Centralized Compliance Management is Recommended
Managing and tracking compliance across a diverse set of standards is impractical in a fully distributed model. Centralized compliance management provides a common set of tools and processes that make compliance efforts efficient and repeatable. Several PCI DSS requirements explicitly address how the compliance program itself is managed, which highlights the importance of PCI program management. For large organizations, the need is even greater.

Efforts to establish centralized compliance management should begin with a comprehensive understanding of where relevant knowledge exists within the organization. Those subject matter experts complement the compliance specialists to form a matrix team. The PCI DSS for Large Organizations SIG recommends using a Responsible, Accountable, Consulted, Informed (RACI) matrix to track these roles and responsibilities.

Unlike modern computing architectures, which favor distribution, effective compliance management calls for centralized control. Certain edge cases, however, call for a more nuanced approach. The PCI DSS for Large Organizations SIG identified several areas of concern where extra effort is needed to identify and manage PCI compliance.

Third-party risk
Vendor risk management is a trending topic because of recent compromises of software supply chains. Large organizations are not going to pull back from outsourcing, but accountability for security breaches is expected to increase, not decrease. The interconnected nature of modern enterprises makes third-party risk hard to manage. Under the current standard this is already concrete: Requirement 12.8 expects a maintained list of third-party service providers, written agreements acknowledging their responsibilities, due diligence before engagement, at least annual monitoring of each provider’s PCI DSS compliance status, and a record of which requirements each party manages. This area is expected to get greater scrutiny in PCI DSS 4.0.

Mergers and acquisitions
Due diligence is like washing your hands: a best practice under normal conditions, and especially important when handling something new. Whether an acquisition will keep a separate identity or be assimilated into the acquiring entity, cataloging its existing compliance posture is required before deciding how to proceed, because the acquired entity’s payment channels and service providers become part of the acquirer’s scoping exercise. This is especially true for the new set of third-party service provider requirements and business-as-usual obligations.

New and emerging technologies
New and emerging technologies often require integrating subject-matter expertise with centralized compliance standards, especially where those technologies strain existing processes and tools. Common standards and policies, faithfully implemented in relevant (but divergent) ways, are an approach that scales across multiple divisions of a large organization. Here too, a RACI chart is useful for documenting how key personnel participate in the common work.

Coalfire Experience: Coordinated Assessments for Controlled and Reduced Total Cost of Compliance
By coordinating efforts across audits and assessments, organizations can minimize time spent on compliance. A single assessment cycle that supports multiple certifications or attestations avoids the redundant data requests and interviews that would otherwise evaluate the same set of controls once per standard. By helping customers align compliance efforts with business priorities, we have seen compliance used more effectively to reduce risk and unlock new markets while freeing internal resources.
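The framework-neutral control mapping described under "Multiple Assessments are the Norm" and the coordinated evidence collection described here are two views of the same data structure. The following is an added example, not code from the SIG report or from Coalfire: a small crosswalk from framework requirements to internal controls, with one function that flags requirements the mapping owner has not covered (empty mappings or references to retired controls) and another that groups requirements by the evidence artifact that satisfies them, so each artifact is requested once. The internal control identifiers (IC-xx) and evidence names are hypothetical; the PCI DSS 3.2.1 and NIST SP 800-53 identifiers follow those standards’ public numbering, but the specific pairings are illustrative and not an official mapping.

```python
"""Framework-neutral control crosswalk: collect evidence once, satisfy many frameworks."""
from collections import defaultdict

# Constructed, illustrative data. "IC-xx" identifiers are hypothetical internal
# controls; the framework requirement numbers are real, the pairings are an example.
INTERNAL_CONTROLS = {
    "IC-01": "Unique user ID for every person with system access",
    "IC-02": "Multi-factor authentication for administrative access to the CDE",
    "IC-03": "Annual review of third-party service provider compliance status",
    "IC-04": "Centralized log collection with 12-month retention",
}

# framework -> requirement id -> internal controls that satisfy it
CROSSWALK = {
    "PCI DSS 3.2.1": {
        "8.1.1": ["IC-01"],
        "8.3.1": ["IC-02"],
        "10.7": ["IC-04"],
        "12.8.4": ["IC-03"],
    },
    "NIST SP 800-53": {
        "IA-2": ["IC-01", "IC-02"],
        "AU-11": ["IC-04"],
        "SA-9": [],            # never mapped: the owner must assign a control
        "PS-7": ["IC-09"],     # mapped to a control that no longer exists
    },
}

# internal control -> evidence artifact collected once per assessment period
EVIDENCE = {
    "IC-01": "IAM user account export",
    "IC-02": "MFA policy and enforcement report",
    "IC-03": "TPSP compliance tracker",
    "IC-04": "SIEM retention configuration",
}


def unmapped_requirements(crosswalk=CROSSWALK, controls=INTERNAL_CONTROLS):
    """Return (framework, requirement, unknown_controls) for every requirement
    that has no internal control or references one not in the control set.
    Each entry is work for the mapping owner before the next assessment."""
    gaps = []
    for framework, reqs in crosswalk.items():
        for req_id, mapped in reqs.items():
            unknown = [c for c in mapped if c not in controls]
            if not mapped or unknown:
                gaps.append((framework, req_id, unknown))
    return gaps


def evidence_plan(crosswalk=CROSSWALK, evidence=EVIDENCE):
    """Group framework requirements by the evidence artifact that satisfies them,
    so one data request or interview covers every framework that cites it."""
    plan = defaultdict(set)
    for framework, reqs in crosswalk.items():
        for req_id, mapped in reqs.items():
            for control in mapped:
                if control in evidence:          # unknown controls have no evidence
                    plan[evidence[control]].add((framework, req_id))
    return {artifact: sorted(reqs) for artifact, reqs in plan.items()}


def request_savings(crosswalk=CROSSWALK, evidence=EVIDENCE):
    """(requests if each framework is assessed separately, requests in the
    coordinated plan). The difference is the duplicated work removed."""
    separate = sum(len(mapped) for reqs in crosswalk.values() for mapped in reqs.values())
    coordinated = len(evidence_plan(crosswalk, evidence))
    return separate, coordinated


if __name__ == "__main__":
    for framework, req_id, unknown in unmapped_requirements():
        print(f"GAP  {framework} {req_id}: " + (f"unknown control {unknown}" if unknown else "no control mapped"))
    for artifact, reqs in evidence_plan().items():
        print(f"{artifact}: satisfies {', '.join(f'{f} {r}' for f, r in reqs)}")
    print("evidence requests (separate vs coordinated):", request_savings())
```

Run it periodically, not just before an assessment: a new framework version usually adds rows to the crosswalk, and the gap list is what a centralized compliance function hands to the RACI-designated owner of each control.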

Impact of PCI DSS 4.0
PCI DSS 4.0 is still under development with one round of comments received. As SIG members, we cannot discuss the draft in detail, but the consensus opinion is that 4.0 will include broader and deeper control coverage. This will usher in new requirements and more detailed expectations with associated challenges and opportunities.

Coalfire expects that the PCI DSS 4.0 experience will disrupt PCI “normalcy”. For many organizations, new people will be involved who have little or no “muscle memory”. The expected phased implementation of the new standard will also mean more effort to manage control matrices, since old and new requirements will coexist for a time. On the positive side, we believe PCI DSS 4.0 will offer better opportunities for synergy with other frameworks. One tangible result of the PCI DSS for Large Organizations SIG was an official mapping of NIST SP 800-53 to PCI DSS 3.2.1 (and other frameworks).

We urge you to read the full report to identify challenges that large organizations face and implement guidance and techniques for overcoming them.

How can we help?