
Reasons Why Your PCI Compliance May Fail (and How to Fix It)

Starting without understanding the PCI Environment

Starting the assessment with a PCI checklist? Good!

But it can lead to disaster if the assessment is started without understanding the environment, the business processes, the network infrastructure and, most important, the cardholder data flow.

  • Understand the requirements: The first step to ensuring PCI DSS compliance is to understand the requirements. The PCI Security Standards Council (SSC) has published a set of 12 requirements that organizations must meet in order to be compliant.
  • Implement a risk assessment: Once you understand the requirements, you need to conduct a risk assessment to identify the areas where your organization is most vulnerable to data breaches. This will help you to prioritize your compliance efforts.
  • Implement appropriate controls: Once you have identified the risks, you need to implement appropriate controls to mitigate those risks. These controls could include things like firewalls, intrusion detection systems, and encryption.
  • Test and monitor your systems: Once you have implemented the controls, you need to test and monitor your systems to ensure that they are working properly. This will help you to identify any gaps in your compliance and to make sure that your systems are up-to-date.
  • Have a plan for responding to a breach: Even if you do everything right, there is always a chance that your organization will experience a data breach. It is important to have a plan in place for responding to a breach. This plan should include things like how you will notify customers, how you will investigate the breach, and how you will mitigate the damage.

“Payment Card Industry Data Security Standard is seen as a burden by half of security pros, and 59% don’t think it helps them become more secure, according to a study from Ponemon.”

PCI DSS (Payment Card Industry Data Security Standard) is a well-known term in the industry. Most industry experts treat PCI DSS as a compliance requirement that has to be followed because their business mandates it. Let’s discuss the constraints on a successful PCI DSS implementation and why PCI compliance may fail.

PCI Compliance may fail due to inefficient PCI Scoping

  • PCI DSS project completion timelines, and the cost in terms of effort and money, depend directly on the scope and complexity of the environment. Inefficient scoping can lead to big-time failure, so it is better to get the scope validated by your QSA at the initial stages to avoid eleventh-hour surprises. Scoping is not a PCI DSS requirement, but it is strongly recommended for getting the PCI DSS implementation done in an efficient and optimal way. While deciding the scope, review and assess all locations, applications, databases and system components, and do not forget to review operations/production support workstations.
  • The very first question QSAs are asked is “When will we get the PCI DSS certificate?” Hold on! PCI DSS is not a ready-made dish; the PCI DSS compliance timeline and the resources required can only be estimated after the initial assessment, not before.
  • Account data stored everywhere, too good!!! A recent study shows that most organizations fail to meet PCI DSS requirement 3 (protect stored cardholder data). Storing sensitive authentication data after authorization is a sin, and it is direct non-compliance as well. Cardholder data storage has to be minimized, and data must be stored only if there is a critical business requirement for it. Stored cardholder data has to be rendered unreadable. So which option for rendering the card number unreadable is best (truncation, hashing, tokenization or encryption) depends on why the cardholder data is being stored.
  • PCI DSS has around 250 requirements (including sub-requirements) that try to cover all layers of security, yet the threat landscape is dynamic. Hackers are also aware of the loopholes in the compliance standard. There are certain risks that are specific to a technology or business process; a checklist-based audit without understanding those risks can be fatal, and PCI compliance may fail.
  • Misunderstanding PCI DSS requirements can be a costly deal that wastes time, money and resources; it can even make your certification next to impossible. Getting an expert QSA on board at the right time can make your PCI DSS journey smooth and easy.
  • Adopting new technology is key to business advancement and success, but implementing the latest technology within the PCI DSS scope has to be evaluated well to address the risks associated with the particular technology and its compatibility with the PCI DSS requirements.
  • Though PCI DSS accepts compensating controls for requirements where business or technical constraints prevent meeting the requirement as written, that does not mean you can have a compensating control for every requirement.
  • Outsourcing cardholder data related activities and security operations to third parties without evaluating the service provider’s security and compliance level can be a deadlock situation. After the risk assessment, risks need to be mitigated with the 4Ts: Treat, Terminate, Tolerate and Transfer. If a risk is being transferred to a third party such as a service provider, make sure that the additional risk arising from this and the related compliance requirements (PCI DSS 12.8) have been addressed.

The objective should not be merely meeting the PCI DSS checklist; the intent of the PCI DSS requirements must be well understood, and the cardholder data environment has to be secured with due diligence.

How to avoid PCI DSS compliance failures?

  • Set reminders and deadlines for completing the daily, weekly, monthly, quarterly, biannual and annual tasks.
  • Design a PCI compliance maintenance charter.
  • Clearly define responsibilities and divide tasks between the concerned departments and stakeholders.
  • Be extra vigilant about what you are adding to the existing PCI DSS scope. Replicate the applicable security controls on the new systems. Consult your information security team or QSA to be one hundred percent sure.
  • Choose your PCI compliance service providers wisely. Chase the existing ones to demonstrate their compliance on time.
  • Incorporate PCI DSS into business as usual so that it becomes a part of everyday business.
  • Patch your systems on time: not just the OS and network device firmware but also the applications.
  • Don’t just collect logs. Review and analyse them, and take action on what they show.
  • The standard will continuously evolve and get more stringent. Invest in security solutions with the long-term benefits in mind.
  • Use a qualified security assessment firm to help you identify any gaps in your compliance and to make sure that you are on the right track.
  • Stay up to date with the latest PCI DSS requirements so that you can ensure that your organization remains compliant.

By following these steps, you can avoid PCI DSS compliance failures and protect your organization from the risk of data breaches.

PCI DSS compliance achieved, now sit back and relax!!! No, PCI DSS is an ongoing program that has to be maintained throughout the year. There are daily, weekly, quarterly, half-yearly and annual activities required to maintain the certificate. PCI compliance may fail if these activities are not carried out in a timely manner, and action needs to be taken to maintain PCI compliance.
