Maintaining Sustainable PCI DSS Compliance

Complying with one of the most widely known stringent compliance standard of PCI DSS is a challenging task. There are numerous security controls and technical activities that go into achieving it for the first time. But the story doesn’t end there. By the time you are done celebrating your achievement, it’s time to maintain the compliance and sustain for the entire life cycle of next one year.

Few common points of failure in maintaining PCI DSS Compliance:

• Failing to achieve quarterly ASV passing scans. Remember, a failed scan report is not valid.
• Failing to complete quarterly internal vulnerability assessment.
• Bi-annual firewall and router rule review
• Did you scale up and forgot to implement applicable PCI controls on the new systems in scope?
• New systems added in scope not included in VAPT activity
• Wireless scan for detection of authorized and unauthorized wireless access points
• User access reconciliation – at least every 90 days
• Did you cross the defined retention period of cardholder data storage? Adopt a manual method or automated card data discovery tools / cron jobs to check presence of CHD beyond retention.
• Timely installation of critical patches within one month and non-critical ones within a defined time period.

What happens when you fail to maintain PCI DSS Compliance?

• You may miss your intended date of PCI re-certification
• Acquirers will constantly follow to submit those quarterly ASV scan reports
• Suffer business implications with your client as your business fails to meet contractual requirements
• Lessen consumer trust and Loss of customers: Customers may be hesitant to do business with a company that they do not trust to protect their personal information.
• Flagging or even removal from the Payment Brands listing of compliant companies (if listed)
• Monthly fines: The card brands (Visa, MasterCard, American Express, Discover, and JCB) can impose monthly fines on per monthly basis, depending for factors, for non PCI compliance.
• You may be having possibly vulnerable systems with weak or no controls, leading to data breaches
• Non-compliance can also increase the risk of a data breach, which can lead to financial losses, legal liability, and damage to your reputation.
• Suspension of your ability to accept credit cards: The card brands may suspend your ability to accept credit cards if you are not compliant with PCI DSS.
• Legal action: In some cases, non-compliance with PCI DSS may lead to legal action from customers or regulators

Source: Verizon 2015 PCI Compliance Report

For organization those who have been maintaining compliance over several years might very well know that one has to be very particular in completing the periodic activities. However difficult it sounds, but with good amount of planning and division of responsibilities in between your team, accomplishing this won’t be daunting.