Best practices for implementing PCI DSS into business-as-usual processes


The PCI Council advises that to ensure security controls continue to be properly implemented, companies should adopt a business-as-usual (BAU) approach as part of their overall security strategy. Version 3 clearly states that compliance should not be seen as a point-in-time assessment to achieve annual certification, but rather be managed on a continuous basis and embedded into a company’s day-to-day operations.

This enables the company to monitor the effectiveness of their security controls on an ongoing basis, and maintain their PCI DSS compliant environment in between PCI DSS assessments.

The PCI Council issued the following best practices for implementing PCI DSS into business-as-usual processes in November of last year as guidance for implementing the 12 PCI DSS requirements.

Below is an extract from the PCI DSS Requirements and Security Assessment Procedures.

Examples of how PCI DSS should be incorporated into Business-As-Usual activities include but are not limited to:

  1. Monitoring of security controls

These include firewalls, intrusion-detection systems/intrusion-prevention systems (IDS/IPS), file-integrity monitoring (FIM), anti-virus, access controls, etc.—to ensure they are operating effectively and as intended.

  2. Ensuring that all failures in security controls are detected and responded to in a timely manner.

Processes to respond to security control failures should include:

  • Restoring the security control
  • Identifying the cause of failure
  • Identifying and addressing any security issues that arose during the failure of the security control
  • Implementing mitigation (such as process or technical controls) to prevent the cause of the failure recurring
  • Resuming monitoring of the security control, perhaps with enhanced monitoring for a period of time, to verify the control is operating effectively

  3. Review changes to the environment prior to completion of the change.

Examples include the addition of new systems and changes to system or network configurations.

The PCI DSS recommends organisations perform the following as part of the review:

  • Determine the potential impact to PCI DSS scope

For example, a new firewall rule that permits connectivity between a system in the CDE and another system could bring additional systems or networks into scope for PCI DSS.

  • Identify PCI DSS requirements applicable to systems and networks affected by the changes

For example, if a new system is in scope for PCI DSS, it would need to be configured per system configuration standards, including FIM, AV, patches, audit logging, etc., and would need to be added to the quarterly vulnerability scan schedule.

  • Update PCI DSS scope and implement security controls as appropriate.

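The first two review steps above, determining whether a change widens PCI DSS scope and which systems it affects, can be made mechanical for firewall rule changes. The following is an added example, not from the PCI SSC document or from IT Governance; the asset inventory, the in-scope list, the `Rule` format and all addresses are constructed for illustration.

```python
# Scope-impact check for proposed firewall rule changes. Constructed example:
# the inventory, rule format and addresses are invented, not the PCI SSC's.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: str     # source address or CIDR
    dst: str     # destination address or CIDR
    action: str  # "permit" or "deny"


# Constructed asset inventory. Only hosts recorded here can be matched, so an
# undocumented host inside a permitted range would not be flagged: the check
# is only as good as the inventory behind it.
CDE_HOSTS = {"10.10.1.10", "10.10.1.11"}                    # cardholder data environment
IN_SCOPE = CDE_HOSTS | {"10.20.0.5"}                         # already documented in scope
KNOWN_HOSTS = IN_SCOPE | {"10.30.0.7", "10.30.0.8", "10.40.0.9"}

PROPOSED = [
    Rule("10.30.0.0/24", "10.10.1.0/24", "permit"),   # corporate LAN into the CDE: widens scope
    Rule("10.10.1.10/32", "10.20.0.5/32", "permit"),  # CDE to documented jump host: no change
    Rule("10.40.0.0/24", "10.10.1.0/24", "deny"),     # deny rule adds no connectivity
]


def hosts_in(cidr: str, hosts: set[str]) -> set[str]:
    """Inventory hosts that fall inside the given address or CIDR."""
    net = ip_network(cidr, strict=False)
    return {h for h in hosts if ip_address(h) in net}


def scope_impact(rule: Rule) -> set[str]:
    """Hosts a permit rule would newly connect to the CDE (either direction)
    that are not already documented as in scope; empty means no scope change."""
    if rule.action != "permit":
        return set()
    src, dst = hosts_in(rule.src, KNOWN_HOSTS), hosts_in(rule.dst, KNOWN_HOSTS)
    connected: set[str] = set()
    if src & CDE_HOSTS:
        connected |= dst - CDE_HOSTS
    if dst & CDE_HOSTS:
        connected |= src - CDE_HOSTS
    return connected - IN_SCOPE


def review_change(rules: list[Rule]) -> list[tuple[Rule, set[str]]]:
    """Only the rules that would widen PCI DSS scope, with the hosts each pulls in."""
    return [(r, hit) for r in rules if (hit := scope_impact(r))]


if __name__ == "__main__":
    for rule, hosts in review_change(PROPOSED):
        print(f"{rule.src} -> {rule.dst} brings into scope: {sorted(hosts)}")
```

Each host the check returns is one that would need the applicable configuration standards, FIM, AV, logging and a place on the quarterly scan schedule before the change completes.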
  4. Changes to organisational structure should result in a formal review of the impact to PCI DSS scope and requirements.

For example, a company merger or acquisition.

  5. Periodic reviews and communications should be performed to confirm that PCI DSS requirements continue to be in place and personnel are following secure processes.

These periodic reviews should cover all facilities and locations, including retail outlets, data centres, etc., and include reviewing system components (or samples of system components), to verify that PCI DSS requirements continue to be in place—for example, configuration standards have been applied, patches and AV are up to date, audit logs are being reviewed, and so on.

The frequency of periodic reviews should be determined by the entity as appropriate for the size and complexity of their environment.

These reviews can also be used to verify that appropriate evidence is being maintained—for example, audit logs, vulnerability scan reports, firewall reviews, etc.—to assist the entity’s preparation for their next compliance assessment.

  6. Review hardware and software technologies at least annually to confirm that they continue to be supported by the vendor and can meet the entity’s security requirements, including PCI DSS.

If it is discovered that technologies are no longer supported by the vendor or cannot meet the entity’s security needs, the entity should prepare a remediation plan, up to and including replacement of the technology, as necessary.

In addition to the above practices, organisations may also wish to consider implementing separation of duties for their security functions so that security and/or audit functions are separated from operational functions.

In environments where one individual performs multiple roles (for example, administration and security operations), duties may be assigned such that no single individual has end-to-end control of a process without an independent checkpoint.

For example, responsibility for configuration and responsibility for approving changes could be assigned to separate individuals.

Whether your organisation is a merchant or a service provider, as a PCI QSA, IT Governance can help you to improve your cyber security resilience and comply with the contractual requirements of the PCI DSS in the shortest time frame and for the minimum cost.

Download our PCI brochure to discover our all-encompassing PCI business solutions.

Source: PCI DSS Requirements and Security Assessment Procedures.