Most firms fall out of compliance within a year
According to the report, which examines the state of Payment Card Industry Data Security Standard (PCI DSS) compliance and its correlation to data breaches, most companies fall out of compliance within a year. Fewer than one-third were still fully PCI-compliant less than a year after being validated.
Security testing and firewalls – biggest weakness
Two key areas where organisations fall out of compliance include regular testing of security systems and processes, and maintaining firewalls.
Correlation between non-compliance and data breaches
The report reveals that none of the firms that suffered a data breach were fully compliant with the PCI DSS at the time of the breach.
PCI DSS – a check-box approach to compliance is wrong
PCI DSS v3.0, which came into force on 1 January 2015, stipulates that compliance monitoring should be an ongoing project. Merchants and service providers, who must comply with the Standard, are encouraged to wrap payment security into their day-to-day activities or they may face compliance issues.
I have addressed some of the major areas organisations should focus on when complying with PCI DSS v3.0 in a previous blog post (published in December 2014), but here they are at a glance:
Reduce the cardholder data environment
It has long been recommended that the scope of the cardholder data environment (CDE) be reduced to simplify implementation of the PCI DSS. Scope reduction can be achieved through a number of methodologies, including network segmentation.
Develop a penetration testing methodology
PCI DSS v3.0 makes it clear that organisations need to test segmentation of their cardholder data on their network as part of internal penetration testing. Additionally, organisations are required to have a methodology for penetration testing based on industry-accepted approaches, and ensure that testing is conducted across the entire CDE perimeter and critical systems. Companies must specify retention of penetration testing results and the results of remediation activities.
Educate your employees
Ensure that your employees are aware of their responsibility to protect customers’ cardholder data and the procedures in place to do so. PCI DSS v3.0 clarifies the requirements for password education, in addition to changes in the requirements involving passwords and authentication. At the same time, new requirements on providing point-of-sale security training and education aim to improve the security of card transactions.
Clarify the relationship between merchants and service providers
Requirement 12.8.5 of PCI DSS v3.0 mandates maintaining information describing which PCI DSS requirements are managed by each service provider, and which are managed by the organisation itself. This means ensuring that the point where the responsibility for protection of cardholder details moves from the merchant to the service provider is recorded and agreed between both parties, reducing misunderstandings.
Call the PCI DSS experts
As a PCI QSA company, IT Governance is able to provide ongoing compliance support as and when you need it. Please email us or contact us on +44 (0)845 070 1750.
We can also take the pain away from transitioning to v3.0 of the PCI DSS through our bespoke PCI v3 Transition Consultancy service.