The PCI DSS’s additional guidance (released in June 2015) on maintaining business-as-usual compliance will help organisations assess and document how they maintain PCI DSS compliance on an ongoing basis. This guidance underscores the PCI Security Standards Council (PCI SSC)’s commitment to “continuous compliance”, as highlighted in version 3.1.
The new guidance, the Designated Entities Supplemental Validation, or DESV, is aimed at organisations (designated entities) that might be at a greater risk of compromise, such as those that:
- store, process and/or transmit large amounts of card data;
- provide aggregation points for cardholder data; or
- have suffered repeated or significant data breaches.
The organisation’s acquirer or payment brand will identify such designated entities.
The PCI SSC points out that the guidance is not a new set of requirements, but rather additional criteria that any organisation can apply to establish whether they are meeting the PCI DSS’s encouragement of business-as-usual (BAU) compliance.
Best-practice guidance for maintaining business as usual
The DESV is intended to “provide greater assurance that PCI DSS controls are maintained effectively and on a continuous basis through validation of business-as-usual (BAU) processes, and increased validation and scoping consideration,” according to the FAQ section on the PCI SSC website.
The PCI SSC stresses that the DESV can be used to complement any entity’s PCI DSS compliance efforts, and encourages the adoption of DESV as best practice – even for organisations that are not designated entities.
More challenging, more costly
Experts reckon that these new requirements will place an additional compliance burden on designated organisations, while at the same time requiring a greater monetary investment.
For example, requirement 11.3.4 of the PCI DSS states that penetration testing must be conducted at least annually, or after changes to the infrastructure or applications. The DESV requires that such penetration testing be conducted at least every six months and after changes to segmentation controls or methods.
The new guidance consists of five control areas:
- Implement a PCI DSS compliance programme;
- Document and validate the PCI DSS scope;
- Validate that the PCI DSS is incorporated into BAU activities;
- Control and manage logical access to the cardholder data environment; and
- Identify and respond to suspicious events.
The DESV addresses risk management, governance, controls and process maturity, and holds the organisation’s leadership responsible for PCI compliance.
Requirement DE.1.1 requires executive involvement and responsibility:
- Executive management to “establish responsibility for the protection of cardholder data and a PCI DSS compliance program”.
- Regular updates (at least annual) to be provided to executive management and the board of directors on PCI DSS compliance initiatives and issues.
Requirement DE.1.2 requires a compliance programme to be in place that includes:
- Definition of activities for maintaining and monitoring overall PCI DSS compliance, including BAU activities;
- Annual PCI DSS assessment processes;
- Processes for the continuous validation of PCI DSS requirements; and
- A process for performing business impact analysis to determine potential PCI DSS impacts for strategic business decisions.
Requirement DE.1.4 requires annual training of skilled professionals:
- Up-to-date PCI DSS and/or information security training must be provided to employees/contractors with compliance responsibilities at least annually.
The PCI SSC hopes that the DESV will help companies address specific challenges in maintaining ongoing security efforts to protect payment card data, through:
- effective compliance programme oversight;
- proper scoping of the cardholder data environment; and
- effective detection of failures in critical security controls.
The PCI SSC advises that the “supplemental validation” of the DESV must be performed in conjunction with a full PCI DSS assessment, and provided through a supplemental ROC reporting template (S-ROC) and a supplemental Attestation of Compliance (S-AOC), in addition to the PCI DSS ROC and AOC.
Although the DESV is only mandatory for designated entities, the shift towards increasingly tight compliance requirements may push it towards business as usual for all organisations in the future.