For enterprises which need to adhere to the Payment Card Industry Data Security Standard (PCI DSS), achieving compliance can be an incredibly strenuous exercise and is often, rightfully, celebrated.  Yet, according to the 2015 Verizon PCI Compliance Report, only 29% of reporting companies that were successful at their last annual audit maintained full compliance at their next interim assessment.  So how does an organization strive for and achieve continued PCI DSS compliance?  The first step is to not make compliance the goal!

To leverage a metaphor from academics, suppose you are a biology student who just aced your mid-term.  What is the best approach to take to ensure success on your final?  Would you focus on the questions asked on the mid-term?  Would you assume that since you were successful before, you should be successful again?  Would you focus on the test format?  No.  Your best course of action is studying and expanding your knowledge of biology!  Similarly, PCI DSS compliance is a measure of your company’s security posture and defines a baseline for end-to-end protection of Payment Card Information.  The best way to maintain compliance and pass the endless series of coming tests (there is no “Final” in the real world) is to focus on and strengthen your IT security posture.

  • Build a Team

The first step towards increased security awareness and, by extension, continued PCI DSS compliance is the human factor.  Identify IT Security Leadership and assign responsibilities for maintaining and advancing enterprise IT security.  Of course, for this to work effectively, this person or group will need the tools, training and authority to identify and present security concerns at an operational level, and a set of metrics to present these as a measure of Risk.  Performance metrics should be considered for implementation measures as well as effectiveness measures.

  • Create a standardized Control Framework

“When it comes to maintaining PCI DSS compliance, the most successful organizations develop their security programs based on security principles rather than on a particular industry or regulatory mandate.”  As opposed to focusing on PCI DSS mandates directly, the more successful approach is to adopt a full-scale standardized control framework.  This allows the organization to focus on Risk and Security metrics while incorporating the PCI DSS directives as part of the overarching control structure.  Already-defined frameworks such as those from NIST, ISO or ISACA can (and should) be leveraged to help make maintaining PCI DSS compliance more practical.

  • Operationalize Security Processes

The goal for the security organization isn’t to build new and additional processes but to build security considerations into existing processes as a discipline.  Just as a mature Change Management review would identify other risks (network outage, data loss, etc.) and devise a series of tests, success criteria and back-out plans, data security impact should become another review standard with its own set of tests and standards.  While annual compliance reviews will still be required, the primary objective should be to incorporate security review as part of the daily routine.  When these considerations are made part of the operational routine, the likelihood of maintaining compliance at review time increases greatly.

  • Continuously Monitor the Organizational Security State

While the PCI DSS standard mandates specific review frequencies, the successful organization will treat these as a minimum baseline.  The organization truly needs to cross-reference these standards against its environment specifics to identify those systems requiring additional attention.  Factors such as security control volatility (the likelihood of change to existing controls), system impact and importance, and existing control weaknesses must be incorporated when determining the monitoring and review approach.  In larger environments, where interim full reviews may not be feasible, implement sampling procedures to test subsets of the full environment while being sure a viable sample group is selected (don’t test one of 100 servers, or consistently test the same 30 devices…).  Finally, employ automation wherever possible, but remember that the automation framework will need periodic review as well.

  • Reduce the PCI “Footprint”

While the previous steps stress the importance of focusing on overall IT security and not just PCI DSS compliance, the one specific strategy recommended is to identify, rationalize and reduce the volume of PCI data in the environment.  Identify all locations which store cardholder data, the systems which transfer the information and the applications which use it and, when possible, reduce or eliminate them.  De-duplication of storage, using masked or truncated identification, and employing tokens instead of Cardholder Data can all be effective mechanisms for reducing the footprint of your PCI environment and, consequently, easing the monitoring and review process while increasing compliance capabilities.  Truly, this advice works in reverse too, as rationalizing and reducing the volume of ALL sensitive information allows for increased security and decreased risk within the organization.
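The masking, truncation and tokenization mechanisms mentioned above, as an added illustration (not code from the original article): a PAN is validated, then reduced to a display mask (PCI DSS v3.x Requirement 3.3 permits at most the first six and last four digits to be shown), a storage truncation (last four only), or a random token held in a hypothetical in-memory vault so that only the vault remains in scope. The sample PAN is a constructed, well-known test number.

```python
import re
import secrets

# Constructed sample PAN (a standard test number, not a real card).
SAMPLE_PAN = "4111 1111 1111 1111"


def normalize_pan(pan: str) -> str:
    """Strip spaces/dashes and validate length and Luhn checksum."""
    digits = re.sub(r"[\s-]", "", pan)
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    if total % 10 != 0:
        raise ValueError("PAN fails Luhn check")
    return digits


def mask_pan(pan: str) -> str:
    """Display form: first six and last four visible, the rest starred."""
    digits = normalize_pan(pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def truncate_pan(pan: str) -> str:
    """Storage form when the full PAN is not needed: keep only the last four."""
    return normalize_pan(pan)[-4:]


class TokenVault:
    """Hypothetical in-memory vault: swaps a PAN for an unpredictable token."""

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan: str) -> str:
        digits = normalize_pan(pan)
        if digits not in self._by_pan:          # one stable token per PAN
            token = "tok_" + secrets.token_hex(12)
            self._by_token[token] = digits
            self._by_pan[digits] = token
        return self._by_pan[digits]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]
```

Systems outside the vault only ever see the mask, the truncated value or the token, which is what shrinks the PCI footprint.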

  • Build a Process to Respond to Failures

While this document is focused on the work required to maintain PCI DSS compliance and to manage risk within the environment, it is likely that at some point some sort of failure will occur.  This may not indicate a full-scale breach, but at some point it is likely that at least one Control will fail.  The time to devise a response is before this happens.  First, review your controls and develop processes to restore them in the event of failure.  Develop a process for failure cause analysis.  Identify controls/systems which might allow ‘leap-frog’ abilities and proactively assess the impact of the combined failure.  Define failure mitigation measures, especially for any controls where weaknesses have already been identified.  If or when a failure occurs, be sure to employ enhanced monitoring of the systems affected.

  • Expect and Adjust to Changes

In April of 2015, the PCI DSS standard migrated to version 3.1, only months after the full adoption of version 3.0, due to the vulnerabilities identified in the SSL and TLS 1.0-1.1 protocols.  For organizations just struggling to achieve and maintain compliance, this rapid and relatively unexpected update greatly complicated their status.  For organizations integrating their compliance metrics into a Risk-based approach, the risk value jumped when the vulnerability was discovered.  All the PCI DSS version change did was acknowledge that the ‘bar’ to determine passing had risen to match the change in the environment.  To be effective in managing this risk, an organization needs to expect and be able to adjust to these changes constantly.  The threat landscape continually evolves, so the IT Security Organization needs to maintain constant awareness of the systems employed, the controls enacted and the ever-changing capabilities of their adversaries.  Organizations which recognize and develop strategies to address these variabilities are much more likely to effectively protect cardholder information and maintain PCI DSS compliance.