Rodolphe Simonetti, managing director for PCI Consulting Services for Verizon Enterprise Solutions, says there is one common theme connecting all the various companies that have exposed cardholder data (CHD) in data breaches over the past five years: Not a single one was in full compliance with the Payment Card Industry Data Security Standard (PCI DSS) at the time of the breach.
"Compliance needs to be actively maintained. It's a year-round activity. It should be embedded in the normal business process."
-- Rodolphe Simonetti, Verizon Enterprise Solutions
"None of the breached companies were still PCI compliant at the time of their breach," Simonetti says. "Many of them were compliant once but were no longer compliant at the time of the breach. Most companies fail to maintain compliance and are no longer compliant just a few weeks or a month after their assessment."
While PCI is no guarantee that you won't experience a data breach, Simonetti says organizations should think of PCI compliance like a seatbelt: It won't prevent you from crashing, but it may well save you if you do.
PCI DSS is a set of international security standards created and maintained by the PCI Security Standards Council (SSC) in an effort to ensure that merchants and service providers appropriately protect CHD, whether from a debit card, credit card, store card or company purchasing card.
PCI DSS 3.0 is the current effective version of the standard. It replaced PCI DSS 2.0, on Jan. 1, 2014 and will be mandatory beginning Jan. 1, 2015. The 2.0 version of the standard consisted of six objectives broken down into 12 requirements and 289 controls and subcontrols that range from encrypting stored data to conducting vulnerability assessments and configuring access controls. PCI DSS 3.0 has more than 400 controls and subcontrols.
Achieving PCI compliance and maintaining it is often seen as an arduous, expensive and time-consuming task.
Verizon Enterprise Solutions PCI Consulting Services recently issued a detailed report on PCI compliance built on quantitative data gathered by Verizon's qualified security assessors (QSAs) while performing baseline assessments on PCI DSS 2.0 compliance between 2011 and 2013. The assessments spanned many industries and countries.
"According to our research, only around one in 10 organizations were fully compliant with PCI DSS 2.0 at the time of their baseline assessment," writes Ciske van Oosten, director of operations for the Verizon PCI Security practice and lead author of the report. "Despite the increasing maturity of the standard and organizations' understanding of it, attaining compliance remains far from easy--and so it should. Protecting cardholder data is important and the threats to it are very real."
Verizon's PCI Security practice recommends five key approaches to help organizations achieve and maintain PCI compliance and perhaps even derive ROI from compliance efforts:
- Don't underestimate the effort involved in staying PCI compliant.
- Make PCI compliance sustainable.
- Think of PCI compliance in a wider context.
- Leverage compliance as an opportunity.
- Focus on scoping.
1. Don't Underestimate the Effort Involved in Staying PCI Compliant
Staying compliant with PCI DSS is challenging. The CHD that you transmit, process and store may flow across hundreds of systems, via private and public networks, touched by customers and potentially hundreds or thousands of staff. There are 289 controls that must be implemented correctly as part of DSS 2.0--even more in DSS 3.0--and even some of the individual subcontrols can be difficult to implement properly.
"A majority of organizations accepting payment cards still fail to maintain PCI security compliance," says Simonetti says. "Only 11 percent of companies are PCI compliant during their first check. A lot of companies fail to maintain compliance totally."
Whether they're large enterprises with a complex cardholder data environment (CDE) or small or mid-sized organizations with relatively simple CDEs, Simonetti says the overwhelming majority of organizations that initiate a PCI program for the first time fail to fully appreciate the impact it will have in terms of scope, resources and time required.
First and foremost, coordination is essential. Simonetti says that it's fairly common for a mid-sized organization to have at least 20 to 30 PCI projects within the initial remediation phase of its overall program. Large organizations often have many more. To avoid costly mistakes and maximize ROI, each of those projects must be managed and centrally coordinated to ensure overall compliance success.
You need to develop the required configurations and policies, implement the required technologies and infrastructure and, most important, recognize the degree of process and cultural change involved in such remediation.
It is also imperative to understand the size of the task at hand. Many companies start down the road to PCI compliance only to discover weeks or even months later that they underestimated that amount of work required.
Simonetti suggests conducting a business impact analysis to understand the impact a PCI compliance program will have on your business and the amount of effort required to achieve compliance. As an added bonus, this information can be invaluable in securing board-level sponsorship for compliance projects and securing budget for them.
2. Make PCI Compliance Sustainable
Simonetti says many companies treat PCI compliance as a goal that can be attained and then checked off--a one-off annual scramble owned by the security team. Companies that treat their PCI compliance programs this way often lapse in compliance within days or weeks of their latest assessment, Simonetti says. After all, all it takes is one new uncontrolled Wi-Fi access point, unprotected admin account or unencrypted drive.
"Compliance needs to be actively maintained," Simonetti says. "It's a year-round activity. It should be embedded in the normal business process."
In other words, maintaining PCI compliance must become your "business as usual." And that means recognizing that it's not just about technology, Simonetti says, it's about your business processes and staff education. A key element of embedding PCI compliance into your everyday is to build compliance into your corporate change-management program: Make PCI compliance reviews an item in your weekly change control meetings and allocate time to track all changes to every compliance environment.
You should also stress that maintaining compliance is not a task for your security team alone. It involves application developers, system administrators, executives and customer-facing staff in stores and call centers.
3. Think of PCI Compliance in a Wider Context
It's important to think of PCI compliance as a piece that should be integrated into a wider security program, not a blueprint for security. Think of PCI DSS as the minimum standards for what you should be doing, not as a checklist.
Simonetti notes that you should seek to understand the intent of each requirement you implement.
"In particular, each control should be understood in the context of how it helps prevent a data breach by eliminating one of the three elements that form any data breach --data, access and egress (the "data breach triangle")," van Oosten writes. "For example, by limiting what is stored, you reduce the amount of data that could conceivably be breached. By identifying and closing system vulnerabilities, you can block the number of routes an attacker could use to gain access. By implementing DLP solutions, you can make the egress (exfiltration) of data harder."
"The best thing you can do to simplify your PCI compliance workload is to put your PCI compliance strategy within the organization's larger governance, risk and compliance (GRC) strategy," van Oosten adds. "It's essential to ensure that your PCI compliance efforts support a broader control environment, and for all activities in the compliance program to be properly specified and governed in line with your unique operational environment and risk profile."
4. Leverage Compliance as an Opportunity
While PCI compliance can feel onerous, Simonetti says it is more effective to stop looking at it as a cost of doing business and instead view it as an investment. You have to map all CHD flows across your systems and processes to understand what you need to protect. While you need that understanding for compliance purposes, it's also incredibly valuable for providing insight into your business.
Verizon notes you could use that information to identify opportunities to accomplish the following:
- Consolidate systems, allowing you to reduce scope while cutting software licensing, maintenance and facilities costs.
- Rationalize your list of suppliers and clarify roles and responsibilities.
- Transform or streamline outdated processes and reduce staffing.
- Improve system performance and uptime by better applying patches and configuration best practices.
- Consolidate existing merchant contracts with your acquiring banks and payment processors to achieve better transaction fees.
In fact, it's well-worth taking the step of calculating the ROI you'll get from your PCI compliance programs in addition to calculating the TCO, Simonetti says. Doing so will help you understand the overall impact of your compliance program, which you can leverage into real support from the business for your efforts.
5. Focus on Scoping
An effective PCI program is built upon a clear definition of the systems, processes and people that store, process or access CHD, according to Verizon. If you focus on scope, you can reduce the scale of the task at hand and make it much more manageable.
"We still see too many companies not applying one very simple step for reducing scope," Simonetti says. "If you don't need it, don't store it. Storing the data, especially when it's not required, is just taking a risk that's not worth it."
By reducing the scope of the environment to be validated, you can achieve the following:
- Reduce risk. By keeping the spread of CHD across your organization to a minimum, you can limit the risk of data leaking or being stolen. And if you will minimize the scale of any data breaches that do happen. Verizon recommends creating designated "compartments" between the various networks within your organization to help categorize and securely contain business data.
- Reduce workload. Keeping the amount of data you need to protect to a minimum also helps you significantly cut your compliance workload. Any system validated as "out of scope" doesn't need to be assessed.
- Control operating costs. While you're making changes to your infrastructure to reduce scope, you may find opportunities to consolidate systems and restructure environments, providing savings on hardware, software licenses and management.
Thor Olavsrud covers IT Security, Big Data, Open Source, Microsoft Tools and Servers for CIO.com. Follow Thor on Twitter @ThorOlavsrud. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.