3 Things PCI Auditors Wish They Could Tell You
The best PCI programs are centered on security because you can be compliant with the letter of the standard and still have inadequate security. For example, in the vulnerability scanning area of PCI, companies are allowed to request waivers for things that don't meet the standard but also can't be fixed. It's tempting to just document areas of noncompliance to pass an audit, but this misses the bigger security picture.
Dec 1, 2010 5:00 AM PT
The Payment Card Industry Data Security Standard (PCI DSS) has evolved substantially since the five major credit card holders got together to publish a consolidated security standard in 2006. The standard has been updated regularly, with the most recent version, PCI DSS 2.0, released in October 2010.
PCI is here to stay, and the requirements are only going to get tighter. Every business that handles credit card transactions is required to demonstrate PCI compliance, even if it only handles one transaction per year. Fines for noncompliance can be as high as US$500,000, and repeat violators may be banned from processing credit card data completely.
PCI auditors see many companies with a "fix it and forget it" attitude toward PCI compliance, but this ad hoc approach rarely delivers optimal results. The standard was designed to secure cardholder data and the systems that transmit and process it, so bringing your network into compliance once a quarter misses the overall objective.
It's not just about compliance; it's also about being more secure. Better security practices reduce the risk of a serious security breach with all its associated consequences: unhappy customers; notification and legal costs; and image and brand damage.
- Control/Minimize the Scope of Your PCI Network
PCI compliance is a lot of work, but you can make it easier by minimizing the "scope," or number of systems that process or store cardholder data. This is one of the very first steps you should take to keep costs and resource requirements down. Start by reviewing all your systems and get a good understanding of where the credit card data is stored or transmitted. Next, make the changes necessary to minimize the number of systems involved. Once you do this, you can focus your security and compliance efforts on those systems. This simple step reduces the scope of your PCI audit, requires fewer resources to maintain compliance, and delivers better, more secure results.
- Increase Your PCI Scan Frequency
The most recent update to PCI DSS requires you to scan your network after every significant change. Corporate networks are constantly changing -- every day new systems are added, passwords are changed, servers are reconfigured. In order to comply with this requirement, organizations have to run scans routinely, not just right before the PCI audit.
At first glance, running scans after every major network change seems unrealistic, and the temptation is to do the bare minimum and hope it's enough to pass an audit. The reality is that routine scans are an excellent security practice for every organization. The challenge is to move away from an audit mentality and build PCI security requirements, including routine scans, into your business processes.
- Track Your Risk Trend
Once you have built security into day-to-day operations, be sure you are keeping track of the results. The documentation is important to provide proof to auditors, but the trend information is also a great tool to help refine your security program. If risk is increasing, even though you may still be compliant, you probably need to take a harder look at the source of the risk. Being able to pass an audit even though your security risk is higher probably isn't the business objective you had in mind.
The best PCI programs are centered on security instead of compliance because you can be compliant with the letter of the standard and still have inadequate security. For example, in the vulnerability scanning area of PCI, companies are allowed to request waivers for things that don't meet the standard but also can't be fixed.
It's important to take a hard look at any of these waivers to make sure that, even though you are PCI compliant, the waivers don't push risk beyond the level your company finds acceptable. It's tempting to just document areas of noncompliance to pass an audit, but this misses the bigger security picture. Instituting regular reviews of all PCI waivers with an eye toward minimizing security risk is an excellent security practice.
Keep It Going
It's financially prohibitive to maintain PCI compliance without investing in some automation. When selecting tools, make sure candidates have the ability to alert on critical security control changes. It pays to spend some time making sure the tools under consideration are operationally efficient. For example, some tools require that software be installed on every system on the network. Tools that don't require this step are much easier to maintain and less time-consuming to deploy.
The best advice for anyone building a PCI-compliance program is to make it an ongoing process. Don't make it a surprise task that comes up every quarter. Assign someone to be responsible for the program. Measure and report on your compliance program and security risk regularly.
If you are doing your job well, every senior executive in the organization, regardless of size, will know the answer to the question "Are we PCI-compliant?" with enough depth to be sure your compliance program is delivering security.
Elizabeth Ireland is vice president of strategy for nCircle.