The key finding from the 2011 Verizon Payment Card Industry Compliance report was that organizations that achieve compliance quickly fall out of compliance. Our company does as well, but in our defense, it seems virtually impossible to remain PCI compliant at all times without making it the chief focus of the entire company, which isn't practical. Is it theoretically impossible to remain PCI compliant continuously?
The Verizon finding that organizations fall out of PCI compliance almost as soon as they achieve it is quite telling, as many companies struggle immensely with the notion of maintaining compliance. To be fair, there are so many policies, procedures and processes that have to be continually changed, updated and assessed in order to truly maintain PCI compliance.
Even amid that reality, companies should commit their best efforts to achieving ongoing compliance with all aspects of the 12 core requirements of the Payment Card Industry Data Security Standard (PCI DSS). A risk assessment approach should be taken whereby organizations identify and assess the areas considered most susceptible to breaches of cardholder data; this usually starts with the data at rest. With that in mind, the first question is whether sufficient encryption and key management controls are in place to protect the cardholder data. Only then is it sensible to move on to the many other areas that carry a high risk of compromise because of their association with the cardholder data environment (CDE).
It's arguable that it is theoretically "possible" to stay PCI compliant with a risk assessment model that continually assesses the system components within and around the CDE. The best way to remain continually PCI compliant is to NOT treat compliance as a start-and-stop process, whereby you implement all the necessary requirements, walk away, and revisit the same requirements a year later. Security teams must interact with all system components, and with the personnel responsible for their compliance, on a routine basis. It is challenging indeed, but it has to be done. Furthermore, continuous compliance is possible, technically speaking: organizations already commit large resources for short periods of time to meet annual PCI compliance, whether through an on-site assessment by a Qualified Security Assessor (QSA) or an in-house self-assessment. Unfortunately, if an organization is retested, it is common to uncover many PCI violations even though the enterprise in question was "technically" granted certification previously. Even if it is challenging and daunting, maintaining PCI compliance continuously is achievable and worthwhile.
This was first published in December 2011