
What advice does the PCI Special Interest Group have for compliance?

A new PCI Special Interest Group document gives advice to enterprises on staying PCI DSS compliant after audits. Expert Mike Chapple highlights the key takeaways.

What are the most important pieces of advice you suggest taking out of the new PCI Special Interest Group guidance document on maintaining PCI DSS compliance?

In its recent guidance, the PCI Security Standards Council seeks to address the issue of PCI DSS compliance "fall-offs" that occur between the annual assessment cycles required by merchant banks. It uses the diagram shown below to illustrate how, in many organizations, compliance begins to decline immediately after an assessment is completed.

The document itself is full of good advice on building a robust, sustainable compliance program. Here's the quick rundown of the seven steps it encourages compliance-minded organizations to take:

  • Maintain the proper perspective. Remember, the driving objective is to protect sensitive cardholder information from unauthorized disclosure and use. Everything else in the compliance program is designed to achieve that goal.
  • Assign ownership for coordinating security activities. Simply put, if someone specific isn't in charge, then it's not going to get done. Identify a compliance manager to keep the focus on compliance year-round.
  • Emphasize security and risk, not just compliance. Organizations shouldn't be designing for compliance. Instead, they should be designing for security and achieving compliance as a consequence.
  • Continuously monitor security controls. A security program requires daily attention, and it should generate evidence that illustrates ongoing compliance.
  • Detect and respond to security control failures. Things go wrong. Design the security program so that when they do, the appropriate personnel are made aware of the failure and can take immediate remediation action.
  • Develop performance metrics to measure success. Use a combination of implementation, effectiveness and impact measures to monitor the status of the security program over time.
  • Adjust the program to address changes. Businesses change regularly. Monitor changes in your organization, business processes and technologies to evaluate the ongoing effectiveness of security controls.

Figure: PCI Security Standards Council PCI DSS compliance curve

This new guidance document provides some great common-sense ways to improve a compliance management program. The advice it contains should be required reading for anyone responsible for security or compliance in an environment handling any type of regulated data.


This was last published in February 2015
