The industry group behind the Payment Card Industry Data Security Standard has released new guidance that not only helps organizations maintain PCI compliance after they achieve it, but also sends a clear message that PCI compliance won't be getting any easier.
The PCI Security Standards Council today released a new guidance document, Best Practices for Maintaining PCI DSS Compliance Information Supplement, which provides specific recommendations to help organizations ensure cardholder data is secure at all times, not just at the time of their PCI assessments.
Troy Leach, chief technology officer for the PCI SSC, acknowledged that according to Verizon's 2014 PCI Compliance Report, only about one in 10 organizations were fully compliant with PCI DSS at the time of their baseline assessments, and many organizations that achieve PCI compliance quickly fall out of compliance.
When looking for evidence of how difficult it is to maintain the security controls necessary to be PCI compliant, one need look no further than recent high-profile data breaches. Target Corp., which suffered a massive data breach last year involving the loss of data of up to 70 million customers, was believed to be PCI compliant at the time of the breach, as was Neiman Marcus prior to the 2013 discovery of a compromise involving 1.1 million payment cards.
"We're looking at the ways we can minimize the cost and maintenance challenges with PCI DSS," Leach said, adding that the guidance is just the latest effort in the SSC's ongoing campaign to promote continuous adherence to PCI best practices. "This document outlines a lot of different ways you can maintain those security controls throughout the year, focusing on the security and risk associated with those controls, rather than on compliance."
Seven best practices for maintaining PCI compliance
The new information supplement is centered on seven best practices that cover common areas of difficulty for organizations when maintaining PCI compliance, including assigning ownership for coordinating security activities, continuously monitoring security controls, detecting and responding to security control failures, and adjusting the PCI compliance program to address changes. The document also includes two appendices -- one highlighting security frameworks that support PCI compliance, and another detailing standard roles and responsibilities during a PCI assessment.
Mike Villegas, a QSA who participated in the two-year effort to produce the new information supplement, said too many organizations that he and his fellow assessors visit aren't prepared for their PCI assessments because they don't commit to the necessary security controls on an ongoing basis.
"Whether it be a first-time PCI assessment or a recurring one, once the assessment is completed and the ROC or self-assessment questionnaire is filled out, invariably they wind up regressing the following year," said Villegas, a vice president with K3DES LLC, a Houston-based consulting firm. "Some are good at keeping it up for six months, but when I'm not there to keep bugging them, they wind up having to redo their work all over again."
Though Villegas emphasized the importance of the best practices throughout the guidance document, he said arguably the most important set of recommendations involves continuous monitoring. The SIG (the PCI special interest group that produced the supplement) recommends that organizations have well-defined monitoring processes that include establishing manual control reviews, setting monitoring frequencies based on organizational risk factors, and implementing sampling instead of a full system inspection in some cases to save time and reduce costs.
The overarching message, though, according to Villegas, is that organizations must take ownership of their continuous monitoring controls, and not wait until security problems arise to ensure those controls are being met.
"One of the benefits of PCI is that it forces clients to not only deploy but also monitor the effectiveness of those security controls," Villegas said. "But when the QSA is gone, they need to continue to do that."
Derek Brink, vice president and research fellow with Boston-based Aberdeen Group Inc., said it's hard to argue with most of what the PCI SIG recommends, highlighting the key theme that being deemed PCI compliant does not mean an organization is fully secure at any given point in time.
Brink said Aberdeen research has shown that organizations that focus on security over compliance have fewer gaps in security processes and controls than those that adopt a compliance-centric security model.
"I think this guidance gets it right when it says that the driving objective should be the ongoing security of cardholder data … not simply obtaining a positive report on compliance at a point in time," Brink said.
However, Brink expressed some dismay at the tone of the guidance document, which, like other SSC publications, seems to imply that merchants must bear an unequal burden for payment card data security, when in reality they are just one group in a larger ecosystem -- banks, payment processors, card issuers, the card brands and others are also affected.
"It's like that old slogan, 'The beatings will continue until morale improves,'" Brink said. "All of this time and expense and lack of success is fundamentally caused by the way the payment card system is designed -- and those who try to call attention to the imbalance of who in the payment ecosystem benefit, and who in the payment card ecosystem are paying the price, are not wrong."
Maintaining PCI compliance: It's supposed to be hard
Bob Russo, general manager of the PCI SSC, said while the new information supplement is meant to help organizations move away from the "pass and forget" mentality that lends itself to poor ongoing card data security processes, there's no getting around the reality that PCI compliance is hard, and it's supposed to be.
"We have to let people know that they have to make security business as usual. It has to be part of their day-to-day DNA," Russo said. "Otherwise we're going to see the kinds of exploits we've seen lately, 85% to 90% of which are very simple exploits."
Russo admitted that the increased complexity of security technology, and in turn the added rigor in PCI DSS 3.0, makes security a more challenging task for merchants, but said the SSC is working to foster greater collaboration within the PCI community. The SSC is also striving to identify emerging threats and effective defense tactics more quickly -- as shown by its statement Wednesday about the Backoff point-of-sale malware that may have infected as many as 1,000 organizations.
"Bruce Schneier says security should be a process, and any process is inherently boring," Leach said. "We have some interesting behavior challenges with security and we recognize we need to change the equation."
Matthew Pascucci, a security engineer who supports the PCI compliance process for a New York-based online retailer, said his organization has had success using PCI DSS as a tool to add rigor to its security program.
Pascucci said his employer, which he asked not be named, has employed three different PCI QSAs in the past three years in an effort to try to find every possible security issue that could threaten cardholder data. While recognizing that approach isn't yet the norm and makes the PCI compliance process more difficult, he said it ultimately strengthens security controls and ensures they can be met year-round.
"We don't see PCI as a checkbox, and I don't think anyone should," Pascucci said. "I think if you see it as just checking a box, you've got a lot of problems."
Pascucci said that in the wake of the Target breach, continuous PCI compliance is more difficult because QSAs aren't willing to take any security attestation at face value and risk signing a ROC for a company that may cut corners on security. That means organizations like his must make an extra effort to proactively mitigate problems that could surface in next year's PCI assessment.
"We'd show some of our application developers and Linux administrators some of the vulnerabilities we found, and they say they're not a big deal," Pascucci said. "And we'd say, 'We know, but they're in our PCI reports, and that makes them a big deal.' Until people around you have an understanding of what you're trying to accomplish, it can be challenging."
In addition to the topics covered in the new information supplement, Pascucci hopes to see future guidance on maintaining compliance as it relates to virtualization and mobile devices.