7 Services for Helping to Achieve and Maintain PCI DSS Compliance
The Payment Card Industry Data Security Standard (PCI DSS) mandates a strong security framework for businesses that store, transmit or process credit card information. Some 16 years after it was launched, a new study finds that only about 1 in 5 U.S. companies are in full compliance with the standard.
According to Verizon’s 2019 Payment Security Report, only 20.4 percent of U.S. companies have achieved “effective and sustainable” compliance. The numbers aren’t much better globally, with only 36.7 percent of organizations in compliance.
Surprisingly, these numbers represent a precipitous recent drop in compliance. Verizon reported a 52.5 percent global compliance rate just two years earlier. Analysts say the drop suggests that too many organizations are treating compliance as a one-off task rather than an ongoing process.
The timing of this downward trend is troubling. The standard is meant to ensure the security of customers’ credit card information, yet shrinking compliance is occurring at a time of heightened risk. Nearly 8 billion records, including credit card information, were exposed through data breaches in 2019, making it the worst year on record for data breach activity.
The key to compliance is treating it as an ongoing process. Verizon finds that most companies fall out of compliance within a year after being validated. This indicates that companies are either unwilling or unable to keep up with the ongoing effort.
SageNet has built a portfolio of cybersecurity services designed to help customers achieve and maintain compliance with as little effort as possible. All these services map directly to the 12 specific PCI DSS compliance requirements. Here’s a summary of our seven key compliance services:
- Managed Firewall and Switch Services. We offer design, deployment, and ongoing management of network infrastructure. We work with our customers to design a segmented network that minimizes PCI scope, and our services are PCI certified to support all firewall and switch management requirements.
- Managed Remote CDE Access and Authentication. We offer a software-defined perimeter that creates a “zero trust” or micro-segmented network for your retail environment with multiple authentication integrations to support all business and risk requirements. This service specifically addresses PCI DSS requirements for restricting access to the cardholder data environment and supports multi-factor requirements as well.
- SIEM-as-a-Service. Security information and event management (SIEM) solutions collect, aggregate and analyze log data from a wide range of infrastructure devices including POS devices, security devices, and relevant applications. This is one of the essential PCI DSS requirements, but few organizations have the manpower or expertise to implement, manage, and support a SIEM in an effective way. SageNet’s trained security engineers and architects have designed a SIEM infrastructure that utilizes automation and cloud services in a way that makes it affordable and simple to deploy to our customers. As defined by requirement 10, SageNet performs log collection, storage and reporting required for PCI compliance. As part of this SIEM offering, we’re also able to add on analysis and investigation services at the customer’s request, performed by our in-house, 24/7 SOC.
- Security Operations Center-as-a-Service. With an in-house, 24/7 SOC, SageNet is able to provide the necessary certifications to fulfill most of PCI Requirement 10. Following such a certification, the customer’s only remaining responsibility is to demonstrate its response to any escalations raised from the CDE. Security analysts in the SOC continuously monitor, investigate and escalate security events. This service includes the full SIEM service as well.
- Penetration Tests. PCI DSS requires that penetration tests be performed on an annual basis. These tests simulate attacks and help organizations determine the effectiveness of the technical, operational and physical controls they have in place. Testing capabilities include internal, external, web application, mobile, physical and social engineering. Testing requirements depend on the scoping of each customer’s CDE.
- Vulnerability Scanning. PCI DSS requires, at a minimum, a passing external ASV scan once a quarter, as well as a regular internal vulnerability scanning program. SageNet teamed up with an Approved Scanning Vendor, Clone Systems, to provide the required external ASV and internal scanning capabilities. The network scans are designed to identify known vulnerabilities in your environment, assess the risk they pose, and provide remediation assistance.
- Security Risk Assessments. PCI DSS mandates that the risk assessment be revisited at least once per year. SageNet’s security consultants evaluate your organization’s security posture and review policies and procedures to derive actionable results for enhancing the program based on the chosen framework. These assessment services are based on the standard security frameworks ISO 27001/27002, NIST 800-53 and PCI DSS. In a PCI-mandated environment the focus is often strictly PCI, but the wider corporate environment has been known to affect the CDE, so it is incorporated into the assessment where possible.
PCI DSS compliance is essential for any company that handles cardholder data. Noncompliance can be expensive, with organizations facing fines between $5,000 and $100,000 per month as well as potential legal costs and client compensation. In extreme cases, noncompliance could put you out of business. Banks and payment providers have the option of terminating their relationship with offending companies, making it impossible for them to accept card payments. That’s just not a practical way to do business today.
To achieve sustainable PCI DSS compliance, issues must be addressed regularly and controls updated as the environment changes. Give us a call and let us show you how we can help you achieve and maintain compliance.