PCI DSS Compliance Isn’t a DIY Project
Any business that accepts credit card payments by any mechanism is subject to the Payment Card Industry Data Security Standard (PCI DSS). The PCI Security Standards Council offers a wealth of information, training modules and documentation that, in theory, can help organizations take a do-it-yourself approach to compliance.
That is rarely a good idea, however.
PCI DSS compliance can be a complicated, time-consuming process requiring a lot of ongoing effort and attention. Although the standards have existed since 2006, studies continually show that only about half of affected businesses comply. In many cases, companies that meet the standards fall out of compliance later.
Compliance is actually trending downward, according to the most recent Payment Security Report by Verizon. The company’s 2018 report found that full PCI DSS compliance dropped by nearly 3 percent to 52.5 percent. As a result, more companies are opening themselves up to cyberattacks, security breaches, fines and penalties.
The problem with the DIY approach is that PCI DSS isn’t a simple playbook. It’s a set of technical and operational security controls to be implemented by organizations that store, process or transmit payment card or authentication data. The rules include dozens of technical, physical and policy-based controls in 12 broad categories.
The standard reflects the traditional approach of cybersecurity by mandating firewalls, encryption, anti-malware and access controls, but staying on top of these disjointed processes is always going to be difficult. Here are some of the common mistakes and misconceptions that torpedo DIY compliance efforts.
- Businesses that outsource card processing and don’t store credit card information often assume that the standard doesn’t apply to them. That is not the case. The process of redirecting that information to a third-party provider can affect the security of cardholder data, which means your business falls under the scope of standard.
- Treating compliance as a one-off exercise or an annual event is a big mistake. Business processes are always changing, as are security threats. It is important to treat compliance as an ongoing process requiring regular assessments.
- Many businesses validate their compliance efforts by completing a self-assessment questionnaire (SAQ) from the PCI Security Standards Council. However, there are eight versions of the SAQ ranging in length from 22 questions to 329 questions. Too often, organizations simply choose the shortest version for simplicity’s sake. However, each version is designed for specific payment scenarios. Submitting the wrong version for your business could invalidate your compliance and expose your organization to greater risk.
- Another misconception is that passing a vulnerability scan validates compliance. However, these scans only address a subset of one of the 12 categories. Furthermore, scans must be conducted quarterly by a PCI-certified Approved Scanning Vendor (ASV).
- Failing to patch systems regularly is a big reason companies fall out of compliance. PCI DSS specifies that critical security patches must be installed within a month of their release. However, even enterprise organizations with well-staffed IT teams can quickly fall behind. For instance, the massive Equifax breach resulted from a failure to install a two-month-old patch for a web application.
- Another common error is failing to update firewalls. Many organizations consider their firewalls to be plug-and-play technology, but PCI DSS has specific requirements for regularly updating, reviewing and testing firewall configurations, rules and policies.
- The worst mistake businesses make with PCI DSS compliance is simply ignoring it. Because PCI DSS is not a federal law, some consider compliance to be optional. However, it is a contractual obligation if you plan on conducting transactions with Visa, MasterCard or other major card issuers.
Maintaining PCI DSS is more difficult than some analysts would have you believe. Credit card data is obviously an attractive target for cyber criminals, and few organizations are fully prepared to safeguard that data. SageNet has a long track record of helping customers secure, manage and audit payment card information. Give us a call to learn how we can help with your compliance efforts.
Assessments, Cybersecurity Consulting Services
Compliance, Cybersecurity Consulting Services
SageSECURE, Managed Security Services
Interested in what our experts had to say?
Learn more about our services - all driven by the changing technology landscape.