Author: Himanshu Shewale
Complying with PCI DSS, one of the most widely known and stringent compliance standards, is a challenging task. Numerous security controls and technical activities go into achieving it for the first time. But the story doesn’t end there: by the time you are done celebrating your achievement, it’s time to maintain the compliance and sustain it for the entire life cycle of the next year.
Organizations that have been maintaining compliance over several years know very well that one has to be very particular about completing the periodic activities. However difficult it sounds, with a good amount of planning and division of responsibilities within your team, accomplishing this won’t be daunting.
Some of the common points of failure are:
- Failing to achieve passing quarterly ASV scans. Remember, a failed scan report is not valid.
- Failing to complete the quarterly internal vulnerability assessment.
- Missing the bi-annual firewall and router rule review.
- Did you scale up and forget to implement the applicable PCI controls on the new in-scope systems?
- New in-scope systems not included in the VAPT (vulnerability assessment and penetration testing) activity.
- Skipping the wireless scan for detection of authorized and UNAUTHORIZED wireless access points.
- User access reconciliation not performed at least every 90 days.
- Did you exceed the defined retention period for cardholder data storage? Adopt a manual method, or automated card finder tools / cron jobs, to check for the presence of CHD beyond the retention period.
- Not installing critical patches within one month and non-critical ones within the defined time period.
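As an added example (not the author's or SISA's code) of the automated card finder / cron job check mentioned above: a small Python scanner that walks a directory, keeps only Luhn-valid 13 to 19 digit numbers as candidate PANs, and flags files last modified before the retention cutoff. The 365-day retention period, the temporary directory and the sample log lines are assumptions constructed for the demonstration.

```python
import os
import re
import tempfile
import time
# Candidate PAN: 13-19 digits with optional single space/dash separators, not inside a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample log lines (not real data): two Luhn-valid test card numbers, one Luhn-invalid value, one phone number.
SAMPLE_TEXT = """\
2015-03-02 order=A1 card=4111111111111111 status=ok
2015-03-02 order=A2 ref=4111111111111112 status=ok
2015-03-03 order=A3 card=5555 5555 5555 4444 status=ok
2015-03-03 phone=+1 415 555 0100 ticket=123456789012
"""

def luhn_valid(digits: str) -> bool:
    # Luhn mod-10 check: every second digit from the right is doubled, digit sum must be 0 mod 10.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def find_pans(text: str) -> list:
    # Return Luhn-valid candidate PANs found in text, separators stripped.
    candidates = (re.sub(r"[ -]", "", m.group(0)) for m in PAN_RE.finditer(text))
    return [p for p in candidates if luhn_valid(p)]

def scan_directory(root: str, retention_days: int, now: float = None) -> list:
    # Walk root, list files holding PANs (masked to first six / last four so the report stores no CHD)
    # and flag those last modified before the retention cutoff.
    cutoff = (now or time.time()) - retention_days * 86400
    findings = []
    for dirpath, _, names in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in names):
            with open(path, encoding="utf-8", errors="ignore") as fh:
                pans = find_pans(fh.read())
            if pans:
                findings.append({"path": path,
                                 "masked": [p[:6] + "*" * (len(p) - 10) + p[-4:] for p in pans],
                                 "beyond_retention": os.path.getmtime(path) < cutoff})
    return findings

def demo(retention_days: int = 365) -> list:
    # Constructed scenario: write SAMPLE_TEXT to a temp file dated 400 days ago, then scan it.
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "app.log")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_TEXT)
        os.utime(path, (time.time() - 400 * 86400,) * 2)
        return scan_directory(tmp, retention_days)
```

Run `scan_directory` from a cron job against the directories where CHD may legitimately land (logs, exports, backups) and treat any finding with `beyond_retention` set as a retention violation to investigate.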
What could be the possible repercussions of failing to meet some of these regular compliance maintenance activities?
- You may miss your intended date of PCI re-certification.
- Acquirers will constantly follow up for the submission of those quarterly ASV reports.
- You may be running possibly vulnerable systems with weak or no controls.
- Business implications with your clients if you fail to meet contractual requirements.
- Lessened consumer trust.
- Flagging, or even removal, from the payment brands’ listing of compliant companies (if listed).
Source: Verizon 2015 PCI Compliance Report
How do you avoid failing to maintain compliance?
- Set reminders and deadlines for completing the daily, weekly, monthly, quarterly, biannual and annual tasks.
- Design a PCI compliance maintenance charter.
- Clearly define responsibilities and divide tasks between the concerned departments and stakeholders.
- Be extra vigilant about what you are adding into the existing PCI DSS scope. Replicate the applicable security controls on the new systems. Consult your information security team or QSA to be cent per cent sure.
- Choose your new service providers wisely. Chase the existing ones to demonstrate their compliance on time.
- Incorporate PCI DSS into business as usual so that it becomes a part of everyday business.
- Patch your systems on time: not just the OS and network device firmware, but also the applications.
- Don’t just collect logs. Review and analyse them, and take action upon them.
- The standard will continuously evolve and get more stringent. Invest in security solutions with long-term benefits in mind.
With that, best of luck in maintaining and sustaining compliance year after year.
Himanshu Shewale is a PCI certified QSA working as a Consultant at SISA Information Security.