Author: Swati Sharma
“Payment Card Industry Data Security Standard is seen as a burden by half of security pros, and 59% don’t think it helps them become more secure, according to a study from Ponemon.”
PCI DSS (Payment Card Industry Data Security Standard) is well known term in industry. Most of the Industry experts treat PCI DSS as a compliance requirement that has to be followed because of their business mandates it. Let’s discuss the constraints for successful PCI DSS and how why PCI Compliance may fail.
Starting without understanding the Environment
Started the assessment with checklist, Good! It can lead to disaster if assessment has been started without understanding the environment, business process, Network Infrastructure and most Important- Cardholder data flow.
PCI Compliance may fail due to inefficient scoping
PCI DSS project completion timelines, cost in terms of efforts and money directly depends on scope and complexity of the environment. Inefficient scoping can lead to big time failure, it is better to get the scope validated by your QSA at initial stages to avoid eleventh hour surprises. Scoping is not a PCI DSS requirement but it is strong recommendation for getting PCI DSS implementation in efficient and optimal way. While decided the scope review assess all the location, application, database and system components, do not forget to review operations/ production support workstations.
Very first question that QSAs are being asked during “When we will get the PCI DSS certificate”, Hold on! PCI DSS is not a ready made dish, PCI DSS compliance timeline and resources required can estimate after initial assessments and not before that.
Account data stored everywhere, too good!!! A recent study shows that most of the organizations fail to meet the PCI DSS requirement 3 (protect the stored cardholder data). It is a sin to store the sensitive authentication data post authorization and direct non-compliance also. Cardholder data storage has to be minimized and must be stored only if there is critical business requirement for the same. Stored cardholder has to be stored untendered. So, what is the best option for rendering card number like truncating, hashing, tokenization or encrypting it, depends on why cardholder data is being stored.
PCI DSS has around 250 requirements (including sub-requirements) that try to cover all layers of securities yet the threat vector is dynamic. Hackers are also aware with loopholes of compliance standard. There are certain risks that are specific to technology and business process, a checklist based audit without understanding the risk can be fatal and PCI compliance may fail.
Misunderstanding of PCI DSS requirements can be costlier deal that can waste time, money and resources; even it can make your certification next to impossible. Getting expert QSA on board at right time can make your PCI DSS journey smooth and easy.
Adopting new technology is key for business advancement and success, Implementation of latest technology in PCI DSS scope has to be evaluated well to address risk associated with particular technologies and their compatibility with PCI DSS requirements.
Though PCI DSS accepts the compensating controls for requirements where business and technical constraints are there to meet the PCI DSS requirement, it does not means that have compensating control for all requirements.
Outsourcing the cardholder data related activities and security operations to third parties without evaluating the security and compliance level of services provider can be a deadlock situation. After risk assessment, risk need to be mitigated with 4Ts – Treat, Terminate, Tolerate, and Transfer. If risk is being transferred to third party like service provider make sure that additional risk aroused and compliance requirements (PCI DSS – 12.8) has been addressed.
PCI DSS compliance achieved, now sit back and relax!!! No, PCI DSS is an ongoing program where it has to be maintained throughout the year. There are daily, weekly, quarterly, half-yearly and annual activities to maintain the certificate. PCI compliance may fail if activities are not carried out in time-manner and action needs to be taken to maintain PCI compliance.
Objective should not be meeting merely PCI DSS checklist but PCI DSS requirements intend must be well understood and cardholder data environment has to be secured with due diligence.
About the Author:
Swati Sharma, PCI QSA, CISSP, CISM(Q) ISO 27001 LA, MS (Information Security and Cyber Laws –IIIT Allahabad). The author is Consultant at SISA Information Security. She has experience of PCI DSS and Information Security in different verticals like leading Banks, IT companies, Payment processors, e-commerce and BPOs, etc. can be reached at firstname.lastname@example.org