The importance of ongoing/continuous PCI DSS compliance processes as an effective means to curb security breaches at a merchant’s site is being touted by many experts in the PCI field lately. Verizon's recommendations also mention this importance in it’s recently released report on state of PCI DSS compliance, based on the findings from PCI DSS assessments conducted by Verizron’s team in 2008 and 2009.
However, if one goes through the document titled ‘Ten Common Myths of PCI DSS’ by the PCI Security Standards council, the aforementioned 'importance' is already mentioned there. The document clearly states, while clarifying one of the myths, that PCI compliance efforts should be considered as a continuous process of assessment and remediation to ensure the safety of cardholder data from everyday security breaches.
As we already know, PCI DSS lays out certain requirements to help organizations securely process and protect cardholder data. The effectiveness of the requirements in curbing security breaches can also be realized from the recently released Verizon compliance report, which mentions that most of the organizations that suffered data breaches are less likely to be compliant with PCI DSS requirements.
However, with deadlines imposed by various card brands for merchants to comply with these requirements, most of the merchants are considering the compliance as list of requirements that need to be ticked off within a specific time frame. Therefore, merchants resort to quick fix measures or take monthly/quarterly/yearly approaches to compliance with these requirements. But, these quick fix measures or point in time approaches are unable to effectively protect organizations against data breaches, because security vulnerabilities can pop up at any point in time, leading to potential data breaches.
Thus, merchants and organizations should recognize the true intent/purpose behind a PCI DSS requirement and employ that intention as a best security practice in day to day operations, protecting themselves effectively against data breaches and achieving compliance at the same time.
This can be illustrated by taking an example of a PCI DSS requirement in context with wireless security that necessitates a quarterly wireless scan at a merchant’s site to detect and eliminate rogue wireless devices. In view of this requirement, a merchant can choose to arrange a bare minimum scan, once in a quarter as required for compliance, but in doing this, they forget that rogue WiFi devices can come up at any point in time, thereby threatening the security of cardholder data. However, understanding the true intent of this requirement, which basically aims at detection and prevention of rogue wireless devices, if a merchant opts for 24x7 wireless (WiFi) monitoring and prevention systems/services, then they will be able to effectively protect the business from security threats arising due to rogue devices at any point in time. Thus, they will be able to achieve sustained compliance to a PCI DSS requirement.
Treating PCI DSS compliance as an ongoing process requires the right set of automated and centralized tools and somewhat more effort, discipline and planning in the initial phases. But, it is certain that after a hectic initial implementation phase, to ensure the continuity of best security practices forming the basis of PCI DSS requirements, the journey ahead will be a smooth one without the fears of data breaches and non-compliance.
Here is a white paper titled “Five Challenges to Continuous PCI DSS compliance”, shedding more light on challenges for an ongoing PCI DSS compliance process.