Many organisations struggle with meeting and maintaining compliance with the requirements of the PCI standards. Some vocal segments of the community claim that the requirements are too specific and burdensome. In 2013, Phil Kernick blogged about the Decline of the PCI empire. However, not all organisations see compliance as an unattainable goal. We have noticed some fundamental differences which allow some organisations to conquer the challenge of compliance.
2016 saw a change in direction by the PCI Standards Council and a move away from the massive changes seen in the first versions of the standard. This shows a maturing and settling of the core controls, which can only be good news for organisations struggling to play the catch-up game: new requirements were being created before they had been able to implement remediation for the previous version of the standard.
It is true that the PCI standards are prescriptive and wide reaching in their requirements. Compliance with the PCI standards requires your organisation to be aware and in control of information security. However, a key loophole is that the PCI standards only require you to protect the confidentiality of payment card data. This comes from the intent of the standards – to reduce payment card transaction fraud. It is outside the scope and intent of the PCI standards to provide a comprehensive security framework. (You should look towards broader standards such as ISO27001 for guidance for comprehensive management of security controls for your information assets, but that’s another post altogether.)
The two most important features we notice in organisations who are able to master compliance are:
1. Understanding of the Standards
The most important thing you can do to achieve and maintain compliance is to train your Information Security or Compliance management staff in the intent and requirements of the standard. We are often engaged to assist with a Self Assessment or perform an Onsite Review where it quickly becomes clear that the organisation’s key staff have not read or understood the Standard. All of these organisations struggle for compliance. It makes no difference whether they outsource most of their transaction processing or perform it all in-house with bespoke development: they all struggle, and usually fail. In these cases, we try to close the training gap during the assessment process. When the key staff understand the intent and requirements, it is much easier to ensure that the controls are managed and that you have suitably addressed the relevant risks.
2. A focus on being secure rather than being compliant
The cultural approach is a massive contributor to the “burden of compliance”. The perception that compliance is a “burden” starts the organisation off in a retreating stance. This goes hand in hand with the attitude that PCI compliance is “another thing” the organisation has to do, or that discovering non-compliances is a bad thing.
The approach should start from the organisation’s own desire to stay in business and therefore to protect the information assets it manages and relies on for operation. Unless you are in a very fortunate monopoly, a data breach is often a near-fatal experience for an organisation: first through direct impact and remediation costs, and second through loss of customer confidence and market share. All organisations already pay some fundamental attention to Information Security. If you really care about the security of your information assets, many of the requirements will be met by your existing policies and practices. In this case, the PCI Standards are neither a burden nor “another thing”, because you are already managing your risks.
The perception of non-compliances is the hardest attitude to address. No-one likes a red mark on their report card. However, by taking a risk-focused attitude to your management of Information Security and Compliance Management, it is possible to understand that a discovered non-compliance is not just another rule that was not followed, but a real-world threat that is not suitably mitigated. The PCI Standards are a list of mitigations for real-world threats and vulnerabilities exploited globally to achieve payment card transaction fraud. If you are going to avoid becoming one of the statistics, a company that disappeared due to a crippling data breach, you will focus on learning from other organisations’ errors and want to mitigate your own risk using their experience.
True compliance with any information security standard comes from making information security a function of your core business. A robust risk and vulnerability management programme will identify and address many of the controls of popular Information Security Standards, including the PCI Standards.
Ensure you understand your risks and consider all your compliance requirements as ways to mitigate specific risks rather than burdens to satisfy a bureaucratic monster. In this way, you will find that it not only makes achieving compliance easier but also makes your business a safer place.
Principal Security Specialist