Maintaining PCI (Payment Card Industry) compliance is kind of like teaching your kids to clean their room regularly, says George Stewart. The longer between cleans, the more likely you’ll face a lot of screaming, crying and temper tantrums. Leave it long enough and you’ll need to do it for them.
My colleague Bernie Ryan previously penned a piece on why ICT security assessments are a waste of time if you’re only ticking the compliance box. Bernie surmises that true business value comes when you ask important questions about the outcomes of those assessments. It appears that many organisations do not take this next step.
Verizon has released a report detailing the compliance status of a sample of the organisations it assessed for PCI in the 2015 financial year. A key finding of the report is that 80 percent of companies failed their interim PCI assessment, having passed the assessment the previous year. Rather than cleaning their room every week, they’re doing it once a year, and that gets pretty expensive, especially when breached.
Here are five tips to minimise the ongoing cost of compliance and recertification:
Tip 1: Fewer toys – less to worry about
It seems rather obvious, but keeping the scope of your assessment as small as possible is one of the most important things in minimising the cost of ongoing compliance. The smaller it is, the simpler it is to clean and the less effort required. Keep your data stored in the minimum number of locations.
Tip 2: Put your toys back in their box
By designing your business processes to include ongoing security compliance requirements, you can minimise the impact of organisation change on security. Keeping the delta small and cleaning up after yourself means that when audit time comes around there will be little, if any, clean up to do.
Tip 3: Sometimes the screaming isn’t worth throwing away that toy
Some things you really need to keep in scope, not because they’re immediately required for processing or storing your data, but because separating them would cost the business too much. This could be because systems are tightly integrated, there are limitations to your network architecture, or you just don’t understand the implications of removing a system from scope. The costs and the risks of keeping a system in scope, or removing it, should always be weighed against each other.
Tip 4: Keep an eye on things
Set up processes and infrastructure to monitor your compliance status and map this to a dashboard. By maintaining visibility on what’s happening in your organisation you’re less likely to be surprised by a gap.
Tip 5: Teach the kids to be honest
Sometimes bad things happen: in order to get things done quickly, procedures aren’t followed; mistakes and competing priorities mean that security can take a back seat. Encourage a culture of honesty and transparency rather than one of retribution and concealment. People are more likely to admit to mistakes if they’re not shamed for them, and the sooner you can identify a shortcoming, the easier it is to rectify.
Once the kids have been trained, here are some “adult” tips about Penetration Testing.