The PCI Security Standards Council now enforces continuous compliance, and according to experts one of the ‘primary objectives of PCI DSS version 3.0 is to require companies to maintain adequate security controls to protect payment card data at all times, not merely to pass an annual assessment’. But this is not easy. Unless a defined process for PCI compliance is developed and integrated without disrupting the daily activities of the business, continuous compliance can become a constant struggle.
The Verizon report points to requirements 1 and 11, firewall configuration and security testing, as the main problem areas for continuous compliance. Reviews of firewall rule sets are not being conducted at the interval the PCI DSS requires, which is at least every six months. One expert told SearchSecurity that, “in large or complex organizations, key firewalls that are subject to PCI can have hundreds of rules that must be reviewed. It can be difficult and very time-consuming for busy security professionals to understand which rules are still valid and which rules need to be removed/disabled. Plus, firewall admins are afraid that turning off a firewall rule might ‘break something.’”
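The hard part of the six-monthly review is producing the short list of rules that actually need a decision. The following script is an added example written for this article, not code from the original post, from Omega ATC or from any firewall vendor. It assumes a rulebase exported to CSV with per-rule last-hit and last-reviewed dates (a constructed sample is embedded; real exports differ by product, so `parse_rules()` is the part to adapt) and flags rules that are overdue for review, have seen no traffic inside the review window, are any/any/any allows, are marked temporary, or duplicate an earlier rule. It flags; it does not disable anything, so the "might break something" decision stays with the reviewer.

```python
"""Triage a firewall rulebase export ahead of the semi-annual PCI DSS
requirement 1 rule review.

Added example, not part of the original article. The CSV layout and the
rule fields are assumptions; adapt parse_rules() to your firewall's export.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# PCI DSS requires firewall and router rule sets to be reviewed at least every six months.
REVIEW_WINDOW = timedelta(days=182)

# Constructed sample export. Empty last_hit means the rule has never matched traffic.
SAMPLE_EXPORT = """id,src,dst,port,action,last_hit,last_reviewed,comment
10,10.1.0.0/16,10.9.0.5,443,allow,2015-03-01,2015-01-10,POS to payment gateway
11,any,any,any,allow,,2013-06-01,temporary troubleshooting rule
12,10.1.0.7,10.9.0.9,22,allow,2014-02-14,2014-08-01,vendor access for migration
13,10.1.0.0/16,10.9.0.5,443,allow,,2014-11-20,added by ticket 4411
14,10.2.0.0/24,10.9.0.10,1433,allow,2015-02-20,2015-02-01,reporting server
"""


@dataclass
class Rule:
    rule_id: str
    src: str
    dst: str
    port: str
    action: str
    last_hit: Optional[date]
    last_reviewed: Optional[date]
    comment: str


def _parse_date(value: str) -> Optional[date]:
    return date.fromisoformat(value) if value else None


def parse_rules(text: str) -> List[Rule]:
    """Parse the assumed CSV export into Rule objects, preserving rule order."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Rule(r["id"], r["src"], r["dst"], r["port"], r["action"],
             _parse_date(r["last_hit"]), _parse_date(r["last_reviewed"]), r["comment"])
        for r in rows
    ]


def triage(rules: List[Rule], today: date) -> Dict[str, List[str]]:
    """Return rule id -> findings for the reviewer. Rules with no findings are omitted.

    Nothing is removed or disabled here; the output is the agenda for the review.
    """
    findings: Dict[str, List[str]] = {}
    seen: Dict[tuple, str] = {}  # (src, dst, port, action) -> first rule id with that tuple
    for r in rules:
        notes = []
        if r.last_reviewed is None or today - r.last_reviewed > REVIEW_WINDOW:
            notes.append("review overdue (more than six months)")
        if r.action == "allow" and (r.last_hit is None or today - r.last_hit > REVIEW_WINDOW):
            notes.append("no matching traffic within the review window: candidate for disable")
        if r.action == "allow" and (r.src, r.dst, r.port) == ("any", "any", "any"):
            notes.append("any/any/any allow: needs a documented business justification")
        if "temporary" in r.comment.lower():
            notes.append("marked temporary: confirm whether it should have been removed")
        key = (r.src, r.dst, r.port, r.action)
        if key in seen:
            notes.append(f"duplicates earlier rule {seen[key]}")
        else:
            seen[key] = r.rule_id
        if notes:
            findings[r.rule_id] = notes
    return findings


def triage_sample() -> Dict[str, List[str]]:
    """Run the triage over the constructed sample as of a constructed review date."""
    return triage(parse_rules(SAMPLE_EXPORT), date(2015, 4, 1))


if __name__ == "__main__":
    for rule_id, notes in triage_sample().items():
        print(f"rule {rule_id}:")
        for note in notes:
            print(f"  - {note}")
```

On the sample, rules 10 and 14 produce nothing, rule 11 collects all four findings, rule 12 is overdue and idle, and rule 13 is idle and a duplicate of rule 10 but not overdue. Keeping the review date as a parameter rather than `date.today()` means the output for a past review can be reproduced for an assessor.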
Requirement 11 states, ‘regularly test security systems and processes.’ The Verizon report of 2014 pointed out that even organizations following most of the standard were not meeting requirement 11 completely. PCI DSS 3.0 adds a mandate that requires organizations to ‘implement a formal pen testing methodology’. Requirement 11 as a whole covers regular monitoring, scanning, intrusion detection and prevention, and file integrity monitoring.
Continuous compliance is a challenge. However, organizations should aim to take necessary precautions and do all they can to help themselves first, and then their customers.
Omega ATC can help you. We have expert Security Strategists to hand-hold you through the process, and Information Security Policy experts to help you create the policies for your organization to follow. Call 636-557-7777. Or, email firstname.lastname@example.org. Or, reach us via our contact page.