Oh, PCI DSS, will we ever learn how to deal with you?
I think it is about time to call PCI DSS a mature and thoroughly dissected standard. And I am ready to bet that you have heard, at least once, the sentence “PCI only demands common-sense security!” All true, yet we keep running into organizations that struggle to stay compliant with PCI DSS. It seems we do a good job of covering the PCI DSS requirements, but somehow neglect to build an approach that helps organizations remain compliant, and protect their business, as they evolve.
The PCI standard is based on a simple but effective equation: you must protect a specific and well-defined type of data (cardholder data, and the primary account number in particular), and you must do it with a series of well-defined measures, most of them technical (PCI DSS is probably the standard that, more than any other, dares to get its hands dirty with technology) and the rest procedural. It is all in there: a neat checklist of things to do and implement.
If you want to achieve PCI DSS compliance, the infamous “checklist approach” is naturally the most straightforward route: there are 12 well-detailed requirements; follow them to the letter and work with a QSA (Qualified Security Assessor) to get the stamp. If you are smart and savvy, you can work through them using a prioritized approach, or you can simply pick requirement 1 and start from there.
Nice and easy, right? Not really. The checklist approach may work well on the first cycle, but year after year it becomes an enormous burden, because you either have to go through every single item over and over again, or you rely on the assumption that the controls and procedures are still valid as implemented the year before (or the one before that, or the one before that). A checklist approach is not a dynamic, consistent or ongoing approach to compliance and security, and it cannot keep pace with the evolution of what counts as information, especially when that information takes the form of digital data.
What organizations really need is a flexible compliance program that builds on the initial checklist approach, with these three objectives in mind:
- Execute cardholder data controls and environment change controls: it may sound incredible, but requirement 3, “Protect stored cardholder data”, is the main reason PCI DSS assessments fail (there are plenty of reports online on why assessments fail), as if the whole standard weren’t purposely built to protect cardholder data. The compliance program must be able to track where data is stored and how it is used, monitor the data flows, and understand what is actually happening to the data. At the same time, every change to the PCI environment must be tracked and evaluated, and the controls adjusted accordingly. And this has to be an ongoing effort, not a once-a-year exercise.
- Enforce due diligence and accountability: the efficacy of every control and procedure implemented must be assessed regularly. If you measure it, you can hold people accountable for it, and you can give them the data to make decisions. It also makes the next compliance assessment easier, because you can show what works and what doesn’t, and why certain controls are more relevant than others.
- Simplify itself: yes, a compliance program should have the goal of making compliance easier by evolving itself. Automating tasks, removing extra procedures that bring no benefit, and optimizing effort are all objectives of the compliance program and should be metrics of its success. A compliance program that cannot demonstrate how being compliant gets easier year after year, assessment after assessment, is simply not worth the effort.
In conclusion, to achieve PCI DSS compliance in a sustainable way, we need an approach that covers both the implementation of the required controls (check out here how Symantec can help you with that) and a compliance program capable of monitoring data life cycles and changes in the environment, assessing the efficacy and efficiency of the controls implemented, holding people accountable for the results, and reducing the effort of being compliant.
Are there valid approaches out there? Can technology play a key role and be seen as a compliance enabler?
I have some ideas and will share them with you later on. In the meantime, I would love to hear your take on this.