PCI Compliance Is Broken. The “Business as Usual” Mindset Holds the Key to Fixing It.
February 10, 2017
By Dan Schroeder, partner-in-charge of Information Assurance Services
The typical approach to PCI compliance is high-drama, inefficient and ineffective.
You don’t have to look far for proof. Just look at the hundreds of data breaches every year befalling retailers, financial institutions and fintech companies. As organizations that store, process or transmit cardholder data, they each must demonstrate compliance with PCI Data Security Standards. So what’s happening? Why are these “PCI compliant” organizations falling victim to seemingly preventable attacks?
The root of the problem is the misguided notion that “compliance” should be focused on a specific point in time. The PCI Security Standards Council deserves some credit for attempting to dispel this misconception with its introduction of the concept of “Business as Usual” (BAU) activities, or activities that are “baked in” to an organization’s ongoing security strategy and operations.
But that BAU mindset still is not prevalent, and the typical approach to achieving that checkmark remains a once-a-year rush to compliance.
See if you recognize the following scenario: Your PCI Qualified Security Assessor (QSA) shows up in the weeks just before your Report on Compliance (ROC) expiry date, without enough time to understand your PCI cardholder data environment (CDE) in any meaningful way. The QSA identifies issues or concerns that should have been raised months ago, and the report gets hung up in a quality assurance black hole, leaving you and those depending on your Attestation of Compliance biting your nails as the clock ticks toward your expiry date.
This fire drill drains your organization’s time and energy but does nothing to address the state of the cardholder environment during the other 10 or 11 months of the year. Even worse, you are communicating to all stakeholders that controls are only important as a way to achieve the “checkmark” of PCI compliance.
A better way: institutionalized risk management
Many information security professionals and business leaders have come to accept this dysfunction as the norm, but it doesn’t have to be. To break out of this flawed and drama-filled cycle, take a step back and incorporate PCI DSS requirements into the organization’s ongoing risk management.
Consider how your organization can put into practice the PCI Security Standards Council’s best practices for implementing PCI DSS into BAU activities. For example, review changes to the environment or to organizational structure before they are implemented, and then:
- Determine the potential impact to PCI DSS scope,
- Identify PCI DSS requirements applicable to systems and networks affected by the changes, and
- Update PCI DSS scope and implement security controls as appropriate.
We find that these scope changes are the culprit for much of the PCI compliance drama. Think about it: Your infrastructure is constantly changing, with new functionality, new connections and new types of data being brought online several times a year. In the absence of a BAU approach, those scope changes are sure to contribute to the fire drill that happens in the weeks just prior to the PCI compliance assessment. A BAU approach, on the other hand, means making these changes only with full knowledge of how they can contribute to vulnerabilities in the CDE or any other risks.
From high-drama to no-drama
Not only does BAU mean that your organization should be maintaining and monitoring controls on a continuous basis, but it also means that your auditors should be testing throughout the year. CPAs understand this. This BAU mindset is akin to the concept of “operational effectiveness” that is baked into CPAs’ attestation standards. At Aprio, we have extended this concept into an agile approach to auditing that spreads testing throughout the year.
Organizations that schedule ongoing monitoring and testing of controls throughout the year—rather than engaging in a PCI compliance fire drill in the weeks leading up to the PCI audit—find that the process is more efficient and provides greater peace of mind. By starting as early as possible, they can prioritize areas that were deemed most risky by the organization’s risk assessment, giving plenty of time to remediate those issues.
With institutionalized risk management and agile auditing, PCI compliance transitions from a high-drama, anxiety-producing fire drill to essentially a non-event where the ROC is produced as a byproduct of ongoing monitoring and testing. This agile approach promotes maximum buy-in and awareness, gives the most attention to high-risk areas, builds risk into business decision-making 12 months of the year and creates minimal disruption to the company.