Why are so many companies struggling to achieve PCI DSS compliance?
Jan Fry, head of PCI Services at pentesting consultancy Procheckup (which sponsors the PCI DSS UK User Group), said he has spotted some common mistakes companies make when starting a PCI DSS compliance program, and suggests the following:
Treat PCI DSS as a separate project.
Companies often try to fit PCI DSS around existing projects. If they have a new website going live or a new firewall to put in place, they will try to fit the compliance efforts around that.
That means the PCI compliance deadline is tied to that of the main project. The main project roadmap may be up to three years, but as long as the company can show that key areas are being addressed, such as encryption of credit card numbers, then the acquirers are usually quite satisfied with that.
Focus your PCI DSS efforts.
Some companies believe the standard needs to be applied across the whole infrastructure in the same way. In reality, you can apply stricter controls in important areas, and be less stringent in other part of the systems.
Restrict usage of credit card details.
Companies should exercise more control over the movement and usage of credit card data. Some companies will allow the marketing department or a third-party organisation to access credit card details. That just expands the scope of the PCI DSS compliance programme to the whole company and out to the third parties, so their project becomes huge.
If they assessed it more closely and asked, for instance, how much use marketing gets out of the credit card data, they could reduce the scope of their project and reduce cost as well. One of the best ways to tackle PCI DSS is to restrict the number of areas where card data is allowed to go.
To make that happen, organisations may need to redesign their business processes so that card data is controlled more tightly. The benefit then is to reduce the scope, cost and complexity of the compliance program while still remaining compliant.
PCI compliance is not enough.
Ticking all the boxes to become PCI DSS compliant may still not guarantee that you are secure, and one Qualified Security Advisor (QSA) may interpret the standard differently from another.
PCI DSS is not a complete solution, especially on internal security; it is not a bulletproof solution. The standard misses certain areas, and there are still ways to be compromised. For instance, there is no enforcement of encryption within a network for the transfer of credit card data. I always recommend not stopping once you have achieved compliance. There is always more that a company can do.
Return to the PCI learning guide.