PCI SCC Turns 10: A Look at Its Strengths and Weaknesses

Ten years have passed since the implementation of PCI DSS, designed to bolster security of payment cards. How effective is it?

For an industry to assess how well it’s doing, there needs to be an objective standard against which to make that judgment. The PCI DSS has set that bar.

The PCI DSS has served as an effective starting point for many organizations that are looking for a baseline to protect their customers’ payment card information. The process of identifying where payment card data lives, targeting vulnerabilities that could enable a compromise, remediating those vulnerabilities and reporting to acquiring banks and card brands is a fundamental aspect of a strong information security program.

The PCI SSC constantly updates the PCI DSS so organizations can stay ahead of the latest threats and better protect their customers’ payment card data, even as their business environment becomes more complex. Since 2006, when the first version of the PCI DSS was released, the PCI SSC has updated it seven times. The constant change is necessary to keep up with the evolving technical and business environment; however, it also can pose a significant challenge, especially to smaller merchants who are struggling to keep up.

The PCI DSS mandates that organizations perform quarterly vulnerability scans and report their remediation results to auditors. The scans are in addition to the comprehensive annual PCI DSS assessments. With or without these requirements, organizations should follow best practices on a continuous basis. For those that do not, at least customers are ensured that a minimal amount of attention is being paid to identify and remediate vulnerabilities a few times a year.

The latest version of the PCI DSS, PCI DSS 3.2, adds a requirement for third-party service providers—which, as demonstrated by the rash of high-profile breaches during the past few years, continue to be a weak link for information security. PCI DSS 3.2 mandates that service providers perform quarterly reviews to ensure personnel are following security policies and operational procedures. Providers are also required to perform penetration testing on segmentation controls at least every six months.

Too many organizations still approach PCI DSS compliance with a check-the-box mentality, often going through the motions to meet the requirements and not practicing good cyber-security hygiene overall. Organizations need to approach cyber-security from a risk-based point of view, making cyber-risk management a continuous priority as they do all other operational risks.

Large organizations with distributed legacy environments (such as multiple generations of point-of-sale systems located in hundreds of stores, running on proprietary terminals) struggle to maintain compliance with the ever-evolving PCI DSS. When the standard is updated, organizations scramble to make sure their technologies and security controls are also updated to comply, which is a tricky task when the environment is distributed globally. If organizations implement strong cyber-security protections from the get-go, then they can stay ahead of the curve of PCI DSS compliance.

For many organizations, reporting on compliance quarterly and annually is a time-consuming, manual task that involves extracting data into spreadsheets that are stitched together to present to auditors. Manually compiling cyber-risk information into various spreadsheets is a daunting, distracting, resource-intensive effort that forces security teams to take their eyes off the ball of protection. Cyber-risk reporting must be automated, not only for PCI DSS auditors but, more importantly, so that security executives, line-of-business application owners and boards of directors understand how well they are protecting their crown jewels.

In addition to the effort and distraction of manually compiling PCI DSS compliance reporting, inevitably, errors and bias will creep into the data. In some cases, organizations run out of time to collect the data and, therefore, use outdated information from past reports. If organizations adopt automation for collecting, analyzing and reporting cyber-risk information, then all stakeholders will be working off the same set of data.

The PCI-DSS compliance process requires coordination between compliance, security, IT and line-of-business application owners. Often, the dance between these many parties is broken, resulting in firefighting and last-minute reactive activity. To stay ahead of the game, line-of-business application owners should be made an integral part of protecting the applications and data that they own, and not just a peripheral sign-off along the way.