Thursday, Feb. 1, marked the deadline for businesses to adopt the new industry standard, PCI DSS 3.2, aimed at reducing cyberattacks and promoting a better response to cyberattacks that result in payment data breaches. It was announced in 2016, giving organizations almost two years to prepare for these increased requirements for compliance. Unfortunately, however, a significant percentage of businesses are still not prepared for the change.
One of the major changes inherent in this new standard is the requirement for evidence of continuous compliance, as opposed to the an annual pass-or-fail audit of the past. In an industry that has developed a culture of “compliance cramming”—treating PCI as an annual exam to be passed without working toward a culture of continuous compliance—this new requirement poses a challenge. In fact, according to Verizon’s PCI DSS Compliance report, only 29 percent of companies are compliant a year after validation. This means that many businesses are checking the boxes for PCI DSS compliance off their list, or even just implementing compensating controls, and then forgetting about it until the audit comes around again.
For businesses whose preparation falls into this “annual pass” group, PCI DSS 3.2’s requirement for continuous compliance evidence could be a rude awakening. While successfully demonstrating PCI DSS compliance to an auditor once a year is a big relief, it no longer will be enough, and for good reason. Put simply, it isn’t keeping your business—or your consumer’s card data —safe from security threats year round.
The primary requirements of PCI DSS 3.2 include the expansion of requirement 8.3 to include use of multi-factor authentication for administrators accessing the cardholder data environment and additional security validation steps for service providers and others, including the “Designated Entities Supplemental Validation” (DESV) criteria.
So, what can businesses that have been cramming for compliance audits do now to shift their culture and avoid the hefty fines if found non-compliant and a breach occurs?
Get rid of compensating controls: Ensuring businesses comply with PCI DSS 3.2, not to mention the upcoming GDPR legislation, will include phasing out the use of compensating controls. Many businesses will inquire as to why they should get rid of the controls, as these solutions have been working well for them to date. Because these band-aid solutions aren’t going to work for them long term and could be ineffective after months of working, ensuring compliance is the best way to pass these new standards.
Make compliance a priority: This culture of cramming compliance was created because it wasn’t a priority within businesses to ensure the regulations were followed. PCI DSS isn’t designed to be painful for businesses to implement, but rather to protect customers and businesses. With the increase in data hacks and new compliance standards, it makes sense to bring compliance into the company goals for the CIO, or perhaps even hiring a Chief Security Officer tasked with making sure both consumer information and the business’s reputation are protected. Brands should be adjusting budgets to make sure compliance is included as a defense against future income loss. If a hack occurs and the business isn’t compliant, the fines could be severe—even without the loss of potential business.
Take it a step at a time: If not done already, companies should review the requirements and perform an assessment to see where there are weaknesses or evidence of non-compliance. Next, businesses need to work through the six milestones to achieve all 12 PCI DSS requirements and their sub-requirements. These include:
Remove sensitive authentication data and limit data retention.
Protect systems and networks, and be prepared to respond to a
Secure payment card applications.
Monitor and control access to your systems.
Protect stored cardholder data.
Finalize remaining compliance efforts, and ensure all controls are in place.
It will be impossible to be compliant overnight, but companies need to start making headway on these milestones to move towards full and continual compliance.
Being PCI-compliant is a constant process. The annual assessment has, to date, only been able to check that the correct processes are in place—and even then, many companies have struggled to ensure continuous compliance. Data taken from a 2017 report found that at the time of data breach, the average merchant was not compliant with almost half (47 percent) of current PCI DSS requirements. PCI DSS 3.2 will change that approach, requiring evidence that device inventories and configuration standards are kept up to date, and security controls are applied where needed.
Companies should no longer rely on outdated workarounds such as pause-and-resume. The recent spate of high-profile security has thrust this issue into the spotlight but this new standard will ensure it stays front of mind for the industry at large.