When we go out shopping, we have certain expectations. One of these is that our payment card data will be treated with a certain level of responsibility. Expecting our data to remain safe should be a foregone conclusion, but it isn't always. That's what the Payment Card Industry's (PCI) standards are out to help ensure. These are stringent standards, and for businesses, living up to those standards is seldom easy. Many businesses actually fail on some points, but shoring up those points can be a huge boost to revenue for the mid-market business.
Why Do Companies Fail PCI Compliance Testing?
Since PCI compliance is a complex process that requires success in a wide range of areas, there are many reasons why companies fail PCI compliance testing.
Lack of maintenance
While many companies achieve annual PCI compliance, as measured against the PCI Data Security Standard (DSS), around 89% of companies will fail to maintain that status throughout the year. A recent Verizon report made it clear: this lack of attention means that major security threats like data breaches will pose significant risk, and leave companies in a bad position when the next round of testing comes around.
Partial compliance isn't compliance
That same Verizon study found that over 82% of companies were compliant with around eight in 10 requirements when annual assessments came around. These companies needed an average of three months to seal up the relevant gaps, which represents about three months that customer data is going without the fullest level of protection. So while companies are often close to PCI compliance, they're still lacking.
Many companies have particular problems when it comes to PCI compliance, the Verizon study found. Protecting data at rest was a common issue, as was overall security testing and monitoring of security controls. Simply detecting compromised systems was a frequent problem, as was the overall response. This is -- in a way -- good news: when the same things regularly go wrong across a large body of organizations, it becomes that much easier to point out what to watch out for.
How Can Companies Fill in the Gaps to Better Achieve PCI Compliance?
Knowing what's wrong is unquestionably the first step to fixing the problem.
We've just seen from the Verizon study that companies tend to treat PCI compliance like it's an annual event, or a one-time function. PCI compliance is the kind of thing that should be addressed the whole year through. The better a job that companies can do in making their preparations ongoing, the better their chances of being not only PCI compliant this year, but PCI compliant next year.
Staging your own PCI compliance testing can be a help, especially between the annual compliance tests. Some suggest quarterly testing, and using a Qualified Security Assessor -- one who's been trained by the PCI Security Standards Council -- is an excellent way to help ensure that things stay up to snuff between tests.
Start with the network
The way the network is built has a direct impact on how it's protected, and on whether or not it can live up to PCI compliance standards. Check the overall configuration of the network: is the firewall fully operational and running? Are there clear access control lists (ACLs) in place on the network's various devices? Consider also establishing a “PCI Only” network segment which encompasses all PCI-related devices. This helps ensure that the parts that actually need protection are, in fact, protected. Why put everything under PCI protection when not everything needs to be?
Look into encryption
While many security operations treat perimeter defense as the main focus, often to the exclusion of everything else, encrypting data makes it much more secure. PCI compliance places real emphasis on strong encryption for data in transit, and encryption also helps ensure that even if there is a breach of some kind, what's taken will be largely worthless without the necessary decryption key.
Sweat the small stuff
Many companies that run afoul of PCI compliance are tripped up by simple issues. Check your controls on basic operating systems like Windows and Unix: think about password requirements, audit logging, and how you respond to failed logins to give your company its best chance at PCI compliance.
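As an added illustration (not part of the original article), here is a small failed-login monitor of the kind that turns "how you respond to failed logins" into something you can actually check: it parses sshd-style auth log lines, tracks consecutive failures per account and source, and flags any streak that reaches a lockout threshold within a time window. The log lines are constructed samples, and the threshold of six attempts within 30 minutes is an assumed policy value, not a figure from the article.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log lines (sshd style); not taken from any real system.
SAMPLE_LOG = """\
Mar  3 10:01:02 pos-srv1 sshd[2101]: Failed password for clerk from 10.0.5.23 port 50122 ssh2
Mar  3 10:01:09 pos-srv1 sshd[2101]: Failed password for clerk from 10.0.5.23 port 50122 ssh2
Mar  3 10:01:15 pos-srv1 sshd[2101]: Failed password for clerk from 10.0.5.23 port 50122 ssh2
Mar  3 10:01:22 pos-srv1 sshd[2101]: Failed password for clerk from 10.0.5.23 port 50122 ssh2
Mar  3 10:01:30 pos-srv1 sshd[2101]: Failed password for clerk from 10.0.5.23 port 50122 ssh2
Mar  3 10:01:41 pos-srv1 sshd[2101]: Failed password for clerk from 10.0.5.23 port 50122 ssh2
Mar  3 10:05:00 pos-srv1 sshd[2140]: Failed password for admin from 10.0.5.40 port 50201 ssh2
Mar  3 10:05:12 pos-srv1 sshd[2140]: Accepted password for admin from 10.0.5.40 port 50201 ssh2
Mar  3 11:30:00 pos-srv1 sshd[2310]: Failed password for invalid user test from 10.0.5.23 port 50300 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

def parse_events(log_text, year=2024):
    """Yield (timestamp, result, user, src) for every sshd password event in the text."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log lines are skipped, not treated as errors
        # syslog lines carry no year, so one is supplied by the caller
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["src"]

def lockout_candidates(log_text, max_attempts=6, window=timedelta(minutes=30)):
    """Return {(user, src): failures} for accounts whose consecutive failed logins
    reached max_attempts inside `window` (assumed policy; a success resets the streak)."""
    streaks = defaultdict(list)  # (user, src) -> timestamps of the current failure streak
    flagged = {}
    for ts, result, user, src in sorted(parse_events(log_text)):
        key = (user, src)
        if result == "Accepted":
            streaks[key].clear()  # a successful login ends the streak
            continue
        streak = streaks[key]
        streak.append(ts)
        while streak and ts - streak[0] > window:
            streak.pop(0)  # only failures inside the window count toward lockout
        if len(streak) >= max_attempts:
            flagged[key] = max(len(streak), flagged.get(key, 0))
    return flagged
```

In practice the flagged pairs would feed an alert or an automatic lockout rather than just a dictionary, but the same streak-and-window logic applies whatever the log source.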
Check your policies
Achieving PCI compliance depends on, among other things, the establishment and use of an Information Security Policy. This policy needs to cover a wide range of fronts, including documentation of network configurations, antivirus deployment, physical security and beyond. All the processes that are subsequently carried out need to be documented as well, and the documentation must be reviewed annually to help ensure that it stays sufficiently up to date.
Don't forget the boxes
While many PCI compliance issues relate to software and network configurations, it's also important to remember the physical hardware on which that software and network run. Keep a close eye on how your servers are housed: if there are physical protection measures in place, such as badge-in requirements, a desk staffed by a security guard, a physical key or, best of all, a combination of these, then you're more likely to be PCI compliant. Also, don't forget security cameras; these are a requirement as well.
How Do I Get Started Ensuring PCI Compliance?
Achieving PCI compliance is an ongoing process that takes a lot of time, effort and resources to make happen. But no company achieves this level of data protection without starting somewhere, and a great place to start is with us at UTG. We understand the unique concerns of mid-market businesses, especially as these relate to the pursuit of PCI compliance. Whether you need managed solutions, security help, or a general overview of how to reach the top of PCI compliance, start out by dropping us a line today.