- 6th Feb 2024
- 20:08 pm
- Admin
1. Design Outline
Since the inception of the Payment Card Industry Data Security Standard (PCI DSS), compliance with PCI DSS has steadily increased among organizations that store, process, and transmit cardholder data. The increase in PCI DSS compliance rates can likely be attributed to increased awareness of the standard, evolutions in card brand compliance programs and mandates, and an overall increase in the maturity of PCI DSS. However, despite these improvements, statistics show that most of these organizations still have yet to master ongoing PCI DSS compliance.
If organizations want to protect themselves and their customers from potential losses or damages resulting from a data breach, they must strive for ways to maintain a continuous state of compliance throughout the year rather than simply seeking point-in-time validation. A study conducted by Verizon from 2011 to 2017, on organizations that had a data breach, showed that many of the organizations that were assessed as being non-compliant at the time of their breach had successfully complied during their previous PCI DSS assessment and had lapsed into non-compliance. Through a combination of people, processes, and technology, organizations must incorporate continuous security and compliance practices into their culture and daily operational activities.
The objective of this document is to provide guidance on best practices for maintaining ongoing compliance with PCI DSS. The focus is to provide organizations with recommendations to plan for continuous compliance as opposed to a point-in-time, annual assessment approach.
The information in this document is intended as supplemental guidance and does not supersede, replace, or extend requirements in any PCI SSC standards, nor does it endorse the use of any specific technologies, products, or services. This guidance is intended for organizations seeking to better understand how to maintain compliance with PCI DSS. Examples include merchants, service providers, acquirers (merchant banks), and issuers. This guidance assumes readers are familiar with the PCI DSS requirements, testing procedures, and scoping guidance, and possess a basic understanding of computer information systems, networking technologies, and general IT principles and terminology.
2. Threat
Reliance on the annual assessment may increase the risk of non-compliance between assessments and the risk of subsequent compromise. Establishing an approach and ongoing review processes of all security controls serves to support the organization’s continual compliance and reduces the risk of cardholder data compromise. The following eight key principles are provided in this Information Supplement to help implement and maintain compliance with PCI DSS:
1. Develop and Maintain a Sustainable Compliance Program – For a compliance program to be sustainable, it should be implemented into business-as-usual activities as part of the organization’s overall security strategy. This enables the organization to monitor the effectiveness of its security controls on an ongoing basis and maintain compliance between assessments. The ongoing security of cardholder data should be the driving objective behind all PCI DSS compliance activities—not simply attaining a compliant report.
2. Develop Program, Policy, and Procedures – A PCI DSS compliance program that includes people, process, and technology along with supporting policies and procedures should be implemented to help drive proper behavior and to maintain repeatable business and operational processes.
3. Define Performance Metrics to Measure Success – An effective metrics program can provide useful data for directing the allocation of resources to minimize risk occurrence and measure the business consequences of security events. The organization should carefully define the scope of its information-security measurement based on specific needs, goals and objectives, operating environments, risk priorities, and compliance program maturity.
4. Assign Ownership for Coordinating Security Activities – A specific management-level individual should be assigned responsibility for continuous compliance. Activities might include, but are not limited to, centralized coordination of resources, monitoring, projects, and costs associated with PCI DSS compliance.
5. Emphasize Security and Risk Management to Attain and Maintain Compliance – Compliance does not equal security. While PCI DSS provides a solid baseline of security controls, it should not be considered a single source for addressing all security needs. The focus should be on building a culture of security and protecting an organization’s information assets and IT infrastructure, allowing compliance to be achieved as a consequence.
6. Continuously Monitor Controls – Organizations should develop strategies that align with their business and security goals to continuously monitor, test, and document the implementation, effectiveness, efficiency, impact, and status of controls and activities.
7. Detect and Respond to Control Failures – Organizations should have processes for recognizing and responding to security-control failures promptly. Any control failure could constitute a formal security incident and require a more formal incident response. At a minimum, control-failure response processes should include: minimizing the impact of the incident, restoring controls, performing root-cause analysis and remediation, implementing hardening standards, and enhancing monitoring.
8. Maintain Security Awareness – Social engineering techniques often lead to data breaches and exfiltration of critical data. Organizations should implement a formal security awareness process with content that is kept up to date with the latest trends in breaches.
9. Monitor Compliance of Third-Party Service Providers – Often, organizations will rely on third-party service providers to implement and maintain security controls required to meet PCI DSS. Organizations should develop and implement processes to monitor the compliance status of their service providers to determine whether a change in status requires a change in the relationship.
10. Evolve the Compliance Program to Address Changes – Organizations should evolve their controls with the threat landscape, changes in organizational structure, new business initiatives, and changes in business processes and technologies to ensure these do not negatively impact the organization’s security posture.
3. Compliance with PCI-DSS Requirements
Many organizations see the effectiveness of their PCI DSS security controls and their overall state of compliance decline after the assessment is completed. Reasons for the decline include:
- Pressures to adapt to ever-increasing customer demands and emerging technologies and the resulting changes to an organization’s business goals, structure, and technology infrastructure.
- Organizational complacency, assuming what was good enough last year will be good enough in future years.
- Overconfidence in organizational practices, resulting in a lack of resources devoted to regular monitoring of compliance program effectiveness.
- Inability to assign the right people, tools, and processes, and lack of executive leadership commitment to maintaining compliance.
- Failure to accurately scope the organization’s cardholder data environment (CDE) as business practices evolve with the introduction of new products or services, or acquisitions.
Organizations that focus solely on annual PCI DSS assessments to validate the quality of their cardholder data security programs are missing the intent of PCI DSS to enhance cardholder data security, and likely see their PCI DSS compliance state “fall off” between assessments (see Figure 1). In order to maintain a consistent level of security and compliance, organizations should have a well-designed program of security controls and monitoring practices in place to ensure that the intent of PCI DSS is being met at all times.
Figure 1: Compliancy Curve
Too often organizations rely on the annual assessment and fail to establish effective long-term processes for maintaining the security of cardholder data. The ongoing security of cardholder data should be the driving objective behind all PCI DSS compliance activities—not simply attaining a compliant Report on Compliance (ROC). To ensure the continued viability of the entire payment ecosystem, all payment-industry stakeholders should remember that they must be good stewards of cardholder data if consumers are going to retain trust in using payment cards.
The next section offers a series of best practices that can help organizations maintain a more consistent state of security and compliance, avoid compliance fall-off, and protect themselves and their customers from the loss or improper disclosure of cardholder data.
4. CIS Critical Security Controls (v8)
4.1 Develop and Maintain a Sustainable Security Program
Ongoing compliance requires organizations to first understand that the primary function of PCI DSS is to protect cardholder data, and with it everyone in the payment chain (merchants, service providers, acquirers, issuers, payment brands, and consumers), from damages resulting from the theft or improper disclosure of cardholder data. Cardholder data remains one of the easiest types of data to convert to cash and represents nearly three-quarters of all attacks on retail, hospitality, and food service companies.
It is recommended to store cardholder data and other consumer information only when necessary. Any cardholder data not deemed critical to business functions should be removed from the environment in accordance with the organization’s data retention policies. This helps reduce the complexity and costs associated with protecting this data. In addition, organizations should evaluate business and operating procedures for alternatives to retaining cardholder data.
4.2 Develop Program, Policy, and Procedures
A compliance program is a formalized set of policies, processes, and procedures with assigned accountability within an organization intended to ensure the organization's sustainable compliance with applicable and necessary standards and requirements. A formal compliance program allows an organization to monitor the health of its security controls, be proactive if a control fails, and effectively communicate activities and compliance status throughout the organization.
When designing a compliance program, it is important to understand the differences between these terms and concepts:
- A program typically includes strategic objectives, roles and responsibilities, and a plan to achieve business objectives. For example, a vendor-management program defines the roles and strategy to properly procure, on-board, manage, and off-board third-party service providers.
- A policy typically includes a statement of management intent or rules that must be followed. For example, a password policy defines what constitutes a strong password and the frequency with which passwords must be changed.
- A process/procedure typically outlines the step-by-step tasks that responsible personnel must follow to properly complete tasks that align with the program and supporting policies. For example, a procedure lists the steps needed to encrypt sensitive information before e-mailing it to a service provider.
To facilitate ongoing and sustainable compliance with PCI DSS, the implementation of a compliance program should be supported with policies and defined procedures. Once completed and approved, policies and procedures should be disseminated to all appropriate individuals and business partners to ensure consistent understanding of strategic objectives and implemented processes.
4.3 Develop Performance Metrics to Measure Success
Organizations should have the capability to quantify their ability to sustain security practices and PCI DSS compliance by developing a set of metrics that summarize the performance of the implemented security controls and compliance program. Risk reduction is a key metric for illustrating overall security program effectiveness—but metrics can provide meaningful indicators of security status at other levels within the program as well.
Metrics may be used by compliance managers to prove the effectiveness of security initiatives, allocate resources appropriately, and demonstrate the efficiency and return on security investment to stakeholders. Metrics can be calculated from a combination of security-status monitoring, security control assessment data, and data collected from one or more security controls or technologies.
The collection of metrics alone does not directly result in the ability to maintain PCI DSS compliance. However, when these metrics are analyzed properly, they may provide mechanisms for determining whether sufficient controls are in place and whether they are operating effectively.
4.4 Types of Security Metrics
There is a range of frameworks and options for selecting metrics; however, it is essential that the metrics chosen adequately serve their intended purpose. The maturity of an organization’s information security program largely determines which types of metrics can be gathered. For example, NIST has proposed three types of security metrics: implementation measures, efficiency and effectiveness measures, and impact measures.
Implementation Measures
Implementation measures are used to demonstrate progress in information security programs, specific security controls, and associated policies and procedures. Implementation metrics are usually described in percentages and may include such examples as:
- Percentage of information systems with password policies configured in accordance with policy
- Percentage of web servers configured in accordance with system configuration standards
- Percentage of organizational personnel that have received security training
- Percentage of system-level changes documented and approved by management
Upon initial implementation of a particular control, implementation measures will likely be less than 100%. As security controls mature and results begin to approach 100%, the compliance manager may conclude that systems have fully implemented the security controls addressed by this metric. At that point, any change to the measure (i.e., less than 100%) can be used as a trigger to indicate a failure in security controls.
5. Compliance with GDPR
5.1 Efficiency and Effectiveness Measures
Efficiency and effectiveness measures are used to determine whether program-level and individual security controls are designed and implemented correctly, operating as intended, and meeting the desired outcome. Control efficiency is a qualitative evaluation of the ability of a control environment or individual control to fully address the risk, taking into account control complexity, segregation of duties, and the knowledge and competency of the personnel operating the control. Operating effectiveness, by contrast, evaluates and measures whether the control is consistent, complete, reliable, and operated in a timely manner.
These measures concentrate on the evidence and results of assessments and may require multiple data points qualifying or quantifying the degree to which controls are implemented and the effect(s) on the organization’s security posture. Risk mitigation is also a key metric for determining the overall impact of an organization’s information security program to its business objectives. When evaluating the operating effectiveness of the vulnerability-management program, an organization could measure.
5.2 Metric Reliability
While the establishment and collection of metrics is a key function of determining the capabilities and effectiveness of an organization’s security program, metrics are reliable only when the collection mechanisms or controls on which they depend are implemented correctly. Collecting metrics from poorly implemented security controls is equivalent to using a “broken or uncalibrated scale.” The interpretation of metrics data presumes that the controls directly or indirectly used in the metric calculation are implemented and working as expected. For example, if data output from file-integrity monitoring mechanisms is used to monitor and evaluate change management controls, the metrics data collected is dependent on the proper implementation of the file-integrity monitoring mechanisms. Without the proper implementation and ongoing management of those security controls from which metrics data is collected, it may be difficult or impossible to determine the root cause of any system or security control failures that may have occurred.
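As an added illustration of the implementation-measure trigger described in 4.4 and of the metric-reliability point above (example code written for this page, not part of the PCI SSC supplement), the following Python computes "percentage of systems configured in accordance with policy" from constructed per-system check results, treats any drop from a 100% baseline as a control-failure trigger, and counts systems whose collector reported nothing as unmeasured rather than compliant. The system names, control names and result format are assumptions.

```python
"""Implementation measures with a control-failure trigger (added example)."""
from dataclasses import dataclass


@dataclass
class Measure:
    control: str
    percent: float        # compliant systems / measured systems * 100
    coverage: float       # measured systems / in-scope systems * 100
    failed: list          # measured systems that failed the check
    unmeasured: list      # in-scope systems the collector did not report


def implementation_measure(control, inventory, results):
    """inventory: in-scope system names (constructed); results: {system: {control: bool}}.
    A system with no result is counted as unmeasured, never as compliant: a silent
    collector is the 'broken scale' of the metric-reliability point, not a 100% score."""
    measured, failed, unmeasured = [], [], []
    for system in inventory:
        verdict = results.get(system, {}).get(control)
        if verdict is None:
            unmeasured.append(system)
            continue
        measured.append(system)
        if not verdict:
            failed.append(system)
    pct = 100.0 * (len(measured) - len(failed)) / len(measured) if measured else 0.0
    cov = 100.0 * len(measured) / len(inventory) if inventory else 0.0
    return Measure(control, round(pct, 1), round(cov, 1), sorted(failed), sorted(unmeasured))


def control_failure_trigger(previous, current, min_coverage=100.0):
    """Once a control has reached 100%, any regression below 100%, or any loss of
    measurement coverage, is returned as a reason to start the control-failure response."""
    reasons = []
    if previous is not None and previous.percent == 100.0 and current.percent < 100.0:
        reasons.append(f"{current.control}: regressed to {current.percent}%, failed {current.failed}")
    if current.coverage < min_coverage:
        reasons.append(f"{current.control}: coverage {current.coverage}%, unmeasured {current.unmeasured}")
    return reasons


# Constructed sample data: four in-scope systems across two measurement cycles.
INVENTORY = ["web01", "web02", "db01", "jump01"]
CYCLE_1 = {s: {"password_policy": True, "config_standard": True} for s in INVENTORY}
CYCLE_2 = {
    "web01": {"password_policy": True, "config_standard": False},  # configuration drift
    "web02": {"password_policy": True, "config_standard": True},
    "db01": {"password_policy": True, "config_standard": True},
    # jump01 absent: its collection agent stopped reporting
}


def run_cycles(control):
    """Measure one control over both cycles and return (previous, current, triggers)."""
    prev = implementation_measure(control, INVENTORY, CYCLE_1)
    cur = implementation_measure(control, INVENTORY, CYCLE_2)
    return prev, cur, control_failure_trigger(prev, cur)


if __name__ == "__main__":
    for name in ("password_policy", "config_standard"):
        prev, cur, triggers = run_cycles(name)
        print(f"{name}: {prev.percent}% -> {cur.percent}% (coverage {cur.coverage}%)")
        for reason in triggers:
            print("  TRIGGER:", reason)
```

Reporting coverage separately from the percentage is what keeps a failed collection mechanism from being read as a good result.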
5.3 Emphasize Security and Risk Management to Attain and Maintain Compliance
PCI DSS provides a minimum set of security requirements for protecting payment card account data. PCI DSS controls alone may not be sufficient to adequately mitigate all the risks associated with other types of sensitive data organizations may possess, and should therefore not be used as a comprehensive checklist for addressing all security needs. It is likely that additional controls may be needed depending on the size, complexity, and business model of an organization.
Compliance with industry standards or regulations does not inherently equate to better security. Organizations that focus solely on compliance often do so to the detriment of security. A more effective approach is to focus on building a culture of security and protecting an organization’s information assets and IT infrastructure, and allow compliance to be achieved as a consequence. Using a risk-based approach for selecting security controls allows organizations to tailor specific security controls to meet varying levels of organizational risk.
5.4 Risk Assessments
The requirement for annual risk assessments in PCI DSS Requirement necessitates that organizations “implement a risk assessment process that is performed at least annually and upon significant changes to the environment; identifies critical assets, threats, and vulnerabilities; and results in a formal risk assessment.”
Risk assessments provide valuable information to help organizations determine whether or not additional controls may be necessary to protect sensitive data and other important business assets, and to better understand risks and their impact on key business objectives. The output from risk assessments can enable organizations to prioritize risk-mitigation efforts to address the most critical, compliance-impacting gaps first. Organizations need to be diligent in performing risk assessments to maintain an effective PCI DSS compliance program. However, organizations generally seem to misunderstand the importance of a proper risk assessment. This requirement is among the most often failed controls when assessing PCI DSS compliance.
When conducted regularly and upon any significant change, risk assessments allow organizations to keep up to date with pertinent business-process changes and also provide mechanisms to evaluate those changes against the evolving threat landscape, emerging trends, and new technologies.
Entities should perform a risk assessment as a pragmatic process whenever the potential for risk arises, such as in the case of a data breach, a new technology implementation under consideration, or any significant change. The risk assessment process should be aligned with organizational vulnerability-management and change-management policies and procedures.
The PCI Security Standards Council has published the Information Supplement PCI DSS Risk Assessment Guidelines, which provides further guidance on implementing a formal process to identify threats and vulnerabilities that could impact the security of cardholder data.
6. Conclusions and Recommendations
The frequency of the risk-assessment function is often a determining factor in how effectively an organization can respond to significant changes in business or technological processes. An effective means for conducting risk assessments, beyond the annual risk assessment required by PCI DSS, is to build risk analysis into daily operational activities so that management is informed when events exceed pre-defined risk tolerances. Similarly, risk-assessment discussions should be included as part of business planning, execution, and evaluation meetings.
Incorporating risk analysis into operational-level activities enables risk assessment to become an integral part of a process rather than an additional overhead. Furthermore, continuous risk analysis enables organizations to respond more quickly to changing threats.
In an age in which efficiency is considered a main goal, many organizations may find it necessary to articulate the benefits of improved security in terms that business leaders understand. Unfortunately, most organizations continue to focus on security program cost reduction as the primary metric to define the effectiveness or success of an information security program. At the same time, organizations may also find it difficult to quantify the cost benefits of security efforts; it is a difficult task to calculate the return on security investment in terms that are material to the business without understanding the impact security investments have on achieving the organization’s business goals.
Risk quantification is a much more effective measurement for describing how security efforts contribute to an organization’s bottom line. When risk is used to measure the impact that security efforts have on the achievement of the organization’s key business objectives, it becomes much easier for business leaders to understand how security expenditures provide value. Articulating security in terms of risk reduction, particularly over time, is a more useful method for illustrating the effectiveness of an organization’s information security program. Maintaining compliance with PCI DSS requires resources and financial investment. Using risk as the basis for measuring security effectiveness can make it easier for security teams to justify the expenditures necessary for building a comprehensive security and compliance program.