Last month, CSA Cyber’s very own senior consultant and compliance expert Sam Greaves presented his talk, “Streamlining PCI Compliance in a Cloud-Native & Serverless World”, at PCI London 2025. Filled with vital information for all companies that process, store, or transmit credit card information, Sam covered everything from the implementation of continuous compliance to leveraging cloud-native solutions. For those who did not attend the talk, this blog covers the key takeaways to ensure PCI compliance is not just a tick-box exercise.
PCI DSS 4.0.1 compliance deadline approaching (31st March 2025)
The PCI Council began drafting the latest version of their Data Security Standard (PCI DSS), known as version 4.0, in 2019 with the completed set of standards being announced in 2022. A transition period began, where these standards were officially labelled as best practice, with some transitioning to requirements in March 2024 and the remainder becoming requirements at the end of March 2025.
All businesses that process payment data must comply with the new PCI DSS requirements, of which there are dozens. Important examples include the implementation of automatic processes to detect and protect personnel against phishing attacks, the mandatory authorisation of all payment page scripts, and the implementation of a change and tamper detection mechanism for payment pages.
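To make the script-authorisation and tamper-detection requirements concrete, here is an added example (not from Sam's talk or any CSA Cyber tooling) in Python: it compares the scripts a payment page actually loads against an inventory of approved script URLs and SHA-256 hashes, and flags anything unapproved or changed. The page, the inventory, the script bodies and the URLs are all constructed sample data; a real deployment would fetch the live page and its scripts on a schedule.

```python
import hashlib
from html.parser import HTMLParser

# Constructed inventory (hypothetical URLs): scripts reviewed and authorised for the payment page.
AUTHORISED_EXTERNAL = {  # external scripts are pinned to a SHA-256 of the approved content
    "https://cdn.example.com/checkout.js": hashlib.sha256(b"console.log('checkout v1');").hexdigest(),
    "https://psp.example.com/iframe-sdk.js": hashlib.sha256(b"window.PSP = {};").hexdigest(),
}
AUTHORISED_INLINE = {hashlib.sha256(b"document.title = 'Pay';").hexdigest()}  # inline blocks by hash
# Constructed script bodies standing in for an HTTP fetch (offline): PSP SDK drifted, tag unapproved.
FETCHED = {
    "https://cdn.example.com/checkout.js": b"console.log('checkout v1');",
    "https://psp.example.com/iframe-sdk.js": b"window.PSP = {}; /* changed since review */",
    "https://analytics.example.net/tag.js": b"/* not in the inventory */",
}
# Constructed payment page that loads every fetched script plus one inline block.
SAMPLE_PAGE = ("<html><head>" + "".join(f'<script src="{u}"></script>' for u in FETCHED)
               + "<script>document.title = 'Pay';</script></head><body></body></html>")

class ScriptCollector(HTMLParser):  # gathers external script URLs and inline script bodies
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            self._buf = None if src else []  # capture the body only for inline blocks
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf).strip())
            self._buf = None

def audit_payment_page(html, fetched, authorised_external, authorised_inline):
    """Return (identifier, status) pairs; status is 'ok', 'unauthorised' or 'modified'."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        expected = authorised_external.get(src)
        actual = hashlib.sha256(fetched.get(src, b"")).hexdigest()
        status = "unauthorised" if expected is None else "modified" if actual != expected else "ok"
        findings.append((src, status))
    for body in collector.inline:
        digest = hashlib.sha256(body.encode()).hexdigest()
        findings.append(("inline:" + digest, "ok" if digest in authorised_inline else "unauthorised"))
    return findings
```

Run on a schedule and alert on any finding other than "ok"; a drifted hash after a legitimate release is the signal to re-review the script and update the inventory.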
The pitfalls of an “annual compliance” approach
Compliance is not many people’s idea of fun, and a common view is that it is something only worth thinking about when they absolutely need to. Many organisations only focus on compliance when an audit is near, leading to "compliance chaos" due to the implementation not being factored into long-term planning.
This reactive approach often results in:
- Emergency fixes that disrupt business operations.
- Duplicated efforts when addressing multiple standards (e.g., PCI DSS, ISO 27001, Cyber Essentials).
- Increased costs due to last-minute remediation efforts.
Continuous compliance as a solution
An alternative to dealing with compliance tasks only on an annual basis is to implement a continuous compliance strategy. This essentially means always having compliance standards in mind when carrying out any activity, rather than doing activities first and making them compliant later, when an audit is due.
There are several benefits to taking a continuous approach:
- Integrating compliance into daily operations reduces the burden of annual audits.
- Continuous compliance helps businesses proactively identify and remediate security vulnerabilities.
- Required evidence is more readily available when utilising continuous compliance, eliminating last-minute scrambling.
Addressing compliance across multiple standards
One of the challenges with compliance is that businesses are often subject to multiple standards depending on their industry, location, and organisational structure. Not only does this mean there are potentially hundreds, if not thousands, of individual rules to follow, but many frameworks, such as PCI DSS, ISO 27001, and Cyber Essentials, share overlapping requirements. For example, policies relating to data protection can be found in a variety of different frameworks.
A continuous approach to compliance allows organisations to tackle these simultaneously, reducing duplicated work. As an example, two different compliance frameworks, with audits at slightly different times of the year, may require almost identical reports on a subject to be written. A continuous compliance approach makes it more likely for these duplications to be spotted, so that the same report can be used to cover both compliance requirements.
Complexity of cloud compliance
Technological advancements always impact compliance. In many ways digital technologies have made compliance easier, for example by removing the need to rely on access to physical documents that could be misplaced. However, technology also brings challenges. A prime example is cloud computing, which is used to some degree by most businesses.
Most of the complexity around cloud computing comes from the fact that an organisation’s data is often hosted by third-party providers, which blurs the line between compliance responsibilities. The Shared Responsibility Model divides compliance tasks between cloud providers and customers: the provider is responsible for “security of the cloud” (e.g. infrastructure) and the customer for “security in the cloud” (e.g. updates, backup, and password management).
As opportunities for confusion abound, organisations must ensure they meet their specific obligations within cloud environments. Public cloud providers (AWS, Azure, Google Cloud) offer Attestations of Compliance (AoCs), but these do not cover an organisation’s own responsibilities.
Leveraging cloud-based compliance tools
The cloud may bring an added dimension of complexity to compliance, but it should not be written off, as it can in fact simplify and automate compliance in a variety of ways. Different providers have their own features and associated benefits. As an example, Microsoft Azure Policy provides:
- A unified dashboard to track compliance gaps.
- Insights into which responsibilities belong to the cloud provider versus the business.
- Automated policy enforcement to ensure continuous compliance.
With so many organisations using cloud computing, there is no reason that they should experience the complexity without also obtaining the benefits, by exploring the full features that these providers have to offer.
Beyond compliance – strengthening security
As previously stated, compliance should not just be about checking boxes. Rules and regulations may appear burdensome, but there is always a logic to them. In the case of PCI DSS, the goal is to protect the payment data of customers and organisations. However, when an organisation only takes the annual compliance approach, they are leaving the door open to cyber threats by only doing the bare minimum of protection.
Compliance should enhance an organisation’s overall cyber security posture, and the continuous approach more readily achieves that. Continuous compliance enables real-time monitoring of security risks and proactive threat mitigation, meaning the regulations that groups like the PCI Council set out are achieving their goal, rather than just being another hoop to jump through.
Strategic Implementation is Key
Technology is clearly essential for continuous compliance, such as through the implementation of automation tools to streamline processes. However, technology alone isn't enough, as organisations need expertise and a clear strategic vision to successfully implement continuous compliance.
These need to be present at every stage of the process, which should begin with an assessment of the organisation’s current compliance gaps and security risks. Expert guidance should also be sought to ensure compliance without disrupting business operations, as the fear of such disruption is one of the big barriers to switching from an annual mindset to a continuous one. Compliance standards should also be constantly reviewed to anticipate upcoming changes, so that new regulations are incorporated into operations well before they become mandatory.
Getting Started with Continuous Compliance
Successfully implementing continuous compliance, whether it be for PCI or any other framework, can be daunting. The regulations need to be implemented but the fear of making a mistake can result in avoiding making decisions at all. Fortunately, you do not need to go through it alone.
CSA Cyber, in partnership with FluidOne, offers tailored solutions for PCI DSS, ISO 27001, and Cyber Essentials compliance consultation. Our in-house experts can assess your current status and your goals, develop a long-term strategy, and provide implementation advice. Through utilising our consultancy services, compliance regulations will serve their intended purpose and strengthen your cyber security posture. To find out more, reach out to our experts.