Organizations’ compliance programs have had to evolve over recent years to incorporate new ways of working, new technologies, and new changes in the threat landscape. However, the fundamental requirements to achieve and maintain compliance have not. Organizations are still required to demonstrate that they have effective compliance programs that mitigate risk, maintain a robust security posture and demonstrate compliance with regulatory and legislative requirements. With changes in the regulatory and legislative landscape approaching for many organizations, Craig Moores, Risk Advisory Senior Director, delves into some of the challenges surrounding PCI DSS compliance and explains how businesses can prepare for the upcoming fourth version.
PCI DSS is a mandatory requirement for any organization that accepts payment card transactions. It’s a piece of legislation that provides insurance of data security and more specifically, cardholder data. However, if you think about compliance programs more widely, they naturally appeal to all sorts of data security. Often organizations will have multiple requirements, particularly if they are operating in different jurisdictions and geographies. PCI DSS provides an important baseline that establishes clear technical and governance structures, and it also increases customer confidence that we are protecting their data. Overall, though, it really aims to reduce the likelihood and potential costs of a data breach.
But complying with PCI DSS can mean different things for different organizations. Whether your primary focus is achieving and maintaining compliance just because you have to; whether you’re doing it to reduce the likelihood of a data breach; or whether you’re using the DSS and its structure to really help focus where security governance and security controls are benefiting your security practice.
Let’s take a look at the three levels, or tiers, of business management and the compliance objectives connected to each of those tiers. The majority of cardholder data management or compliance management would happen at the operational level, the bottom tier let’s say. The operational stakeholders are there to deliver the day-to-day business activities, they manage the operational environment, including third parties, and manage the organizational compliance activities. The middle or tactical tier manages the implementation of compliance initiatives while the top, strategic level sets the goals and objectives for corporate compliance and provides budget, resource and oversight.
Strategic stakeholders often expect return on investment (ROI) for compliance activities and therefore will allocate the minimum required to maintain it. However, when you’re looking at it from a tactical level, you require a level of budget and resource to make sure that you’ve got the right focus and right initiatives to implement and maintain compliance, regardless of what the benefits are for achieving it. While down at the operational level, things are often seen as tick-box or one-off activities. Unfortunately, we’ve got conflicting objectives there but it’s really important that there is synergy, especially for PCI compliance which requires all levels to work together.
The traditional model of the operational, tactical and strategic organization is very much people-driven. The idea of continuous control monitoring gives you a greater opportunity to join up the various things that you do for managing compliance, keep up with evolving needs and ensure that you’re not just doing things for compliance’ sake. Likewise, leveraging automated testing, monitoring and reporting technologies will make this easier and will also be less people and labour intensive. It’s key to look at these things, as we can really simplify operational processes and target reductions in our compliance scope.
As we move forward, particularly with version four of the DSS, one of the things that we’ll see more of is compliance-by-design. This is essentially designing compliance activities around the business. Organizations have always been guilty of trying to over-engineer security into a process retrospectively. It’s one of the shortfalls in the traditional model, where businesses are moving quickly and security isn’t always considered from the beginning. When we try to retrofit security into an existing process, it often creates more of a barrier than it does if you design it into the process from the start.
Version four of the PCI DSS is expected to be released in Q1 2022. It includes a lot of added flexibility such as having the ability to define customized validation routes to meet the intent of security controls, which is great for companies moving to the cloud. We are expecting some, potentially more stringent requirements, and we can expect different frequencies in measuring compliance. It’s likely that a lot of the terminology and clarifications will be updated as well. Certainly, in the request for comments (RFC), there is terminology that appears to have changed. We’re also probably going to see some best practice updates, particularly around authentication and password guidance, but the DSS will continue to promote security as a continuous process.
Compliance-by-design and embedding processes within an organization’s business-as-usual activities, will very much come through in the new version of the standard and will make way for meaningful risk assessments. One of the things that has often been criticized about the DSS in the past is that it doesn’t carry much in terms of risk management, although it is very prescriptive in terms of the controls that are expected and the level at which they’re expected to be implemented.
So, what are the main takeaways from version four? There will definitely be new challenges that we’ll need to deal with such as keeping abreast of the threat landscape and understanding new technologies, particularly around mobile devices, data management and how they can benefit the organization. We need to make sure that we evolve the compliance program to accommodate new changes in the DSS while also making sure that we’ve got a very integrated, holistic and straightforward approach to managing compliance… because it really doesn’t need to be complicated!
Version four will also bring new opportunities. There will be increased awareness, particularly when it comes to cardholder data risks, and there’s the opportunity to have a better understanding of our business operations. It’s important to make sure that the operational, tactical and strategic objectives are more aligned and that we’re all moving in the same direction. If we can achieve that, then we will have a much more efficient approach to executing business processes. In addition, leveraging automation and continuous control monitoring will reduce the need for human intervention in some areas, which will create efficiencies in itself, but it will also ensure that our security controls are embedded and that we form a more effective business culture.
There’s a lot to consider here but don’t forget that PCI DSS version four will come with a transition period where organizations can continue with the program that they already have and be able to still comply with it and be assessed against it.