5 PCI-DSS Compliance Questions Every Security Analyst Should Ask

If your organization accepts payment cards for goods or services of any kind, you are almost certainly required to comply with the Payment Card Industry Data Security Standard (PCI-DSS). This framework of security requirements and best practices applies to the storage, processing, and transmission of cardholder data, and its purpose is to protect that data at every point in the payment transaction.

Compliance with PCI-DSS has always been a demanding exercise, and it has frustrated many of the organizations responsible for maintaining it. Verizon has documented that experience in its annual Payment Security Report (PSR). Verizon has published the PSR since 2010, tracking PCI-DSS compliance on a global scale using data from the PCI-DSS assessments its qualified security assessors perform for customers. The report offers a useful picture of how well organizations around the world are actually able to sustain PCI-DSS. In its 2019 report, Verizon found that only 37.6 percent of organizations were fully compliant, continuing a downward trend that began in 2016.

With just over a third of organizations actively maintaining PCI-DSS compliance according to Verizon's results, you have to ask yourself: what should I be doing to make sure my organization is compliant? Here are five questions you can ask to check that you are meeting PCI-DSS requirements.

Does my organization have a PCI-DSS compliance program?

It seems like a simple question, because it is. But answering it honestly is a crucial first step toward compliance with PCI-DSS, or with virtually any other compliance framework. Many organizations rush to implement controls and security programs that look good at a glance without first considering their environment, their business-specific risks, and the needs of the organization.

Performing a thorough risk assessment and feeding its results into the design and implementation of the compliance program helps ensure that your organization does not end up among the majority that Verizon found to be only partially compliant. PCI-DSS itself expects this: version 3.2.1 requires a formal risk-assessment process that is performed at least annually (Requirement 12.2).

Does my organization measure its program against any kind of maturity model to show where we are?

Organizations that measure themselves against a security maturity model are more likely to reach and sustain compliance, because the model forces them to understand the current maturity and effectiveness of their program and gives them a path to improve. The weakness of a "set it and forget it" mentality is that the program neither evolves with the organization or the standard nor creates any such path.

Curious where your program stands? Check out LogRhythm's free self-assessment tool to gauge your organization's security maturity level.

My organization has a program. We understand our maturity level, but how can I, as a security analyst, help?

Any PCI-DSS program will require you to maintain network security controls such as firewalls, protect stored cardholder data, encrypt transmissions of that data across open, public networks, restrict access to it on a business need-to-know basis, and track and monitor all access to network resources and cardholder data (Requirement 10). As the analyst watching the SIEM, you are in a unique position to be the real-time check on every one of those controls.
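As an added example (not code from the original post or from the LogRhythm module), the following Python scanner shows one such real-time check: detecting primary account numbers (PANs) that have leaked into clear-text application or database logs, which violates the requirement to protect stored cardholder data. Candidate digit runs are validated with the Luhn check so that timestamps and order IDs do not fire, and each hit is reported masked to the first six and last four digits (the most PCI-DSS allows to be displayed), so the alert itself does not expose cardholder data. The log lines are constructed for this example and use the industry's well-known test card numbers rather than real PANs.

```python
"""
Added example: find Luhn-valid PANs in log lines and report them masked.
Not LogRhythm module content; the sample log below is constructed.
"""
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, with no digit immediately before or after the run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits; everything else becomes '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    masked_pan: str
    redacted_line: str  # the log line with every PAN already masked


def redact_line(line: str):
    """Return (redacted_line, [masked PANs]). Non-PAN digit runs are untouched."""
    found = []

    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            masked = mask_pan(digits)
            found.append(masked)
            return masked
        return m.group(0)  # e.g. an epoch timestamp that fails Luhn

    return PAN_CANDIDATE.sub(repl, line), found


def scan_log(lines):
    """Scan an iterable of log lines; one Finding per Luhn-valid PAN."""
    findings = []
    for n, line in enumerate(lines, 1):
        redacted, masked = redact_line(line)
        for pan in masked:
            findings.append(Finding(n, pan, redacted))
    return findings


# Constructed sample log. Card numbers are the standard Visa, Mastercard and
# American Express test numbers; the other long digit runs are decoys.
SAMPLE_LOG = [
    "2020-03-31T12:00:01Z app01 checkout: order=88213 card=4111 1111 1111 1111 status=approved",
    "2020-03-31T12:00:02Z app01 checkout: order=88214 status=declined ts=1585699200000",
    "2020-03-31T12:00:03Z db02 debug: INSERT INTO payments VALUES (5555555555554444, 12.50)",
    "2020-03-31T12:00:04Z app01 checkout: order=88215 ref=1234567890123456 status=approved",
    "2020-03-31T12:00:05Z gw01 amex auth request pan=378282246310005 amount=199.00",
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: PAN {f.masked_pan} in: {f.redacted_line}")
```

Lines 2 and 4 contain 13- and 16-digit runs that fail the Luhn check, so only the three real test numbers are reported. In production you would also restrict candidates by known issuer prefixes, try shorter windows inside longer digit runs, and route the finding to a case that tracks remediation of the logging defect, because the SIEM itself is in scope once PANs land in it.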

LogRhythm has an entire PCI DSS module dedicated to helping analysts and the rest of the security team take an active part in their company's compliance initiatives. The module offers over 70 AI Engine™ rules, predefined investigations, and detailed reports to help you maintain your compliance program, evaluate your maturity, and move your organization forward.

I just became compliant with the latest standard and new standards are already being released. How am I supposed to keep up with compliance?

The good news is that the PCI Security Standards Council (PCI SSC) has stated that the 12 core requirements of the DSS are not expected to change fundamentally in version 4.0, because they have proven to be a sound foundation for securing payment card data. Additionally, LogRhythm Labs tracks changes in the compliance landscape to keep our customers and our module content current with the latest requirements.

What’s next for PCI-DSS?

PCI-DSS is always evolving, and PCI SSC is currently revising the standard to version 4.0. The first draft is in its public request-for-comments period, and the final version of the standard is expected to be released in late 2020.

Odds are, if you deal with PCI-DSS, you have caught yourself asking at least one of the questions above, and that is a good thing: it means you are asking the important and difficult questions about compliance. LogRhythm Labs releases content aimed at keeping customers informed about the latest security and compliance activity and equipped to handle the challenges it poses. Stay tuned for new blogs and module content updates related to PCI-DSS 4.0!