4 PCI DSS Compliance Questions Every Security Analyst Should Ask


If you are involved in taking payment for a good or service of any kind, you are likely required to comply with the Payment Card Industry Data Security Standard (PCI DSS) requirements. This comprehensive security framework and compilation of best practices applies to the storage, transmission, and processing of credit and debit card information to ensure the security of the information involved in those transactions.

Compliance with PCI DSS requirements has always been a demanding exercise that has frustrated many organizations responsible for maintaining compliance. Verizon has echoed that sentiment in its recurring Payment Security Report (PSR). Verizon has been publishing the PSR since 2010, tracking organizational compliance with PCI DSS on a global scale using customer surveys. The report provides valuable insights into how well organizations across the globe are able to apply PCI DSS. From 2016-2019, there was a downward trend in full compliance that hit a low of 36.7%. Since that time, the trend has thankfully reversed, with full compliance back up to 43.3%.

With the number of companies that aren’t reaching full PCI DSS compliance according to Verizon’s results, you have to ask yourself: what are some key things I should be doing to make sure my organization is compliant? Here is a list of four key questions you can ask to ensure you are meeting PCI DSS requirements.

1. Does my organization have a PCI DSS compliance program? 

It seems like a simple question, because it is! But this simple question is a crucial step in becoming compliant with PCI DSS requirements or virtually any compliance framework. Many organizations rush to implement control practices and security programs that look great at a glance without appropriately considering their environment and business-specific risks, as well as the needs of the organization.

Performing a thorough risk assessment and incorporating its results into the design and implementation of a compliance program will help ensure that your organization isn’t included in the large percentage of organizations that Verizon found to be only in partial compliance.

2. Does my organization measure its program against a maturity model? 

Organizations that use security maturity models are more likely to be in compliance, or to reach an appropriate level of compliance, because the model encourages them to understand the current maturity and effectiveness of their program and provides a pathway to improve! A weakness of the “set it and forget it” mentality is that the program will not evolve with the organization or its standards, and it won’t create a pathway for improvement.

Curious where you stand in your maturity? Check out LogRhythm’s free self-assessment tool to verify your organization’s security maturity level. 

3. My organization has a program. We understand our maturity level, but how can I help? 

As a part of any PCI DSS program, you will need to monitor your network activity, protect cardholder data, encrypt transmissions of that data, and restrict access to all of that data. As an analyst monitoring a security information and event management (SIEM) platform, you have the unique opportunity to be the real-time check on all of these elements of compliance!

LogRhythm has support for PCI DSS requirements in all of our platforms, dedicated to helping analysts and all members of the security team take an active part in the compliance initiatives of their company. Our support includes AI Engine™ rules, predefined investigations, and detailed reports that help you maintain your compliance program, evaluate your maturity, and work toward moving your organization forward.

4. What’s next for PCI DSS requirements? 

PCI DSS requirements are always evolving, and PCI DSS just recently went through an update and is now on version 4.0. This version of PCI DSS doesn’t introduce massive changes, but it does bring some exciting ones. The changes to the standard itself centered around the evolving threat landscape and how best to continue to protect cardholder information. This includes phishing awareness and cloud security considerations, as well as enhancements to existing activities like risk assessment. Another large change is the added flexibility for organizations to meet the compliance standard by following a “customized approach,” which gives organizations the ability to define controls that meet the stated PCI DSS objectives without adhering specifically to the prescribed controls of the framework.

PCI DSS requirements will continue to evolve over time to adapt to the evolving security landscape and the needs of protecting cardholder information. LogRhythm Labs is constantly keeping up with changes in the compliance realm to ensure our customers and our module content are up to date with the latest requirements.

Odds are, if you deal with PCI DSS, you have probably caught yourself asking at least one of the above questions, and that’s a good thing! It means you’re asking the important and difficult questions when it comes to compliance. LogRhythm Labs releases content aimed at keeping customers informed on the latest security and compliance activity and enabling them to handle any challenges those activities pose.

To learn more about how you can comply with PCI DSS requirements, read this blog on how to get started.