Compliance is a day-by-day security process.

Brand Barney, Security Analyst, SecurityMetrics
PCI compliance isn’t an event. It’s an ongoing process! Lots of people believe they can ‘finish’ or ‘complete’ PCI requirements, but it doesn’t really work like that. A submitted Self-Assessment Questionnaire (SAQ) is only as good as the proactive, ongoing security of the business behind it.

I think Bob Russo, head of the PCI Security Standards Council said it best.
“Organizations must not take solely a checklist approach to security, or rely on periodic validation on a specific day as their security goal, but must instead exercise continuous vigilance and maintain a strict security program that ensures constant and ongoing PCI DSS compliance.”

How exactly are you supposed to maintain PCI requirements?

  • Ensure your security policies are updated. Anytime you change the way you store, process, or transmit cardholder data, update those policies to reflect the changes!
  • Train your employees. While training new (and current) staff members, remind them about the rights and wrongs of correct card data handling.
  • Update your SAQ if things change. If anything in your card processing environment changes, your SAQ is no longer valid! Update and resubmit your SAQ for best results.
  • Run external vulnerability scans. If your business is required to scan for vulnerabilities, make sure scans run at least quarterly and when you make any network changes. (Do you see a pattern yet?)
  • Understand where your credit card data is stored. One of the reasons it’s hard to maintain compliance is because businesses accidentally store unencrypted card data. Identify unencrypted card data with card discovery tools like PANscan®.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.