Beyond the ROC: Easy (and Affordable!) PCI Compliance Maintenance
When we look at how companies approach getting their PCI DSS Report on Compliance (ROC), we find it is typically handled as a “project.” Often this “project” (or group of “projects”) is signed off on by the C-suite. Next comes vendor selection: choosing one of the Big Four accounting firms to run a readiness assessment before the Qualified Security Assessor (QSA) arrives onsite, so that the business is positioned to pass.
Because these projects cut across most of the company, they often carry a price tag in the multiple millions. Part of the reason is that none of the Big Four know your company, so they cannot know your cardholder data environment without seeing it, and they need to see it to gather the evidence the QSA will require. Collecting that evidence during the pre-assessment and cataloging it properly is the bulk of the work they perform. Gathering it for the accounting firm places a heavy burden on many IT departments, including information security, ecommerce, networking, data center staff, and personnel at international sites.
What Happens Next?
Once you’ve earned your PCI DSS compliance validation for the year, now what? Most companies at this point go back to business as usual, focusing on how and where to make their next dollar. Some IT processes continue regardless: vulnerability management and patching, network change control, network reviews, access reviews, logging, and monitoring, among others. All too often, however, the compliance team or internal PCI team backs off from the various IT teams so they aren’t bothered with cumbersome compliance tasks and can focus entirely on business development.
This is when little things start falling through the cracks over the year. Maybe an architecture drawing is never updated, so a new system is deployed without proper monitoring. Or a source code repository is stood up without file integrity monitoring. It could be anything, and any of it can take a company out of PCI DSS compliance, which is ultimately what forces businesses to stand up expensive pre-assessment projects year after year.
Small Steps toward a Big Project
So how can a company avoid calling a Big Four assessor back and paying them millions year after year? It starts with putting check points into your governance, risk, and compliance (GRC) or workflow system. Ask the various IT teams every 30 days, or every quarter, for evidence against particular PCI DSS requirements. These check points can be as simple as an automated ServiceNow or JIRA ticket telling a network engineer or DevOps engineer to provide a specific artifact: an access review, a network diagram, or another piece of evidence. Doing this small thing helps ensure your PCI DSS compliance never becomes a “project” again, and it can save millions of dollars year over year.
With all of this in mind, it’s important to know what your cardholder data environment (CDE) is. After all, scoping the PCI DSS ROC is roughly 80 percent of the battle. This is an exercise where your compliance team sits down with the various business units to identify every system or service that stores, processes, or transmits cardholder data. Then there’s the “connected-to” challenge: any system that connects to a CDE system, or that could affect the security of the CDE, is also in PCI DSS scope, even if it never touches card data itself.
How can you keep the reins on all of that at once?
Year-Round CDE Maintenance
There’s clear benefit to understanding your CDE year round. One analogy I like to use: you’ve paid a painter to paint your house. The morning the work is due to start, you hear loud noises outside. When you go out to check on the progress, the painters are indeed there and doing their job, except they are doing the job you paid for on your neighbor’s house. Your neighbor is irate as well; while he appreciates the new paint job, it’s not the color he wanted.
Likewise, if your infosec and other IT teams are doing all of the proper security work, but on parts of the environment that are not in PCI scope, how can they be certain they are applying the correct security controls (the paint color)? And how do they know they are applying them to the right data (the house)?
This is where technology such as PK Discovery and PK Masking, part of our PK Protect data security and protection suite, can help. PK Discovery can tell you exactly where your credit card data sits. Fake card numbers used in test environments are located and flagged as not legitimate. If PK Discovery finds legitimate card numbers outside the bounds of the CDE, it can trigger PK Masking to automatically mask, redact, or otherwise protect those numbers.
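As an added illustration of the discover-then-mask step, the Python below is example code written for this page; it is not PK Discovery or PK Masking code, whose internals the page does not describe. It scans constructed log lines for candidate card numbers, uses a Luhn check plus a small allowlist of publicly documented test card numbers to separate live PANs from test data and digit noise, and masks live PANs found at a location outside the CDE down to BIN plus last four. The CDE path prefixes, the sample log, and the three-entry test-card allowlist are assumptions made for the example.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Publicly documented test card numbers (Visa, Mastercard, Amex). A real scanner
# carries a far longer list; these three are an assumption made for this example.
KNOWN_TEST_PANS = {"4111111111111111", "5555555555554444", "378282246310005"}

# Hypothetical CDE boundary: any location under these prefixes is inside the CDE.
CDE_PREFIXES = ("/srv/payments/", "/var/log/payment-gateway/")

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: double every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(digits: str) -> str:
    """'test' for a known test number, 'pan' for a Luhn-valid number that is not,
    'noise' for digit runs that fail Luhn (order IDs, timestamps, and so on)."""
    if digits in KNOWN_TEST_PANS:
        return "test"
    return "pan" if luhn_valid(digits) else "noise"


def mask_pan(digits: str) -> str:
    """Keep the first six (BIN) and last four; PCI DSS permits at most that
    when a PAN is displayed. Everything in between is masked."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass(frozen=True)
class Finding:
    raw: str     # text as it appeared, separators included
    digits: str  # normalized digits only
    kind: str    # 'pan', 'test' or 'noise'


def find_pans(text: str) -> list[Finding]:
    """Return every candidate digit run with its classification."""
    findings = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19:
            findings.append(Finding(m.group(), digits, classify(digits)))
    return findings


def redact(text: str) -> str:
    """Mask live PANs in place; leave test numbers and noise untouched so the
    remediation record still shows what the scanner saw."""
    def _sub(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and classify(digits) == "pan":
            return mask_pan(digits)
        return m.group()
    return _CANDIDATE.sub(_sub, text)


def scan_location(path: str, text: str) -> tuple[Counter, str]:
    """Discovery plus conditional masking: count what was found at `path`, and
    if the path is outside the CDE, return the text with live PANs masked."""
    counts = Counter(f.kind for f in find_pans(text))
    inside_cde = path.startswith(CDE_PREFIXES)
    if counts["pan"] and not inside_cde:
        return counts, redact(text)
    return counts, text


# Constructed sample: a non-CDE application log that should never hold a live PAN.
SAMPLE_PATH = "/var/log/webshop/checkout.log"
SAMPLE_LOG = """\
2024-03-02 order=1234567890123456 card=4532 0151 1283 0366 status=approved
2024-03-02 qa run card=4111-1111-1111-1111 status=approved
2024-03-02 order=1234567890123456 card=4111111111111112 status=declined
"""

if __name__ == "__main__":
    counts, cleaned = scan_location(SAMPLE_PATH, SAMPLE_LOG)
    print(dict(counts))  # the live PAN count is what the compliance team cares about
    print(cleaned)
```

Two design points worth noting: a Luhn check alone cannot tell a well-known test number from a live one (4111 1111 1111 1111 passes Luhn), which is why the allowlist exists, and the scanner leaves noise and test numbers unmodified so that the remediation record still shows exactly what was found and why it was not treated as cardholder data.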
It’s vital to fully understand your CDE to promote continuous PCI DSS compliance. Want to learn more about how to build a sustainable compliance strategy? Download our free ebook, “What’s Next After Achieving PCI DSS Compliance.”