Staying in control of PCI DSS - why it doesn’t have to be a battle to stay compliant - Part 2

In my last article I highlighted the importance for any business handling payment security data to keep it adequately protected by adhering to PCI DSS standards. The consequences for those that do not comply with the regulations could be dire; including loss of consumer and supplier trust, but also a fine from regulators if a data breach occurs. Of course, given there are 12 requirements to keep on-top of, it might seem like a mammoth task to stay complaint. Thankfully it doesn’t have to be that complex.

Here are nine key factors of control which can help guide any business in maintaining compliance via the 12 key requirements of the PCI DSS standard, as well as communicate compliance progress to the board. These are as follows:

• Factor 1: Control Environment: The sustainability and effectiveness of the 12 Key Requirements depends on a healthy Control Environment.
• Factor 2: Control Design: Proper control operation to meet DSS security control objectives depends on sound Control Design.
• Factor 3: Control Risk: Without ongoing maintenance (security testing, risk management, etc.), controls can degrade over time and eventually break down. Mitigation of control failures requires integrated management of Control Risk.
• Factor 4: Control Robustness: Controls operate in dynamic business and ever-changing threat environments. They must be robust to resist unwanted change to remain functional and perform to specifications (configure standards, access control, system hardening, etc.).
• Factor 5: Control Resilience: Security controls can potentially still fail, despite adding layers of control for increased robustness, therefore control resilience with proactive discovery and quick recovery from failure is essential for effectiveness and sustainability.
• Factor 6: Control Lifecycle Management: To achieve all of the above it is necessary to monitor and actively manage security controls throughout each stage of their lifecycle from inception to retirement. 
• Factor 7: Performance Management: Establishing and communicating performance standards to measure the actual performance of the control environment improves control effectiveness, and promotes predictable outcomes of your data protection and compliance activities, allowing for early identification and correction of performance deviations.
• Factor 8: Maturity Measurement: A control environment should never be stagnant – it must improve continuously. To do so, businesses need a roadmap, a target level of process and capability maturity to track the degree of formality and optimization of processes as indication of how close developing processes are to being complete and capable of continual improvement.
• Factor 9: Self-Assessment: Achieving all of the above requires in-house proficiency – resource capacity (people, processes and technology), capability (supporting processes), competency (skills, knowledge and experience) and commitment (the will to consistently adhere to compliance requirements) – in short: self-assessment proficiency.

Businesses should also remember that passing PCI compliance validation doesn’t mean that systems are ‘secure’, just that there was no evidence of non-compliance during the assessment   period, which is typically just a week or two. On the flip side, security systems are often tested every day. Sustaining compliance with the PCI DSS Standard is not a project, a one-off activity, but an ongoing programme. A programme that needs to adapt to the changing needs of business and new technologies that may be introduced into the business environment.

The key to a compliance processes being effective is the need to be driven from the top. Often this is hindered by the simple fact that general progress or challenges are not clearly communicated or understood by executives. By structuring the compliance process and conversations on our nine factors of control effectiveness and sustainability, executives can obtain a clearer understanding of the process involved and a clearer dialogue can be opened up to avoid unnecessary obstacles.