What is PCI DSS compliance?

Does your business accept credit card payments? If that’s the case, you should read this article to find out what the challenges to the Payment Card Industry Data Security Standard (PCI DSS) are, and the current best practices to ensure that you are in compliance with this legal requirement.

In this article, we will learn:

1. What is PCI DSS compliance?
2. What are the 12 Requirements of PCI?
3. Why PCI solutions may not be enough to secure your organization.
4. Best practices for ensuring your organization is in full compliance with all 12 PCI Requirements.

What is PCI DSS compliance?

The Payment Card Industry Data Security Standard is an information standard for companies that process sensitive payment information. These rules were created to accommodate emerging cyber threats and new methods of processing and storage. From February 1, 2018, every business that engages in credit card transactions is bound to comply with them. The standard was created by the PCI Security Standards Council (SSC), which is a global organization composed of the major credit card companies: Visa, Mastercard, Discover and American Express.

Nearly one in five (18%) organizations do not have a defined compliance program with a formal structure, defined objectives, defined scope and supporting projects.
2018 Payment Security Report by Verizon

The 12 Requirements of PCI DSS

PCI DSS outlines 12 Requirements that are considered data security best practices. These are organized into six goals (or sections); see below for details.

The 12 Requirements of PCI DSS. (Download as checklist)

Overall, in order to remain in compliance with PCI, organizations must implement tight controls over storage, transmission and processing of cardholder data. They also have to monitor, test and report on yearly results accordingly.

Unfortunately, many organizations still fail at their compliance efforts, even though they are required to achieve it at 100% and to maintain that rate. Verizon’s interim assessment of compliance for each PCI requirement yielded the following results:

Worldwide, the top-performing industry remains IT services, where over three-quarters of organizations (77.8%) achieved full compliance. Retail (56.3%) and financial services (47.9%) were significantly ahead of hospitality organizations (38.5%), which demonstrated the lowest compliance sustainability.
2018 Payment Security Report by Verizon

PCI Requirement 10

Of particular importance isRequirement 10: Track and monitor all access to network resources and cardholder data, because failing to fully comply with it (vs. other Requirements) means an organization may have been breached.

Source: 2018 Payment Security Report by Verizon

Monitoring key systems is critical for achieving sustainable security and companies that exhibit poor logging and monitoring are likely to take longer to spot breaches, giving criminals more time to do more damage. This means all applicable security controls must be continuously in place.

According to a recent report by the PCI SSC Special Interest Group (SIG) on Effective Daily Log Monitoring, Requirement 10 and 10.6, in particular, continue to pose the greatest challenge to organizations.

Download as checklist

The following areas were indicated as the most problematic:

• Identifying appropriate and/or relevant log sources
• Differentiating between “normal” activity and a “security event”
• Handling large volumes of log data
• Meeting the stated frequency of manual log reviews
• Correlating log data from disparate systems

Sumo Logic helps organizations of any size meet the stringent and challenging logging, monitoring and data retention requirements spelled out in PCI DSS Requirement 10 through the following:

• Automation that demonstrates compliance with PCI DSS Requirement 10
• Visibility across all systems
• Simplified compliance and shortened audit cycles
• Security by Design: Platform is PCI DSS 3.2 Service Provider Level 1 Certified
• Deployment in minutes, not days
• Reduced cost of ownership with a cloud-native, highly-scalable service
• Segmented, unalterable and centralized repository for all your log data

Why PCI may not be enough?

Over the years, the PCI compliance standard has undergone substantial changes, and the unpredictable nature of compliance audits where auditors can request precise information related to an organization’s operations makes meeting all requirements an arduous task. Especially when data breaches proliferate - such incidents have increased by 32 percent in 2018, compared with 2017.

That’s why you cannot underestimate the value of overall IT and security hygiene. Your best option is having a cloud-based organization that has built-in tools to manage encryption, masking, security, configuration and operations.

With Sumo Logic, a cloud-native data-analytics service, you can address log management, monitoring and data retention as prescribed by PCI DSS Requirement 10. In addition, we advise you to follow the below best practices.

Best practices

This list of 10 best practices has been compiled by Verison. You can find out more about it here.

1. Develop and maintain a sustainable security program
   In the end, PCI DSS is all about protecting cardholder data from improper disclosure. This includes everyone in the payment chain: merchants, service providers, acquirers, issuers, the payment brands and consumers. Nearly three-quarters of all attacks on retail, hospitality and food-service companies target cardholder data!
2. Develop program, policy and procedures
   You can’t be proactive in the event of a security breach if you don’t have a formal compliance program with clearly outlined policy rules and procedures. Such a program will also allow you to monitor your security controls and communicate compliance status across your entire organization.
3. Set performance metrics to measure success
   Having a collection of metrics doesn’t mean your organization is PCI-compliant. However, if analyzed properly, these metrics can provide useful information on the effectiveness of your security initiatives and indicate where to allocate more resources, if needed. There are different frameworks for selecting metrics; choose one that unlocks their intended purposes.
4. Assign ownership for coordinating security activities
   Centrally coordinating technologies, processes and people will greatly benefit the compliance process. The Compliance Manager will have a wide portfolio of responsibilities that includes coordinating the implementation and monitoring of security controls as well as collecting, collating, and storing evidence to demonstrate that required PCI DSS security controls are operating effectively on a continuous basis.
5. Emphasize security and risk management to attain and maintain compliance
   The larger and more complex an organization is, the more additional controls it may need to stay fully PCI-compliant. A good additional measure is to build a culture of security and to protect an organization’s assets and infrastructure, which will allow compliance achievement as a consequence. To determine whether your organization needs additional security controls, analyze your risk assessment outputs accordingly.
6. Continuously monitor security controls
   To ensure effective monitoring, you need to periodically review all your relevant security measures and build these into a process. Then, develop a strategy for continuous monitoring and documentation of all security controls (their implementation, effectiveness, efficiency, impact and status).
7. Detect and immediately respond to security control failures
   You probably understand by now that having the ability to detect security failures during review or monitoring process is absolutely critical for any organization. You must also have a process in place for responding to those failures as quickly as possible.
8. Maintain security awareness across the organization
   Implementing an information security awareness training program is mandatory per PCI DSS Requirement 12.6. This particular point also stipulates that you need to define appropriate communication methods, provide relevant training upon hire and at least annually, and implement effective communication channels for security awareness. These are required because security monitoring and access-management tools alone do not guarantee that risk can be minimized.
9. Monitor compliance of Third-Party Service Providers
   If you monitor the compliance status of your TPSPs, you will be able to determine if a change in relationship is required or not. It’s necessary for organizations and their TPSPs to clearly understand their roles and responsibilities to remain in compliance with applicable PCI Requirements.
10. Evolve your compliance program to address changes as they happen
    Monitoring and effectively communicating with all impacted parties on newly identified threats, changes to the organizational structure and changes in the industry that may impact the organization’s PCI DSS compliance efforts are the key duties of Compliance Managers.

Key Takeaways:

1. The Payment Card Industry Data Security Standard is a set of rules that every business that engages in credit card transactions is bound to comply with.
2. There are 12 Requirements of PCI that must be fully met. Requirement 10: Track and monitor all access to network resources and cardholder data must not be overlooked when it comes to protection against breaches.
3. Complying with PCI Requirements may not be enough to guarantee protection against threats, so maintain overall IT and security hygiene, invest in a cloud-native security tool like Sumo Logic and apply industry best practices.