A recent study by Verizon revealed that only 11.1 percent of companies subject to the Payment Card Industry Data Security Standard (PCI DSS) actually comply with all 12 requirements. Any business that accepts one of the major branded credit cards is subject to the scope of PCI DSS, but here are some common areas where companies fail to achieve compliance, and practical tips for getting them right.
1. Perform Penetration Testing
The latest iteration of PCI DSS, version 3.0, updates penetration testing requirements, providing more details on their scope and methodology. (The new requirements are effective June 2015.) Such testing must include network layer and application layer evaluations. Organizations subject to PCI DSS must perform this testing at least annually, and after any significant change to the environment. In all cases, testers must be professionally qualified.
2. Follow Through on Vulnerability Scanning
Requirement 11.2 mandates quarterly vulnerability scans, plus rescans after any significant network change, performed from both an internal and an external perspective. The challenge here is twofold: follow-through and record keeping. It is not sufficient to simply perform scans. You must scan, fix the vulnerabilities found, and rerun the scan until it shows clean results. Maintain records for each scan and be able to produce four passing quarterly scans for the preceding year.
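As an added illustration (not code from the original article), here is a small Python check over a constructed scan log that flags the two ways the follow-through above is commonly missed: a failed scan never followed by a clean rescan in the same quarter, and a quarter of the preceding year with no passing internal or external scan on record.

```python
"""Check vulnerability-scan records for PCI DSS 11.2 follow-through."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Scan:
    run_on: date
    perspective: str  # "internal" or "external"
    passed: bool      # True only when the report shows no failing findings


def quarter_of(d):
    """Calendar quarter of a date as (year, 1..4)."""
    return (d.year, (d.month - 1) // 3 + 1)


def last_four_quarters(as_of):
    """The four quarters ending with the one containing `as_of`, oldest first."""
    year, q = quarter_of(as_of)
    quarters = []
    for _ in range(4):
        quarters.append((year, q))
        year, q = (year - 1, 4) if q == 1 else (year, q - 1)
    return quarters[::-1]


def unresolved_failures(scans):
    """Failed scans with no later passing scan of the same perspective in the same quarter."""
    return [f for f in scans if not f.passed and not any(
        s.passed and s.perspective == f.perspective
        and s.run_on > f.run_on and quarter_of(s.run_on) == quarter_of(f.run_on)
        for s in scans)]


def missing_passing_quarters(scans, as_of, perspective):
    """Quarters of the preceding year lacking a passing scan from this perspective."""
    passing = {quarter_of(s.run_on) for s in scans
               if s.perspective == perspective and s.passed}
    return [q for q in last_four_quarters(as_of) if q not in passing]


def is_compliant(scans, as_of):
    """True when every failure was rescanned clean and all four quarters have passes."""
    return (not unresolved_failures(scans)
            and not missing_passing_quarters(scans, as_of, "internal")
            and not missing_passing_quarters(scans, as_of, "external"))


# Constructed sample log (not real data): the external Q3 2014 failure was fixed
# and rescanned two weeks later; the internal Q1 2015 failure never was.
SAMPLE_SCANS = [
    Scan(date(2014, 7, 10), "external", False), Scan(date(2014, 7, 24), "external", True),
    Scan(date(2014, 7, 10), "internal", True), Scan(date(2014, 10, 5), "external", True),
    Scan(date(2014, 10, 5), "internal", True), Scan(date(2015, 1, 12), "external", True),
    Scan(date(2015, 1, 12), "internal", False), Scan(date(2015, 4, 8), "external", True),
    Scan(date(2015, 4, 8), "internal", True),
]
```

Run `is_compliant(SAMPLE_SCANS, date(2015, 6, 15))` to see the sample log fail on the internal Q1 2015 scan that was never rerun.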
3. Patch All Systems
Applying vendor updates to operating systems and applications is a time-consuming process that requires coordination and testing, but it provides a very high degree of security control by correcting known vulnerabilities with vendor-supplied patches. Requirement 6 specifies that critical security patches must be applied within a month of release. Automation is key here. Adopt system configuration management software to track patches and report noncompliance.
4. Establish a Continuous Compliance Process
The PCI DSS requirements in these three areas are long-standing, and it’s hard to imagine that any organization is simply unaware of them. Why, then, do so many companies fail these tests? Because each requires ongoing action. Remember, compliance is not a one-time or once-a-year activity but a continuous process that requires care and feeding throughout the year.