Maintaining Ongoing PCI Compliance and Security

Complying with the PCI DSS is crucial for businesses that handle sensitive payment card data. That’s because compliance is not just about adhering to a set of regulations—it is about keeping cardholder data safe for the sake of customers, and for the sake of a company’s ability to do business.

But what does it mean to maintain PCI compliance and security? Many think that compliance is a one-time project, and upon meeting all the necessary requirements, a business is secure and compliant for good. However, in reality, there are many challenges that must be met in an effort to not only make cardholder data safe, but keep it safe.

Compliance and Security: An Ongoing Effort

When it comes to maintaining compliance and security, there are commonly two misconceptions at work.

The first misconception is that compliance consists of completing a one-time checklist. In fact, PCI compliance is an ongoing process that helps ensure cardholder data (CHD) remains safe as businesses grow, technology develops, industry standards change, and new threats to data security emerge.

The second misconception is that compliance always equals better security. While the ultimate goal of PCI compliance is the security of sensitive data, one does not always guarantee the other. While the PCI DSS’s framework provides a solid baseline, the best way to develop a secure cardholder data environment (CDE) is to develop a culture of security—including the protection of information assets and IT infrastructure—the result of which should be a naturally compliant environment. There are four aspects of sustainability that need to be addressed to facilitate this kind of environment: technical component sustainability, administrative effort, operational consistency, and business objective strategy.

The Challenges of Maintaining Ongoing Compliance

Businesses maintaining compliance in an ever-changing environment will always face new challenges. If organizational changes within a business or technical changes to a CDE occur, those changes must be evaluated for compliance and security. Likewise, the release of new or updated rules and regulations by the PCI SSC—such as updates to the PCI DSS—mean that CDEs must be evaluated to ensure that continuing compliance. Finally, as new industry threats emerge—such as an increase in cybercriminal attacks or the discovery of technical vulnerability—those threats must be addressed and protected against.

What Requirements Need Review to Ensure Compliance?

Because no two businesses are exactly alike, no two CDEs are exactly alike. Thus, the requirement review process may differ from entity to entity. Likewise, while all requirements need review on a continual basis, the timeline for doing so varies. According to the a Verizon Compliance Report, evaluation frequency can be divided into daily, weekly, every (x) months, annually, periodically, and “after changes.” For example, while an annual review is recommended for media inventories, the review of logs and security events for all CDE components to identify suspicious activity is recommended daily. That’s why it is important for entities to plan for long-term evaluation to most effectively achieve compliance and security.

Planning for Success with a Hosting Partner

If your business is planning on partnering with a hosting provider, it’s important that the provider have experience with facilitating PCI compliance, and that you will be able to create a customized solution for your hosting needs. Because PCI compliance is a complex process, and because that process is different for every entity, it is advantageous to partner with a PCI compliant hosting provider that can couple both the services you need with the support to facilitate ongoing compliance.