One of the primary issues that the recently published Verizon 2015 PCI Compliance Report brings to light is the challenge most companies face in maintaining continual compliance with the PCI DSS standard over time. Passing an initial compliance assessment is difficult enough, but even more striking is that only 29% of the companies that pass the assessment remain fully compliant with the payment card industry standard less than a year after attaining compliance. Most companies are clearly treating the initial compliance assessment as a bona fide project and bringing the necessary resources to bear in order to pass. What is also clear, however, is that attention to sustaining compliance wanes between certification cycles, leaving organizations exposed to risk.
With 43 million security incidents detected by the 9,700 participating companies in 2014, and this number expected to continue to grow significantly, it is a necessity to treat the compliance audit as a continuous, fluid project. Rodolphe Simonetti, managing director of professional services for Verizon Enterprise Solutions, hits the nail on the head when he says: “Putting the focus on making compliance sustainable is key. It must be a part of day-to-day activities in an organisation’s greater security strategy.” Having people, process and technology in place that are focused on maintaining adherence to the PCI DSS standard on an ongoing basis is of paramount importance.
While the PCI requirements are spelled out, they require a great deal of work to implement: a combination of knowledgeable people and technology that can keep tabs on all possible vectors. Change is the only constant, and organizations must stay on top of every change if they want to remain compliant all year long. Proper tooling can support compliance experts by keeping on top of all possible vectors and distilling critical information from the broader noise. Automating compliance reporting, alerting on important events such as configuration changes and access to sensitive corporate data, and protecting the most critical objects in the infrastructure can enable organizations to adopt a more sustainable approach to PCI compliance. Cyber attacks and breaches will only continue to increase, and the compliance regulations will continue to evolve to address them. With version 3.0 released just over a year ago, version 3.1 of the PCI DSS standard is expected imminently to address recent vulnerabilities. Organizations will have to shift their approach from fly-in, fly-out audits toward making regulatory adherence a core part of the company’s day-to-day operations.