For any business accepting credit or debit card payments from its customers, Payment Card Industry Data Security Standard (PCI DSS) compliance – a comprehensive set of standards for protecting payment card data – is an absolute must. But for most, ensuring continuous compliance (ongoing monitoring of the rules rather than waiting for an audit to reveal non-compliance) with the vast and ever-changing rule set can be a real drain on resources. Automation is key to resolving the problem, but which challenges does it solve, and how can it be implemented effectively?
We recently invited a group of industry professionals to join a live webinar to discuss the challenges of PCI audit compliance and automation. You can watch the full version, "How to pass your audit", but here's a summary:
During the webinar, we carried out a short survey to find out about our respondents' plans for continuous compliance in the year ahead. 47 percent confessed they had no plans in place for continuous compliance, and only 13 percent already had it in place. That's a huge number considering the penalties incurred for failing to comply. The other 40 percent expressed an interest in achieving continuous compliance this year.
The 5 ‘C’s
Undoubtedly one or all of the following challenges are getting in the way of successful auditing: the five 'C's.
- Complexity - enterprises have hundreds of firewalls, routers and switches, each with its own complex configuration and thousands of access rules. All of them have to be tracked and catalogued, which makes complying with every PCI DSS rule almost impossible by hand.
- Change - hundreds of changes every week amount to thousands of changes to track from one audit to the next. The combination of rapid change and time pressure means mistakes happen, and those mistakes can leave businesses wide open.
- Connectivity - configuration errors very easily lead to compliance issues and service downtime. A high number of rule changes can expose cardholder data, leaving the business compromised until its next audit catches the problem.
- Compliance - audits are time-intensive, and changes usually go unchecked between audits, making the process even more laborious. Yet businesses cannot afford to fail an audit.
- Communication - poor communication and a siloed culture between application owners and IT security can make a comprehensive compliance check between audits extremely complicated and difficult to manage.
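The "Change" and "Connectivity" challenges above come down to one question: which access rules changed since the last audit, and did any of those changes open the cardholder data environment (CDE) to untrusted networks? The following added example (not code from the webinar or from any vendor product) shows the core of a continuous-compliance check: it diffs two constructed firewall rule snapshots and flags new or modified rules that allow traffic from anywhere into an assumed zone named "cde". The rule format, zone names and sample rules are all assumptions made for illustration.

```python
"""Continuous compliance check over firewall rule snapshots (added example).

Assumptions, not taken from the page: rules are modelled as (id, source zone,
destination zone, service, action); the cardholder data environment is the
zone named "cde"; an allow rule from "any" into "cde" is treated as drift
that must be reviewed before the next audit.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CDE_ZONE = "cde"        # assumed zone name for the cardholder data environment
UNTRUSTED_SRC = "any"   # assumed source token meaning "no restriction"


@dataclass(frozen=True)
class Rule:
    rule_id: str
    src: str
    dst: str
    service: str
    action: str  # "allow" or "deny"


def index_rules(rules: List[Rule]) -> Dict[str, Rule]:
    """Map rule id to rule so two snapshots can be compared by id."""
    return {r.rule_id: r for r in rules}


def diff_rulesets(old: List[Rule], new: List[Rule]) -> Tuple[List[str], List[str], List[str]]:
    """Return (added, removed, modified) rule ids between two snapshots."""
    before, after = index_rules(old), index_rules(new)
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    modified = sorted(rid for rid in set(before) & set(after) if before[rid] != after[rid])
    return added, removed, modified


def is_risky(rule: Rule) -> bool:
    """A rule that lets unrestricted sources reach the CDE is a PCI concern."""
    return rule.action == "allow" and rule.dst == CDE_ZONE and rule.src == UNTRUSTED_SRC


def find_drift(old: List[Rule], new: List[Rule]) -> List[Tuple[str, str]]:
    """List (rule id, reason) for every added or changed rule that is risky.

    Removed rules are reported by diff_rulesets but are not drift by
    themselves; a removed rule cannot open new access to the CDE.
    """
    after = index_rules(new)
    added, _removed, modified = diff_rulesets(old, new)
    drift = []
    for rid in added + modified:
        rule = after[rid]
        if is_risky(rule):
            kind = "added" if rid in added else "modified"
            drift.append((rid, f"{kind}: allow {rule.src} -> {rule.dst} {rule.service}"))
    return sorted(drift)


# Constructed snapshots: the rule set as approved at the last audit, and now.
SNAPSHOT_AUDIT = [
    Rule("r1", "corp-lan", "cde", "tcp/443", "allow"),
    Rule("r2", "any", "cde", "any", "deny"),
    Rule("r3", "cde", "dmz", "tcp/1433", "allow"),
]
SNAPSHOT_NOW = [
    Rule("r1", "corp-lan", "cde", "tcp/443", "allow"),
    Rule("r2", "any", "cde", "tcp/22", "allow"),    # changed: deny-all became allow SSH
    Rule("r4", "any", "cde", "tcp/3389", "allow"),  # new: RDP from anywhere into the CDE
]


if __name__ == "__main__":
    added, removed, modified = diff_rulesets(SNAPSHOT_AUDIT, SNAPSHOT_NOW)
    print(f"added={added} removed={removed} modified={modified}")
    for rid, reason in find_drift(SNAPSHOT_AUDIT, SNAPSHOT_NOW):
        print(f"REVIEW {rid}: {reason}")
```

Run on a schedule against exported rule sets, a check like this turns "thousands of changes to track from one audit to the next" into a short daily review list; the `is_risky` predicate is deliberately simple and would be extended with the organisation's own CDE segmentation policy.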