The Council just published Information Supplement: Best Practices for Maintaining PCI DSS Compliance, which provides updated guidance and practical recommendations for dealing with the challenges associated with maintaining PCI DSS compliance. In this article, we discuss the updated guidance and how it may be of benefit to your organization. We sit down with Emma Sutcliffe, Senior Director of Data Security Standards, to discuss the guidance.
Why is the Council updating this information supplement?
Emma Sutcliffe: This topic was proposed and selected by PCI SSC Participating Organizations as part of the Council’s Special Interest Group (SIG) election process. This new information supplement replaces guidance previously published in August 2014.
Industry feedback tells us that many organizations experience a decline in the effectiveness of their PCI DSS security controls and their overall state of compliance after the assessment is completed. This guidance aims to help organizations understand how to incorporate continuous security and compliance practices into their culture and daily operational activities.
What are the challenges in maintaining compliance?
Emma Sutcliffe: For many organizations, the pressure to adapt to ever-increasing customer demands and emerging technologies, and the resulting changes to an organization’s business goals, structure and technology infrastructure, can introduce compliance gaps. In other cases, factors contributing to a decline in compliance could include organizational complacency or a lack of leadership commitment to maintaining compliance. Some organizations assume practices from previous years can simply be repeated for compliance, while others are overconfident in their own practices and don’t devote the resources necessary to regularly monitor their compliance program’s effectiveness.
Shifting the mindset from one of compliance to a continuous, risk-based mentality is a critical component of making payment security business-as-usual. The ongoing security of cardholder data should be the driving objective behind all PCI DSS compliance activities, as opposed to achieving a passing compliance report and then subsequently letting security practices fall off.
What are the risks of not maintaining compliance?
Emma Sutcliffe: Failing to maintain compliance at all times could leave organizations more susceptible to security control failures, malicious attack, or accidental information leakage.
How will this guidance paper help organizations?
Emma Sutcliffe: The Information Supplement: Best Practices for Maintaining PCI DSS Compliance provides practical recommendations for dealing with some of the key challenges in maintaining compliance and offers solutions to help organizations avoid the pitfalls of compliance fall-off. Using this guidance as a resource, merchants, service providers and other organizations can better understand how to plan for and maintain a state of continuous compliance.
The new Information Supplement replaces guidance previously published in August 2014. What new content is included in this updated information supplement?
Emma Sutcliffe: This updated information supplement expands on the guidance previously provided in the 2014 guidance. Some of the updates include:
- New guidance on managing internal compliance programs, scope and compensating control reviews, maintaining evidence of security control effectiveness, security awareness, and monitoring compliance of third-party service providers.
- Updated guidance on roles and responsibilities, measuring adequacy and effectiveness of security controls, and sampling of controls.
- The addition of two new appendices to assist with identifying applicable PCI DSS requirements for different asset types and managing compliance monitoring activities.
This paper was created by a Council Special Interest Group. Can you talk a little bit about this program?
Emma Sutcliffe: Special Interest Groups are PCI community-led initiatives that address specific areas or challenges in relation to the PCI Standards. SIGs bring together the brightest payment security minds from a wide-ranging group of PCI stakeholders, including merchants, financial institutions, service providers, assessors and associations, and provide another way for the PCI community to provide relevant updates and valuable resources to help merchants and others in their payment security efforts.
Note: The Information Supplement: Best Practices for Maintaining PCI DSS Compliance does not define how an organization should report or validate its compliance. Compliance programs are managed by the payment card brands and acquiring banks. Organizations should consult with their payment card brand or acquirer, as applicable, to understand their compliance reporting obligations.