In the Verizon Payment Security Report published August 31, 2017, there was an alarming statistic: 44.6% of companies fall out of DSS Compliance within nine months of validation.  Even with the increase of full compliance to over 55% in 2016, companies are still trying, and failing, to maintain their compliance effectively.

One of the reasons for this trend seems to be that companies are not actively managing and measuring the effectiveness and correctness of their security controls. The PCI Security Standards Council has been emphasizing the need for control effectiveness monitoring, and included a section entitled ‘Best Practices for Implementing PCI DSS into Business-as-Usual Processes’ in the PCI Data Security Standard (PCI DSS) since version 3.0. Additionally, beginning February 2018, the PCI DSS includes requirements for Service Providers to monitor some business-as-usual processes in requirement 12.11.

Speaking from personal experience, I have to agree that this is a correct assumption. I’ve seen it time and again where organization have forgotten to perform some testing procedure or other, and have to scramble to ‘catch-up’ after we’ve discovered the gap in an on-site assessment.  

So, for Merchants, smaller organizations, or organizations without a mature risk management process, where can you start? When looking at the entirety of the PCI DSS, especially for those that are subject to an annual Report on Compliance assessment or must use SAQ D, it can seem overwhelming. Fortunately, the PCI DSS has some items that are ready-made for measurement; those controls that have a defined time-based requirement.

Throughout the PCI DSS, there are requirements that specifically outline the interval at which various testing procedures must be conducted, data or evidence must be retained or destroyed, training must be conducted, procedures must be reviewed, or other actions must occur. Most time periods for these items are clearly defined as: Yearly/Annually, Semi-annually/6 months, Quarterly/3 months, Monthly, Weekly, or Daily. Some other requirements are defined as ‘Periodically’, or have time periods that are less strictly defined, and may be different for each organization.

Below is a link to a PDF version of this blog article with a chart showing all the time-based requirements from PCI DSS version 3.2, organized by periodicity, which can be used as a basis for developing business-as-usual metrics for these requirements. At a minimum, a person or group could be assigned the task to ask questions like, ‘Is this process actually happening?’ or ‘Is the required data or evidence being retained or destroyed per the required time period?’ Available testing, monitoring, and reporting tools and techniques, should be employed to automate these tasks wherever possible.

PCI Time-Based Requirements as a Starting Point for Business-As-Usual Process Monitoring.pdf

AppSec Consulting is available to help your organization evaluate how well these time-based requirements are being addressed. We also specialize in full-service risk assessment and management services. Contact us to see how we can assist.

Chip Ross

Chip came up through the ranks of Information Technology, beginning as a contract Desktop Field Engineer in 1997. His career evolution included leading the Desktop Operations team at Northwest Airlines, including day-to-day work direction for a team of 14 packagers and maintaining communication with upper management regarding desktop operations. In 2006, he transitioned to Information Security and delivered compliant merchant RoCs for 2007 – 2010, including the year of the Northwest/Delta merger.

Chip moved to Carlson in 2010 and continued delivering compliant Service Provider and Merchant RoCs from 2010 – 2012 as a Carlson-sponsored ISA. During that time, Chip also conducted many assessments at Carlson hotel and restaurant franchisees, providing on-the-ground guidance to the smaller merchants that make up a large portion of Carlson’s organization. Chip joined United Health Group as a sponsored ISA in early 2013, to provide guidance, tracking and reporting on the PCI efforts for the various teams and business units there.

Drawing on his experience, leading, participating, tracking and reporting on many remediation projects, Chip helps clients achieve their compliance goals through scope reduction, process improvement, and strategic technology integration. Chip’s broad background and extensive PCI experience with large corporations enables him to be comfortable working with client personnel anywhere from the data center to the board room, ensuring that AppSec Consulting’s clients receive thorough, top-quality consultation and assistance.

read more articles by Chip Ross

© Copyright 2018 AppSec Consulting, All Rights Reserved