Many organisations work diligently to achieve Payment Card Industry Data Security Standard (PCI DSS) compliance in year one, but only 21% of organisations remain fully compliant at the time of the 2011 Report on Compliance**.
So, how can your organisation sustain PCI DSS compliance?
To date, the most common approach has been to establish a PCI DSS “project”, typically with a beginning and an end and the objective to “achieve compliance”. However, a sustainable compliance program means developing ongoing, maintainable business practices with the right people, processes and technology.
The PCIcomply framework provides a centralised PCI DSS compliance repository for all PCI DSS obligations and the applicable controls, together with the tools for enterprise-wide monitoring, testing and reporting of PCI DSS compliance. The solution includes workflows to support each process, Information Security Policy lifecycle management and certifications, and integration with Enterprise Risk Management (ERM), with PCIcomply forming part of a multi-compliance framework.
What is the PCIcomply Framework and How Does It Do This?
To understand how the PCIcomply framework is a solution to sustainable PCI DSS compliance, let’s first look at what PCI DSS is, who has to comply, what happens if you do not comply, and what the compliance requirements are.
What is PCI DSS?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to help ensure organisations maintain a secure network and proactively protect customer account data. It sets the minimum requirements for handling cardholder information, based on information security best practices.
The PCI DSS is administered and managed by the Payment Card Industry Security Standards Council (PCI SSC), an independent body that was created by the major payment card brands (including Visa, MasterCard, American Express). The payment card brands and the acquiring banks are responsible for enforcing PCI DSS compliance.
Who Has to Comply and by When?
PCI DSS applies to all organisations that accept, acquire, transmit, process and/or store cardholder data, regardless of size and number of transactions. These organisations are obligated to continuously protect cardholder data to at least the minimum requirements in the PCI DSS.
The dates for compliance set by the card brands, both overseas and in Australia, have passed.
** Verizon 2011 Payment Card Industry Compliance Report.
What if I do not Comply?
There are two key consequences of non-compliance. The first relates to non-compliance with the standard itself; the second is the impact of a data breach.
Non-Compliance with PCI DSS
The PCI standard forms part of the operating regulations that apply to organisations that operate merchant accounts. Organisations are contractually required to be compliant through their contracts with the card brands or their acquiring bank. There are also regulatory requirements around the privacy of customer data. Consequences of non-compliance include:
- Fines (in the US, $5,000 to $100,000 per month)
- Insurance claims
- Terminated banking relationship or increased transaction fees
- Potential inability to process credit cards
The most severe consequence of non-compliance is the impact on your organisation's reputation from a data breach.
The reputational impact of a data security breach is both immediate and long term, and a single breach is enough. Customers may no longer be confident that their data is secure, affecting the ability to conduct business both now and in the future. This includes loss of current and future business, a significant loss of profits and poor industry/community standing.
Fixing the problems that caused the breach and becoming PCI compliant is not an overnight task. Becoming PCI compliant takes most organisations many months and involves significant investment and resources across the business.
So, what are the PCI DSS Compliance Requirements?
The PCI DSS requirements (based on the Report on Compliance, ROC, v2.0) are:
- 12 high-level compliance requirements within 6 control objectives
- 252 individual requirements
- 315 testing procedures to determine the compliance status
- 654 test steps to be performed to support the testing procedures
- Applicable to multiple cardholder data environments (CDEs); call the number of CDEs Y
- Up to Y x 252 test plans to be planned and executed (for multiple CDEs)
- Continuous control monitoring and reporting, including:
  - Quarterly vulnerability scanning
  - Annual penetration testing
  - Annual QSA assessment
Features of a compliance program to facilitate compliance with the PCI DSS include:
- Identification and recording of the organisation's CDEs
- Recording of all PCI requirements and mapping to the relevant CDEs
- Assignment of accountabilities for key compliance activities (e.g. program owner, requirement owner(s), requirement testers)
- Regular testing of control effectiveness, recording of test results, and monitoring and remediation of compliance issues
- Design and maintenance of Information Security Policies and Procedures, and monitoring of policy compliance
- Continuous stakeholder reporting of compliance status
- Compliance certification and sign-off
The standard and its requirements are not static. They are fluid in nature to meet changes in both security and technology. The standard is continually revised and updated to meet these changing requirements, which may happen from year to year.
The Solution to a Sustainable Compliance Approach – PCIcomply Framework
IncQ Consulting has developed the PCIcomply Framework powered by SAP GRC as a solution to sustainable PCI compliance.
What is the PCIcomply Framework?
The PCIcomply framework is a single, enterprise-wide automated repository for all compliance data. It supports compliance monitoring and reporting frameworks and processes, and can form part of an Enterprise Governance, Risk and Compliance Framework (eGRC). It provides:
- Recording of the PCI DSS requirements: 12 high-level and 252 individual requirements
- Recording of the testing procedures, test steps and testing method (based on the ROC)
- Recording of the organisation's CDEs
- Linking of the relevant PCI DSS requirements (and associated testing procedures) to each CDE
- Linking to business processes
- Assignment of individual accountabilities
- Planning and activation of test plans (via automated workflows)
- Recording of individual test results
- Automated remediation processes to address compliance failures
- Policy Lifecycle Management functionality to assist with:
  - Creation, maintenance, revision and publication of policies
  - Mapping of controls, risks and compliance programs to specific policies
- Compliance status reporting (high level and granular)
- Compliance certification and sign-off
By design, PCIcomply enables multiple business areas and users to access, record, monitor, manage and report their PCI requirements in a single system. The assignment of ownership of key activities and the automated workflows ensure compliance activities are performed when required. The integrated reporting function enables timely analysis and reporting of compliance data, determination of compliance status and the management of any compliance issues.
Other Features of PCIcomply
Additional features PCIcomply provides:
- Supports best practice governance, risk and compliance frameworks by promoting collaboration, accountability, transparency and consistency in the management of risk and compliance requirements.
- Integration with Enterprise Risk Management (ERM) providing an enterprise-wide risk and compliance view.
- Part of a multi-compliance framework enabling the mapping of controls to multiple regulations and policies. Can also support additional regulations and policies and other review and audit processes.
- Audit log of all data, results, changes and updates.
What are the Business Benefits of a Sustainable Compliance Approach?
The business benefits of a sustainable compliance approach are:
- Established once
- Remains in place
- Runs as a continuous business-as-usual function
- Supports multiple users across multiple business areas
- Lower overall cost of compliance
- Timely and informed decision making based on available and up-to-date PCI compliance data
- Ability to adapt to obligation/requirement changes in a consistent and timely manner
- Ability to monitor and manage Information Security Policy effectiveness and to proactively take action on policy compliance issues
In Summary – PCIcomply, a Solution to Sustainable PCI DSS Compliance
The PCI standard is a complex, onerous and continuous compliance requirement that calls for the development of maintainable business practices with the right people, processes and technology to ensure sustainable compliance.
The PCIcomply Framework powered by SAP GRC provides a solution to sustainable PCI compliance. The integrated central repository for compliance data enables the recording, testing, monitoring and reporting of PCI requirements. The assignment of ownership of key activities and the automated workflows ensure compliance activities are performed when required. The Policy Lifecycle Management feature enables the linking of controls, risks and compliance programs to specific policies such as the Information Security Policy.
PCIcomply is a component of a multi-compliance framework that can support additional regulations and policies and other review and audit processes, and forms the basis of a roadmap to eGRC.