Compliance with the Payment Card Industry Data Security Standard (PCI DSS) can be a daunting task for many organizations. Understanding what’s expected of you can be hard enough, but then deciding on a strategic path forward to reaching a state of compliance and maintaining that posture can be incredibly complex. If you don’t do it right, achieving and maintaining compliance can also be much more costly than it needs to be. There are a few ways to get started with this process and quickly boost PCI compliance. We’ll walk through a couple of approaches that can be used almost universally, by both SMBs and larger organizations, regardless of your current program maturity.
1. Network Segmentation
This is simultaneously the most important, most difficult, and highest security return-on-investment of all of these ways to boost PCI compliance. Network segmentation is the process of dividing your network into a series of smaller networks and limiting or preventing communication between them. For PCI, this involves sectioning all of your cardholder data (CHD) processing and storage into what’s referred to as the Cardholder Data Environment (CDE).
This allows sections of your network that aren’t involved in CHD-related activities and can’t communicate to or from the CDE to be removed from scope. PCI requirements would then only need to be applied to a subset of systems and devices in your environment, reducing level of effort and cost, and potentially allowing a Self-Assessment Questionnaire (SAQ) with fewer requirements to be completed (a C rather than a D, for example). Fewer requirements and fewer places to apply them = easier, faster compliance.
Finally, segmentation offers a significant increase in “real” security. The Target breach in 2013, one of the most notable PCI-related breach incidents in the past decade, was possible because of non-existent or poor network segmentation. While compliance is often a good starting point for a security program, it does not directly equate to security and adequate defense. Segmentation, however, pays dividends by preventing an attacker from moving throughout your network in the case of a breach. Good segmentation limits lateral movement between network segments, making an attacker’s life much more difficult and decreasing the odds that they will be able to find and exfiltrate sensitive data from your network.
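As an added example that is not part of the original post, the following Python sketch works through the scoping consequence of segmentation described above on a constructed, simplified firewall rule set: any segment that can still talk to or from the CDE stays in scope, the rest are descoping candidates, and an “any” destination rule that quietly reaches the CDE is flagged for review. The segment names, the rules, and the first-match firewall semantics are all assumptions.

```python
"""Derive PCI scope from a simplified segment-to-segment rule set.

Constructed example, not from any real environment: segment names,
rules, and first-match-wins evaluation are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src: str     # source segment, or "any"
    dst: str     # destination segment, or "any"
    action: str  # "allow" or "deny"


# Constructed sample data: five segments and an ordered rule base.
SEGMENTS = {"cde", "corp-users", "guest-wifi", "dev", "mgmt"}
RULES = [
    Rule("corp-users", "cde", "deny"),   # office users blocked from CDE
    Rule("mgmt", "cde", "allow"),        # jump hosts administer CDE servers
    Rule("cde", "mgmt", "allow"),        # log forwarding out of the CDE
    Rule("guest-wifi", "any", "allow"),  # overly broad: silently reaches CDE
    Rule("dev", "corp-users", "allow"),  # unrelated to the CDE
]


def can_talk(rules, src, dst):
    """First matching rule decides; no match means implicit deny."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any"):
            return r.action == "allow"
    return False


def in_scope(segments, rules, cde="cde"):
    """Segments with any permitted path to or from the CDE stay in scope."""
    scoped = {cde}
    for seg in segments - {cde}:
        if can_talk(rules, seg, cde) or can_talk(rules, cde, seg):
            scoped.add(seg)
    return scoped


def broad_rules(rules, cde="cde"):
    """Allow rules with an 'any' destination pull their source into scope."""
    return [r for r in rules
            if r.action == "allow" and r.dst == "any" and r.src != cde]


if __name__ == "__main__":
    scoped = in_scope(SEGMENTS, RULES)
    print("in scope:", sorted(scoped))
    print("descoping candidates:", sorted(SEGMENTS - scoped))
    for r in broad_rules(RULES):
        print(f"review: {r.src} -> any allows traffic into the CDE")
```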
2. Scope Reduction
While network segmentation is one sub-category of scope reduction, there are a lot of other efforts in this area that can help cut the number of PCI requirements that your organization is subject to following. One of these options for companies that utilize Point-of-Sale (PoS) systems is Point-to-Point Encryption (P2PE). P2PE solutions are a special category of PoS systems that have been blessed as providing reliable encryption from the moment the card is swiped all the way to the payment processor. In fact, with authorized P2PE solutions the payment processor is the only party with the key to decrypt the CHD being sent; the organization accepting the payment never gets to see the key. What this allows you to do is complete a highly abbreviated SAQ, since unencrypted CHD never touches any of your systems or networks.
Additionally, another great way to boost PCI compliance is to avoid storing CHD. Proper CHD storage requires adherence to a number of difficult PCI requirements, specifically related to the encryption of that data and the handling of the related encryption keys. This can be time and resource intensive, so a great way to avoid that and boost your compliance is to remove any processes that involve the electronic storage of CHD. Basically, if you don’t need it, don’t store it. One way to do this that is quickly becoming the “gold standard” for recurring payments among processors is the use of tokenization. In tokenization, the processor passes you back a unique token that you store in your electronic systems to facilitate recurring payments. This way, your organization avoids the responsibility of protecting full primary account numbers (PANs) to PCI’s standards.
3. Avoid or Eliminate Unnecessary Payment Channels
Many times when assessing an organization, there’s at least one channel through which they accept a disproportionately low number of transactions compared to the level of effort they are putting into compliance and security efforts. While having multiple payment channels isn’t a compliance issue, removing any payment channels that are duplicative or unnecessary can reduce your resource expenditure and immediately boost PCI compliance. Of course, don’t cut off meaningful avenues of payment just in the name of compliance!
4. Document Everything!
As with many compliance efforts, a PCI discussion wouldn’t be complete without touching on documentation. Even if you’re doing everything right, your level of compliance will be severely hampered without a solid set of policies and procedures. Documenting everything so you can prove your compliance to third parties and maintain a consistent approach to security implementation is a great way to boost PCI compliance. Every single PCI DSS requirement calls for policies and procedures to drive the compliance efforts, so it stands to reason that this could make up almost 50% of your compliance efforts. This can help drive your security and compliance program as you continue to improve.
5. Perform Regular Vulnerability Scans and Penetration Testing
We discussed what kinds of security testing PCI requires in another blog post. It can be relatively easy to get all of this security testing performed, since in most cases you’ll be partnering with a third-party organization to accomplish it. While there are follow-up activities that you’ll then be required to undertake, such as remediation and documentation of risk, it can be a quick way to boost PCI compliance and get a baseline understanding of the residual risk to your organization.