The “Business as Usual” compliance expectations of PCI DSS 3.0 are even more complicated than previous iterations of the framework to protect payment card data. But don’t be afraid to take the leap now; compliance will become even more difficult as the bar for data security keeps rising.
It all boils down to perspective. Compliance isn’t meant to be achieved in a single shot to pass an audit. Compliance must be an ongoing state. Sure, automating security controls to achieve continuous compliance will be hard, but it won’t be complicated – actually, it will be a lot easier – with the help of an expert such as Ipswitch.
PCI realized it had to constantly tighten regulations to provide even better protection for consumer data. That’s why 3.0 mandated a shift to Business as Usual, forcing you to adopt continuous compliance; the focus on repetition and consistency aims to usher in a shift in corporate culture. Put simply, if your organization doesn’t adopt the practice of continuous compliance – 24 hours a day, 7 days a week, 365 days a year – it is bound to fail.
As the Security Architect for Ipswitch, I defined our security and compliance policies, standards and procedures because we had to achieve PCI certification for our cloud offering.
To navigate Business as Usual, you as a security architect have to partner throughout your organization. If you want to be compliant, you have to create goals, standards and procedures that demonstrate your tools will map to PCI 3.0 regulations.
You are chartered to build and maintain a secure network, protect cardholder data, run a vulnerability management program, implement strong access control measures, and regularly monitor and test networks. That may seem like a tall order, but we’re here to help you do it.
It’s important to get executive buy-in to implement PCI strategies that are aligned with documented policies and standards. You’ll have to work with IT to ensure that automated procedures are in place that minimize their time and effort in monitoring and enforcing those standards. And, often last but certainly not least, you’ll have to work with everyone in the organization as the resource responsible for guiding the overall audit process to success.
Implementing Business as Usual (BAU) has the potential to complicate your ability to measure compliance with your organization’s PCI policies. Understanding, and staying in front of, the seemingly constant refinements from PCI will help you choose the right technologies to support the shift to “Business As Usual”.
These new expectations come as auditors are becoming more rigorous, and testing that your security procedures are ingrained in day-to-day processes across the organization, instead of being an annual effort just to pass an audit. They want to see if your organization has a security-aware culture. With these challenges, it shouldn’t be a surprise that only 20 percent of organizations were fully compliant on their Initial Report on Compliance, according to a Verizon study of 3,000 PCI DSS assessments in a three-year span ending 2014.
Those compliant organizations understand that Business as Usual will simplify – and not complicate – PCI compliance and the audit process. They know the key to simplification is that the use of automated security controls will provide continuous compliance. Automated controls reduce the time and effort spent on PCI procedures and make “one and done” compliance attempts an everyday occurrence, an ongoing state.
>> Learn more about simplifying PCI DSS 3.0 policies, standards and procedures via a webinar I recently participated in. It’s called The Impact of Business as Usual and hopefully the replay gets you started toward continuous compliance.
>> And be sure to engage with us next month during the Ipswitch Innovate 2015 User Summit, a two-day (October 21-22) online-only event for IT professionals to learn from each other and from our product experts.