In this week’s webcast, Jane Man and Guillaume Ross revisited the latest PCI DSS 3.0 requirements. Security professionals need to be diligent to remain compliant and secure. Jane and Guillaume discussed some key results from the Verizon 2015 PCI Compliance Report, tips and tricks for complying with requirements 7, 8, and 10, and touched upon upcoming changes in v3.0 and v3.1. Read on for the top 3 takeaways from the “PCI DSS 3.0 Update: How to Restrict, Authenticate, and Monitor Access to Cardholder Data” webcast:
1) Compliance is a Point-in-Time Event – If you’re deemed compliant and then stop performing the processes associated with any requirement, you can easily be out of compliance a few days later. Compliance takes maintenance and adjustment as your environment changes through added data sources, users, operating systems, or applications. According to the Verizon 2015 PCI Compliance Report, none of the companies that had suffered a breach were compliant with the requirements for monitoring access – but they could have been compliant previously, which leads me to the next big takeaway…
2) Sustainability is Essential – Companies can be very diligent when first aiming to achieve compliance, but if there isn’t staff dedicated to the new processes and tasks involved in becoming compliant, compliance slips. Compliance is binary and must be a continuous process. You’re either compliant or you’re not – even if you’re 95% of the way there, you’re technically not compliant without that last 5%. It’s important to have clear and sustainable practices and controls in place that remain effective and efficient over time, to help maintain both compliance and strong security. Regularly test security systems and processes, and even if you have automated tools, make sure someone is taking the time to look at systems and investigate legitimate alerts. In hindsight, it can be easy to say a breach could have been prevented if you’d just looked at the right logs – but looking at the right log at the right time requires sustained effort and strong monitoring, logging, and auditing processes.
3) Reduce, Restrict, and Revalidate – Reduce the number of shared and generic accounts wherever possible, and make sure all activity on accounts like these is traceable and logged. Users should be restricted to accessing only the systems, features, and data they need to perform their jobs. Security teams should have controls in place to enforce and provision access policies and to detect violations. Always be revalidating the access you’ve given to users. The jobs and needs of users in an organization morph over time. As more privileges are given out, make sure that anything no longer needed is removed to avoid “permission creep,” which gets harder and harder to manage if neglected. When it comes to compliance, we should always be fine-tuning permissions and processes – without forgetting to go above and beyond to ensure security for important assets as well.
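As an added illustration of the third takeaway (this is example code, not something from the webcast or the Verizon report), the check below runs the "reduce, restrict, revalidate" questions over a constructed account export: which accounts are shared, which hold grants beyond their role, and which have not been reviewed within an assumed 180-day window. The role matrix, account names, grant names and dates are all made up for the example.

```python
# Added example: a small access-revalidation check for PCI DSS 3.0
# requirements 7 and 8. All data below is constructed sample input.
from datetime import date, timedelta

# Constructed role-to-entitlement matrix: the minimum each job needs.
ROLE_ENTITLEMENTS = {
    "cashier": {"pos:read", "pos:sale"},
    "store-manager": {"pos:read", "pos:sale", "pos:refund", "reports:read"},
}

# Constructed account inventory, as an access-review tool might export it.
ACCOUNTS = [
    {"user": "alice", "role": "cashier", "shared": False,
     "grants": {"pos:read", "pos:sale"}, "last_review": date(2015, 4, 1)},
    # bob kept a refund right from a temporary assignment: permission creep
    {"user": "bob", "role": "cashier", "shared": False,
     "grants": {"pos:read", "pos:sale", "pos:refund"}, "last_review": date(2015, 4, 1)},
    # carol's grants fit her role, but nobody has revalidated them recently
    {"user": "carol", "role": "store-manager", "shared": False,
     "grants": {"pos:read", "pos:sale", "pos:refund", "reports:read"},
     "last_review": date(2014, 9, 1)},
    # a generic login used by several people: its activity is not traceable
    {"user": "shared-register", "role": "cashier", "shared": True,
     "grants": {"pos:read", "pos:sale"}, "last_review": date(2015, 4, 1)},
]

REVIEW_DATE = date(2015, 5, 1)        # constructed "today" for the check
MAX_REVIEW_AGE = timedelta(days=180)  # assumed revalidation window


def revalidate(accounts, roles, today, max_age=MAX_REVIEW_AGE):
    """Return (user, finding, details) for every shared account, every grant
    outside the account's role, and every review older than max_age."""
    findings = []
    for acct in accounts:
        allowed = roles.get(acct["role"], set())   # unknown role allows nothing
        excess = acct["grants"] - allowed
        if excess:
            findings.append((acct["user"], "excess_grants", sorted(excess)))
        if acct["shared"]:
            findings.append((acct["user"], "shared_account", []))
        if today - acct["last_review"] > max_age:
            findings.append((acct["user"], "stale_review",
                             [acct["last_review"].isoformat()]))
    return findings


def run_check():
    """Run the revalidation over the constructed inventory."""
    return revalidate(ACCOUNTS, ROLE_ENTITLEMENTS, REVIEW_DATE)
```

Each finding maps back to one of the three verbs: a shared account to "reduce", an excess grant to "restrict", and a stale review to "revalidate", which is how the output would feed a periodic access-review ticket.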
For the in-depth discussion and tips and tricks on keeping up with PCI DSS Compliance, view the on-demand webinar now.