The latest revision to PCI DSS, PCI 3.2, provides specific security guidance on the handling, processing, transmission and storage of credit card data. PCI 3.2 presents an opportunity for retail, healthcare, finance and hospitality organizations to minimize the theft, exposure and leakage of their customers’ personal and financial credit information by strengthening weak security controls. For example, PCI 3.2 has provisions for two-factor authentication, preventing weak passwords and restricting access to cardholder data. Despite the benefits, compliance with PCI 3.2 is not without its challenges.
A lot of time and effort is often required to attain compliance, and as a result, some organizations focus on passing the PCI audit and proving compliance at that point in time. Over time, however, configuration changes push the environment out of compliance, making those environments less secure and increasing cybersecurity risk. The result is that, the next time around, even more effort, time and resources must be expended to achieve compliance.
Even when compliance with PCI DSS is achieved, it is easy to be lulled into a false sense of security, thinking that simply being compliant results in a secure environment. This is when systems can “drift” out of compliance, even though at a particular point in time the organization may have undergone third-party penetration testing and vulnerability assessments and passed an audit. The PCI Security Standards Council states that “to ensure security controls continue to be properly implemented, PCI DSS should be implemented into BAU (business as usual) activities as part of an entity’s overall security strategy.” BAU translates into continuous compliance, every day.
Technical Skills Gap
Organizations are challenged with complying with PCI 3.2 and mitigating growing cybersecurity risks while grappling with the technical skills gap: the difficulty of hiring, training and retaining cybersecurity talent. The lack of adequate resources to achieve compliance causes organizations to adopt a check-box mentality, passing each PCI compliance audit and then simply returning to business as usual after the administrative scramble. This leads to configuration drift and increased cybersecurity risk.
Rather than a point-in-time approach to PCI compliance, it is important that organizations take the approach of continuous compliance, leveraging PCI not just for compliance purposes but as a means of improving security posture. Continuous compliance lowers the cost of staying in compliance, improves your security posture and reduces risk in your environment.

Tripwire ExpertOps can help you address the challenges of adhering to PCI while ensuring continuous compliance. ExpertOps is a managed service that delivers the industry’s best file integrity monitoring (FIM) and configuration management solution, combined with personalized consulting to address your particular business needs and compliance goals. Your designated expert will help you ensure that all your critical assets (file systems, databases and POS devices) are in compliance with PCI, not just at a point in time but continuously, so that configuration changes in your environment don’t affect your compliance and security posture. ExpertOps also provides customized and actionable reports that refine FIM results and support you during audits, so that configuration drift is caught and audits are not tedious. Finally, because compliance does not necessarily mean that your environment is secure, your designated Tripwire expert will act as an extension of your team, providing recommendations to improve your security posture and ensuring that the latest patches are deployed. Learn more about Tripwire ExpertOps here.