It may have started as a guideline for protection of credit-card information, but the payment card industry’s PCI DSS (Payment Card Industry Data Security Standard) is rapidly gaining a following across other industries as a more general framework for data security.
That following has seen PCI DSS QSAs (qualified security assessors) called in by companies that want to store data other than payment-card data but recognise that the standard – which was updated in September to v3.2 and took effect this month, adding technological prescriptions around multi-factor authentication and penetration testing – represents best practice for reviewing and protecting a company’s data assets.
Whereas many security practitioners have focused on using technological controls to protect whatever types of data an organisation is collecting, PCI DSS is built around the idea of minimising the amount of data that is stored in the first place.
This represents a challenge for many companies, Trustwave Asia-Pacific director of compliance and risk services Raymond Simpson told CSO Australia, but it also helps them refocus their security efforts in a way that is proving extremely useful for them.
“We find that many new clients still tend to want to hold onto much more data than needed,” Simpson said. “But companies need to understand that with any data you hold onto, there will be additional scrutiny and requirements to meet industry regulation and data protection laws – so it’s best practice to not hold onto anything that you don’t need.”
“The worst-case scenario is to hold onto the data.”
Simpson, a QSA with more than 10 years’ experience in PCI DSS audits, said a growing number of companies had engaged with cloud providers – who are themselves actively pursuing PCI DSS and other security certifications in Australia and outside of it – to leverage their often more-substantial investments in security process and technology.
This approach meant that businesses declining to get rid of data altogether can still gain compliant data protection without making the “massive investment in meeting the intent of the standard”, Simpson said.
Yet relying on third parties was not enough in itself to ensure compliance: businesses needed to retain responsibility for their data no matter where it was housed. In this respect, efforts around PCI DSS were particularly paying off for smaller businesses “that may not have the [security] knowledge internally,” Simpson said. “It gives them the framework to implement some really good security.”
“People often want to refer to PCI DSS as best practice,” he continued, “but I think it’s actually essential practice. It hasn’t necessarily honed in on any specific threat, but it provides the framework for the management of the risks to an appropriate degree. If you’re not doing the things that are in the PCI standard, something may be wrong with the way you’re addressing information security.”
Compliance requires much more than ticking the boxes, however: a recent audit of PCI DSS compliance by Verizon found that only 28.6 percent of companies were still fully compliant with PCI DSS a year after they had been certified as compliant. This was up from 7.5 percent in 2012, but still well behind the ideal.
Testing of security systems, Verizon found, was a particularly difficult area in which to achieve compliance, and it was the only one of the 12 PCI DSS domains where compliance failed to increase over the audit period. This had been addressed in PCI DSS 3.2, which imposes new security requirements around detection and reporting practices, architecture documentation, penetration testing practices, cardholder protection, and other areas (Gartner has published a rundown of the changes and their implications).
Recertification – both in maintaining compliance to a certified level, and in adjusting processes to accommodate new versions of PCI DSS such as the current jump to v3.2 – remained a tricky issue for many companies, Simpson agreed.
Growing governance requirements, and pressure from all directions to improve the protection of corporate data, had reduced tolerance for companies that failed to conduct adequate testing and tweaking of their policies to ensure ongoing compliance.
“We’ve had a few instances in the region where companies haven’t maintained compliance and then had a few issues recertifying,” Simpson said. “It’s not something where they can just wheedle their way out of it anymore; it is more firm than in the past.”
Breach-notification laws – which are in effect in the US and other countries but have been proceeding at a snail’s pace through the machinery of Australia’s Parliament – had proven to be a significant motivator for companies to become PCI DSS compliant and to stay that way.
“The industry is really maturing,” Simpson said, “and the breach notification is probably the stick. It’s driving companies to a whole new level in terms of investing in information security, by virtue of the reputational impact in terms of disclosing breaches. And that has a positive effect on the market.”