Sep 26, 2018
Once they’ve achieved PCI DSS compliance, many companies see that as a box ticked that they don’t need to think about for another 12 months. But PCI standards should be adhered to 24/7/365 – when you’re handling customers’ personal details, you need to do so securely all the time, not just during your compliance assessment. Worryingly, Verizon’s 2015 PCI Compliance Report found that 80% of companies failed an interim compliance assessment. And tellingly, in the 10 years they’ve been producing this report, 0 organisations which have been breached were fully compliant with PCI DSS at the time they suffered the breach.It’s clear that sustaining PCI DSS compliance is a critical part of protecting your data. So today I’m looking at 4 ways to make it easier to sustain PCI compliance year-round.
1) Stay up to Date With Standards
The security landscape is constantly changing, with new threats and vulnerabilities emerging all the time. As such, security best practices and compliance standards are regularly reviewed and updated to ensure they are up to date. This means that the standards you adhered to twelve months ago may not all still be applicable. It’s up to you and your security team to keep up with changing security requirements, to make sure you don’t fall out of compliance by mistake, simply due to having outdated information about the requirements.
2) Create a Culture of Security
The best thing you can do to maintain PCI compliance year-round is to make it a part of your company’s culture – and this is something that needs to be implemented from the top-down. It’s vital that your developers and security team alike see that security is a company-wide priority, and something that is of particular concern to your company’s senior executives. Traditionally, developers are judged on the functionality and reliability of their code, and so it’s easy for security practices to end up taking a backseat during the development process. But by revising the standards your developers’ work is judged against, to make security more of a priority, you will take huge strides to becoming consistently compliant with PCI standards.
3) Secure the SDLC
Most of the vulnerabilities that make it into finished applications and pose a risk to your company’s compliance can be detected and remediated early-on in the software development lifecycle. Many of these vulnerabilities can be prevented by providing your developers with language- and role-specific training, teaching them the tenets of defensive coding that they can put into practice every day.
4) Security Software Training
Static and dynamic testing tools can both be huge assets in the fight for improved compliance and application security – but only if they’re used effectively. Patching, maintaining and monitoring key systems is critical for achieving sustainable compliance, and has the additional benefit of allowing you to spot breaches sooner, so the business cost of a data breach is lower than it would be if it were identified later.It’s essential to train your software engineers to use security software properly, in order to prevent these expensive investments from sitting unused and gathering dust. Being able to use security software properly will allow your engineers to weed out false positive results, and identify the real threats to your compliance.