Compliance in Christmas

With Christmas just around the corner, this is one of the busiest times of the year for many businesses, and particularly PCI DSS compliant organisations. It will be of no surprise to anyone that the number of card transactions being processed at this time of year increases dramatically. 

With the increase in the volume of transactions and all the seasonal distractions, how do businesses ensure they stay compliant? Well, maybe this blog can help you keep non-compliance as a ghost of Christmas Past!

First and foremost, don’t schedule any significant changes to occur during or just before this busy period. This should be standard business practice anyway (a change freeze over peak trading), but it becomes even more pertinent for a PCI DSS compliant environment.  

The PCI DSS mandates a myriad of time and resource-intensive activities following any significant change.  Activities such as re-evaluating the scope, checking the applicability of all requirements, re-running internal and external vulnerability scans and updating documentation (network and data-flow diagrams included) are not things you want to be doing when you are at your busiest. It is also worth bearing in mind that something which may be a small change in relation to your business or infrastructure could in fact represent a significant change for your PCI DSS scope: a new payment channel, a change to segmentation controls or a new connection into the cardholder data environment all count, however quick they were to implement.

The PCI DSS has many requirements that mandate regular activities such as firewall rule-set reviews, staff training, vulnerability scanning and penetration testing, amongst others. These activities all have different frequencies, ranging from annual, through six-monthly and quarterly, to weekly or daily.  It may seem obvious, but plan your annual, six-monthly and quarterly activities to avoid the festive period.  You really don’t want to arrange a penetration test during the busiest month of the year and then find some critical system being disrupted, nor do you want a quarterly ASV scan deadline falling in the one week when nobody is available to remediate the findings.

But what about your monthly and weekly activities (e.g. file integrity checks), and even your daily activities (e.g. log reviews)? I hear you asking.  Well, this is where automation can be your yuletide saviour.  Almost all the tasks that need to be undertaken more frequently than quarterly would be far too labour intensive if conducted manually at any time of the year. This is where products and services can assist.  Most vulnerability scanners, for example, can be scheduled to scan at certain times, SIEM tools can parse and review logs in real time, and some can also perform the weekly file integrity checks.  Relying on human participation for these sorts of activities is fraught with difficulty and absent-mindedness (especially when people are rushed off their feet and stuffed with turkey!). One caveat: automation removes the repetition, not the responsibility. The scan results, integrity alerts and log-review exceptions still have to be looked at and acted on by a named person, and you need evidence that this happened, because an alert that nobody read is no better than a check that was never run.
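To make the "weekly file integrity check" concrete, here is a minimal change-detection script added as an illustration; it is not code from the original post or from any vendor's FIM product. It baselines a directory tree with SHA-256, stores the baseline as JSON, and on the next run reports what has been added, removed or modified. The directory layout, file names and the JSON baseline format are all assumptions made for the example; the sample files are constructed inside a temporary directory so the script runs offline.

```python
"""Minimal file-integrity check: baseline a directory tree with SHA-256
and report what has been added, removed or modified since the baseline.
Example code added for illustration; not from the original post or from
any vendor's FIM product. Paths and the JSON baseline format are assumptions."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (POSIX-style relative path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.is_symlink():
                continue  # hash only real files, not whatever a link points at
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def save_baseline(baseline: dict, dest: Path) -> None:
    """Persist the baseline; in practice this lives somewhere the monitored host cannot rewrite."""
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Return sorted lists of added / removed / modified relative paths."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed sample: a fake config tree is baselined, then tampered with.
    Returns the comparison result so it can be checked programmatically."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "app").mkdir(parents=True)
        (root / "app" / "firewall.conf").write_text("allow 10.0.0.0/8\n")
        (root / "app" / "tokenizer.ini").write_text("mode=tokenize\n")
        (root / "motd").write_text("authorised users only\n")

        baseline_file = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), baseline_file)

        # Simulated changes between the baseline and the weekly check
        (root / "app" / "firewall.conf").write_text("allow 0.0.0.0/0\n")  # modified
        (root / "app" / "debug.sh").write_text("set -x\n")                 # added
        (root / "motd").unlink()                                           # removed

        return compare(load_baseline(baseline_file), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

Scheduling it weekly is the easy part (a cron entry or a scheduled task). The two things that matter for a compliant deployment are where the baseline lives and who reads the output: if the baseline sits on the same host with the same permissions as the monitored files, an attacker who changes a file can simply re-baseline, and if the report goes to a mailbox nobody checks over the holidays, the control exists on paper only.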

All of this leads back to an approach that the PCI Security Standards Council has been advocating for some years now, i.e. PCI DSS should be part of your business-as-usual processes. Taking steps to integrate compliance with everything you do, as a matter of course, can have real long-term benefits: a change freeze, a scheduled scan or a weekly integrity report is far less painful when it is already part of how you operate than when it is bolted on in December. As the saying goes, ‘Compliance is not just for Christmas’.

Merry Christmas everyone….. from your friendly neighbourhood QSA.