PCI DSS compliance as BAU (business as usual)

Alastair Stewart
Senior Consultant at URM
5 Aug

Table of Contents

For an organisation to achieve and maintain compliance to the Payment Card Industry Data Security Standard (PCI DSS), the Payment Card Industry Security Standard Council (PCI SSC) encourages organisations to implement security into it business as usual (BAU) processes.

From URM’s own experience, this is particularly true for organisations where payment systems and processes are complex or if there are small teams responsible for a large quantity of PCI DSS requirements.

Embedding the security requirements from PCI DSS into BAU processes reduces the ‘last-minute headaches’ of collecting and collating evidence prior to the annual PCI DSS assessment.

This aids the business to monitor the effectiveness of their security controls on an ongoing basis and to maintain their PCI DSS compliant environment in between PCI DSS assessments.

The 5 areas where URM sees organisations failing to implement PCI DSS requirements into their BAU process:

1. Evaluate changes to the environment prior to completion of the change.

  • Including the addition of new systems, changes in system or network configurations and changes in personnel
  • Determining the potential impact to PCI DSS scope
  • Identifying PCI DSS requirements applicable to systems and networks affected by the changes
  • Updating the PCI DSS scope and implementing security controls as appropriate

2. Any changes to organisational structure should result in a formal review to determine if the PCI DSS scope has been affected.

  • Many companies go through mergers and/or acquisitions that may have a fundamental impact on the original PCI DSS scope

3. Making sure that all failures in security protocols are detected and investigated.

  • Addressing the security issue caused by failure of the control
  • Root cause analysis of the reason of failure.
  • Implementing mitigating controls to prevent future occurrences
  • Monitoring the mitigating control, potentially with enhanced monitoring for a period of time, to verify the control is operating efficiently

4. Regularly assess hardware and software technologies to confirm that they continue to be covered by the vendor and can meet the organisation’s PCI DSS requirements.

  • Hardware and software vendors provide ample time for organisations to prepare for such events.  Preparation can include upgrading the technology, creating a remediation plan or even replacement of the technology as necessary.

5. Continuous monitoring of security controls

  • It is vital to the organisation’s security strategy to ensure the following security systems are operating effectively and as intended, including:
    – Firewalls
    – Intrusion-detection systems/intrusion-prevention systems (IDS/IPS)
    – File-integrity monitoring (FIM)
    – Anti-virus (AV)
Alastair Stewart
Senior Consultant at URM
Alastair is one of the most experienced and proficient Payment Card Industry Qualified Security Assessors (PCI QSAs) in the UK. He has completed in excess of one hundred successful reports on compliance (RoCs) against different PCI DSS versions along with supporting the completion of self-assessment questionnaires (SAQs).
Read more

Are you looking for a PCI QSA?

As a long-established PCI QSA, URM is able to deliver a full PCI QSA-led audit and produce a report on compliance (RoC) as well as deliver a full QSA-led self-assessment questionnaire (SAQ)
Thumbnail of the Blog Illustration
Information Security
Published on
Pros and Cons of Delaying Your PCI DSS v4.0 Transition

Transitioning to PCI DSS v4.0 sooner rather than later has its advantages and disadvantages, in this article URM explores both sides of the argument.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
PCI SSC Remote Assessment Guidelines and Procedures

We address a number of key questions: What are the Main Contents? What Led to it Being Published? And others.

Read more
Thumbnail of the Blog Illustration
Information Security
Published on
PCI DSS Gap Analysis

URM’s PCI DSS gap analysis service is aimed at those organisations which are looking to benchmark....

Read more
Moving from our existing Pen Testers after 10 years was a difficult decision but I am really glad we did. It's been a pleasure working with you. The Pen Testing was extremely thorough and as hoped you were open to a collaborative deeper delve, far beyond what we were required to do for PCI DSS, which has been very useful.
Payment Service Provider
contact US

Let us help you

Let us help you in your compliance journey by completing the form and letting us know how we can best support you.