Australian Cyber Security Magazine, ISSUE 9, 2019

Page 34

Cover Feature Cyber Security

Three things that will simplify and streamline PCI Compliance… and those dreaded audits

By Rob van Es

Over the past 15 years, the Payment Card Industry Data Security Standard (PCI DSS) has evolved, grown, and set increasingly high standards for every company involved in payments. PCI DSS is a global standard designed to ensure that all companies maintain a secure environment when accepting, processing, storing, or transmitting credit card information. When we work with enterprises in the financial industry to identify their high-value assets (their ‘crown jewels’), PCI compliance features highly and is always a top priority. But like all rules, regulations, and compliance regimes, it needs to be enforced to be effective. Enforcing PCI compliance falls to a few different parties, namely the credit card brands, their acquiring banks, and retailers.

PCI compliance around the globe

On a global scale, however, we have seen different reactions and adoption rates depending on the country in question. In the US, for example, companies have been subject to rigid enforcement of PCI DSS and so have been quick to adopt it, while here in Australia organisations are finding it ‘too hard’ and are also failing to maintain compliance once it has been achieved. This has implications for Australian companies exchanging financial data with US-based companies, as they have some catching up to do before they can migrate or expand their business operations. It also means that from time to time those responsible for enforcing compliance have no choice but to come down hard on organisations found to be non-compliant, partly as a show of force but also out of practicality. Australian cybersecurity professionals are all too familiar with this inconsistent approach, and it has left many scrambling to achieve, and maintain, compliance. Falling behind could mean a card brand issuing warnings to local Australian banking and financial institutions, which would have to be taken very seriously. So what are we waiting for? Where do we start?

Tick these three boxes to get you on your way

Well, for those who find themselves suddenly more focused on PCI and the associated audits (through changing or expanding business plans, increased enforcement from regulators, and the like), one of the first things to do is to look at what is being done elsewhere and adopt those best practices. At a high level, these three things are needed for a quick, streamlined, and inexpensive audit:

1. Scoping and mapping out your data is crucial

Protecting cardholder data in today's dynamic data environments is difficult given the interconnectedness of flat networks and the sharing of data, both internally and externally. The first step is to scope, or what I refer to as ‘right scoping’, which simply means you need to identify where this cardholder data is stored and processed (i.e. the cardholder data environment, or CDE). This first step is fundamental, but it can also be difficult

