Recently Computer World published what’s most likely the very best article dealing with PCI Compliance. Not so much what it entails to be compliant, but what it takes to remain compliant.
PCI compliance is Zen-like. It’s hard to determine, and even when a letter declares a company PCI-compliant, that declaration can always be retroactively reversed later – such as if you’re breached. Yes, when you most need to be able to say that you are PCI-compliant is when it’s taken away.
The issue with PCI compliance is that the business network and the business environment are constantly changing and evolving. There are 12 requirements in the PCI DSS, and to be compliant, every one of them must be met all of the time, not just on the day of the assessment. A few of them are relatively static; most depend on the current state of the network and of the people who run it.
Let’s take requirement No. 1: Install and maintain a firewall configuration to protect cardholder data. Your PCI specialist installs and configures a firewall. Once it has been configured properly, you’ve met the first requirement, right? Well, sort of. Assuming the firmware is current, nothing changes in the network environment, and the rule set is reviewed on the schedule the standard calls for (at least every six months), the answer would be Yes, you’ve met the requirement. Add a rule for a new vendor connection and forget to document it, and you haven’t.
Let’s go down to requirement No. 11: Regularly test security systems and processes. Inside this requirement is 11.1, which requires that you test for wireless access points on a quarterly basis and keep an up-to-date inventory of the authorized ones; more broadly, the standard requires an inventory of every in-scope system component (Requirement 2.4 in PCI DSS 3.x) on the “protected” or POS network. This is the network that handles all credit card transactions (your guest wi-fi, or any other network, should NEVER share a subnet with your POS traffic; without that segmentation, everything on the shared network is in scope for the assessment). You just replaced or added a POS terminal. Did you log it in the inventory, including the model and serial number? If the answer is No, then you’re not compliant.
On that very same replacement terminal, you need to make sure that you have met requirements 5 and 6: Use and regularly update antivirus software; Develop and maintain secure systems and applications. If you’ve added a location on the network for this terminal, the network diagram also needs to be updated.
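The inventory check above is one a small script can run on a schedule. The example below is added here and is not code from the original article or from PCMDX: it reconciles a constructed device inventory (MAC, model, serial) against a constructed `ip neigh`-style neighbor table taken from the POS router, reports any device seen on the POS subnet that is not in the inventory (the un-logged replacement terminal), lists inventory entries that were not seen (possibly removed, or simply powered off, so they need a follow-up rather than an automatic “non-compliant”), and checks that the guest and POS subnets do not overlap. The subnet addresses, MACs, serials and model names are all assumptions made up for the example.

```python
"""Reconcile the in-scope device inventory against the devices actually
present on the POS subnet.  All data below is constructed for the example."""
import csv
import io
import ipaddress
import re

# Constructed inventory, as a site might keep it: one row per in-scope device.
INVENTORY_CSV = """mac,model,serial,location
00:11:22:33:44:01,Verifone MX915,SN-10001,Register 1
00:11:22:33:44:02,Verifone MX915,SN-10002,Register 2
00:11:22:33:44:10,Dell R240,SN-SRV-01,Back office POS server
"""

# Constructed `ip neigh` output from the POS router.  Register 2's terminal
# (…44:02) was swapped for a new unit (…44:03) that nobody logged.
ARP_TABLE = """10.10.5.1 dev eth1 lladdr 00:11:22:33:44:ff REACHABLE
10.10.5.21 dev eth1 lladdr 00:11:22:33:44:01 REACHABLE
10.10.5.22 dev eth1 lladdr 00:11:22:33:44:03 REACHABLE
10.10.5.50 dev eth1 lladdr 00:11:22:33:44:10 STALE
192.168.1.77 dev eth2 lladdr aa:bb:cc:dd:ee:ff REACHABLE
"""

POS_SUBNET = ipaddress.ip_network("10.10.5.0/24")      # assumed
GUEST_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # assumed
GATEWAY_MAC = "00:11:22:33:44:ff"  # the router itself; tracked elsewhere

NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f:]{17})", re.I)


def load_inventory(text):
    """Map lower-cased MAC -> inventory row."""
    return {row["mac"].lower(): row for row in csv.DictReader(io.StringIO(text))}


def parse_neighbors(text):
    """Map lower-cased MAC -> IP address from `ip neigh`-style lines."""
    seen = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            ip, _iface, mac = m.groups()
            seen[mac.lower()] = ipaddress.ip_address(ip)
    return seen


def reconcile(inventory, neighbors, pos_subnet, ignore=()):
    """Return (unregistered, unseen): MACs on the POS subnet that are not in the
    inventory, and inventory MACs not currently observed on that subnet."""
    on_pos = {mac: ip for mac, ip in neighbors.items()
              if ip in pos_subnet and mac not in ignore}
    unregistered = sorted(mac for mac in on_pos if mac not in inventory)
    unseen = sorted(mac for mac in inventory if mac not in on_pos)
    return unregistered, unseen


def subnets_isolated(a, b):
    """True when the two networks share no address range."""
    return not a.overlaps(b)


def run_check():
    inv = load_inventory(INVENTORY_CSV)
    neighbors = parse_neighbors(ARP_TABLE)
    unregistered, unseen = reconcile(inv, neighbors, POS_SUBNET, ignore={GATEWAY_MAC})
    return {
        "unregistered": unregistered,           # not compliant until logged
        "unseen": unseen,                       # verify: removed or just offline?
        "segmented": subnets_isolated(POS_SUBNET, GUEST_SUBNET),
    }


if __name__ == "__main__":
    for key, value in run_check().items():
        print(f"{key}: {value}")
```

Run it from the POS router (or feed it a saved neighbor table) after every hardware change and on the quarterly review; the `unregistered` list is the one that must be empty before you can say the inventory is current.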
Now let’s move on to the human factor in being compliant. Each individual who handles credit cards must be trained in the methods of handling cards safely and securely, which is part of requirement 12: Maintain a policy that addresses information security for all personnel. If you’ve hired a new employee, they must first be trained and must sign an acknowledgement that they’ve been trained. A copy of the signature page must go in their employee file.
The article in Computer World makes some outstanding points. First, you’re only compliant on the date that you last checked and updated (successfully) the requirements:
The reason why compliance is tied to the date the assessment was wrapped is that, in theory, any change at all to anything on the network could make that merchant noncompliant. I get that. It makes sense. But what good is PCI compliance if a retailer never knows if it is compliant?
This is where PCMDX comes in. We take it off your shoulders and put it on ours. We let you worry about the prime purpose of your business, and we take care of the things that we’re good at: Keeping you compliant.
Furthermore, as the article states, it’s the human factor that makes you (and keeps you) compliant:
But it (software) can’t track PCI compliance — which is a human-dictated state — any more than it can declare a system “secure.”
PCMDX is the only company in our service area (Alabama, Mississippi, Western Tennessee, Florida Panhandle) that creates a plan for your company to become, and remain, PCI Compliant. We will visit your site, examine your existing network, create a plan to make your network compliant, implement the plan, and then keep it maintained on a regular schedule.
Contact us today for a free, no-obligation consultation. You’ll be glad you did.