It is cliché but true, as Abraham Maslow said, “I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail.” When dealing with day-to-day operational security, many organizations implement compliance-focused processes. In the payment card industry space, this is addressed as “business-as-usual” processes. For example, daily log reviews, user access requests, change control processes: compliance tasks that must be performed to achieve a desired outcome. Teams and organizations spend an inordinate amount of time performing these tasks to achieve and maintain compliance.
This is not the answer to the overall objective of protecting cardholder data and payment instruments, such as tokens.
Ultimately, PCI compliance is a “race to the bottom” and is only a minimum standard of security technology, processes, and principles. Prescriptive compliance is meant to be the lowest common denominator between organizations to achieve and maintain compliance. It levels the playing field for organizations of any size to meet their obligation to protecting data. It is the barest acceptable minimum.
Is this what is best for the organization? Does this adequately address the risk to payment card transactions and cardholder data?
The answer to those questions varies between teams and organizations. In many organizations that I have assessed and audited, executive management will have a different answer than mid-level managers and other employees. The desired outcomes may be similar: protect the business, protect the customer, reduce fraud and financial loss, etc. Every organization seeks those same outcomes, but the path each follows can vary. Factors such as size, complexity, team composition, technology in use, and budgetary constraints can all affect how an entity determines what is best and how to address risk to cardholder data.
How do we do that? If compliance is not the answer, what is?
A comprehensive data security program that appropriately identifies, analyzes, and treats risk. The controls present in the PCI DSS are prescriptive, and those controls can complement the organization's risk treatment. The controls in the Data Security Standard are the baseline security controls for risk treatment. Companies should look beyond required compliance and focus on how compliance works in tandem with protecting the confidentiality, integrity, and availability of cardholder data and associated processes. Expand, go above and beyond the requirements, and improve the overall security posture in the environment.
Organizations should implement an overarching security program that addresses compliance as well as the residual risk that remains after the PCI DSS controls are in place. Risk should be prioritized to meet the overall security objectives of the organization. Multiple frameworks can, and should, be used to meet the desired outcomes, such as ISO or the NIST Cybersecurity Framework. These frameworks can be customized and expanded to enable an organization to build security processes that mitigate risk, increase agility, and allow for scalable growth as the organization evolves.
Compliance, by itself, is not the answer that companies are looking for.
As organizations mature, the outcomes required to appropriately, not only adequately, protect data will change. Regulatory and legal requirements will evolve. In 2019, 25 states had data privacy bills introduced or filed. A security program that addresses the compliance requirements is a must; if not, the organization will suffer increased risk due to an inability to respond to change. Protection of data of all types, including privacy-related data and data elements, can only scale if the controlling organization has a plan, a program, a framework, to protect it.
Jason Likert is a Managing Consultant at SecureTrust, where Jason leads a team of information security professionals and oversees the execution of security audits, PCI compliance assessment, and other professional services engagements. Jason has been involved in the payment ecosystem as a consultant, auditor and assessor since 2005.
Prior to SecureTrust, he served eight years in the US Air Force and was Director of IT at large e-commerce and healthcare organizations. Jason holds the QSA, Certified ISO 27001 Lead Implementer, and Certified ISO 27001 Lead Auditor certifications.