PCI is an ongoing process.
PCI is an ongoing process. In my experience, the biggest reasons companies fail their PCI compliance after passing the previous year is due to not staying on top of the ongoing processes required to maintain PCI compliance. 95% of the time, a failing report the following year comes down to a lack of the following:
- 4 quarters of passing internal vulnerability scans.
- 4 quarters of passing external vulnerability scans.
- Performing a review of firewall rule sets at least once every 6 months.
- Internal & external pen-tests that have critical vulnerability findings that are not remediated/re-tested.
When that time of year for a company’s PCI assessment rolls around, it’s simple enough to run a script on systems, output firewall ACL’s, collect sample logs, etc. Also, many third-party PCI vendors have a set it and forget it approach (IE: Configuring your SIEM to retain logs for at least 365 days). However, the items mentioned above cannot be done one time a year, with the exception of the pen-tests, assuming there have not been major changes to the network and you are a merchant (service providers must now conduct pen-tests twice a year). I have seen numerous clients whose passing or failing of their PCI assessment comes down to 1 missing/failing scan. PCI is very binary, you pass or you fail. If you fail one control, you fail the assessment.
Many times, the reason clients did not have their scans or reviews was because the person in charge of running them throughout the year left the company, and did not let anyone know where they were. Imagine, you fail not because you have not been doing something, but because you cannot find the documentation! For all companies, I highly recommend that whomever you place in charge of scans (or any task) uploads all documentation to a centralized portal/file-server. That way if they leave, you can still provide the scans/evidence to your QSA.
If you are interested in PCI or any cybersecurity framework consulting, please reach out to us at [email protected]
Author: R. Scott Pierangelo
Silent Storm Security Founding Partner| MSCS, PMP, CISSP, CISA, CISM, CRISC, CGEIT, QSA, PCIP