Three things that will simplify and streamline PCI Compliance…and those dreaded audits


By Rob van Es

Over the past 15 years, the Payment Card Industry Data Security Standard (PCI DSS) has evolved, grown, and put forth increasingly high standards for every company involved in payments. PCI DSS is a global standard that requires every organisation accepting, processing, storing, or transmitting cardholder data to maintain a secure environment for it.

When we work with enterprises in the financial industry to identify their high-value assets (their ‘crown jewels’), PCI compliance factors in highly and is always a top priority. But like all rules, regulations, and compliance obligations, it needs to be enforced to be effective. Enforcing PCI compliance falls to the card brands and the acquiring banks, which pass the obligations down to merchants and service providers through their contracts.

PCI compliance around the globe

However, on a global scale, we’ve seen different reactions and adoption rates depending on the country in question. In the US, for example, companies have been subject to rigid enforcement of PCI DSS and so have been quick to adopt it, while here in Australia organisations are finding it ‘too hard’ and are also failing to maintain compliance once it has been achieved.

This has implications for those Australian companies exchanging financial data with American-based companies as they have some catching up to do before they can migrate or expand their business operations. It also means that from time to time, those responsible for enforcing compliance have no choice but to come down hard on organisations that are found to be non-compliant – in a show of force, but also out of practicality.

Australian cybersecurity professionals are all too familiar with this inconsistent approach and it has left many scrambling to achieve – and maintain – compliance. Falling behind could mean that a credit card company could issue warnings to local Australian banking and financial institutions, which would have to be taken very seriously. So what are we waiting for? Where do we start?

Tick these three boxes to get you on your way

Well, for those who are finding themselves suddenly more focused on PCI and associated audits (through changing or expanding business plans, increased enforcement from regulators, and the like), one of the first things to do is to look at what is being done elsewhere and adopt those best practices. At a high level, three things are needed for a quick, streamlined, and inexpensive audit:

  1. Scoping and mapping out your data is crucial
    Protecting cardholder data in today’s dynamic data environments is difficult given the interconnectedness of flat networks and the sharing of data – both internally and externally. The first step is to scope – or what I refer to as ‘right scoping’ – which simply means identifying where cardholder data is stored, processed, and transmitted (i.e. the cardholder data environment or CDE). Bear in mind that systems which connect to the CDE, or could affect its security, are also in scope even if they never touch card data themselves.
    This first step is fundamental, but it can also be difficult to get right. The reason is that an organisation can’t scope what it can’t see, so (visually) mapping out applications and how they are connected within the network, as well as what they interact with outside of the network, is imperative and the necessary foundation to move forward.
    However, once you have that map, you can easily run into a classic “Goldilocks dilemma” – is it not enough or perhaps too much? On the one hand, if you put the scope too broad, it will increase audit obligations as well as overhead. For large organisations with complex environments, this can become incredibly burdensome in terms of time, resources, and manpower.
    On the other hand, if the scope is too narrow, an auditor will start asking difficult questions to prove that your environment is compliant and properly protected. This is also a situation that no organisation wants to be in so how can you get it ‘just right’?
  2. Enforcing the boundary with segmentation is key
    Once the map of your CDE and its boundaries has been established, it’s absolutely critical that you enforce it, and segmentation has become one of the best ways to do so (when done right!). Traditional approaches focus on segmenting the network, but this approach is difficult, error-prone, and expensive. Why? Because networks are about reliably connecting things – whereas segmentation is about reliably isolating things. Just because the network can deliver a packet doesn’t mean it should.
    From my perspective, the answer is to decouple security segmentation from the network, which frees security from the limitations of the underlying infrastructure (i.e. the network) to enforce security policies closest to what is being secured (i.e. the application). It enables you to protect applications wherever they run because they do not live exclusively on networks anymore, and enforcement must go wherever they do.
    So, when you decouple in this fashion, you limit the spread of a breach by enforcing policies that state explicitly which workloads are allowed to connect to which, and by using host-level firewalling so that anything not on that list never connects. Note that PCI DSS does not take the boundary on trust: where segmentation is used to reduce scope, the segmentation controls must be penetration-tested at least annually (and at least every six months for service providers) to confirm that the isolation actually holds.
  3. Providing visibility and transparency makes everyone’s life easier
    Most PCI audits begin with the auditor trying to understand the data flow. Where is PCI data held and how does it move within the environment from application to application? What about from workload to workload? This is what dictates the “scope” referred to above.
    An auditor will expect you to validate the scope but then also prove that it’s correctly enforced (i.e. that the boundary is protected). It’s also important to note that auditors are human beings and they don’t have an infinite amount of time to do their jobs so if you hand over a subpar map or scope, it won’t make their job any easier – in fact, it’ll make the whole process harder for all parties involved.
    Visualisations and logs of traffic that was permitted or denied go a long way not just to prove compliance, but to do so in a way that requires very little investigation by the auditor. Keep the denied-connection logs as well as the permitted ones: a record of blocked attempts into the CDE is the evidence that the boundary is enforced, not merely documented. It’s a win-win for everyone.
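To make the three steps concrete, here is an added example (not Illumio’s code, the author’s, or any product’s): a label-based allow-list policy for a hypothetical CDE, a scope calculation that pulls in the ‘connected-to’ workloads, and an evaluation of constructed flow records that produces the permitted/denied log an assessor would ask for. Every IP address, role label, rule and flow record below is constructed for illustration; in a real deployment the rules would be pushed into each host’s firewall (nftables, Windows Firewall, or an agent) and the flow records would come from that firewall’s logging.

```python
"""Label-based segmentation policy evaluated against flow records.

Added example. The workload inventory, policy rules and flow records are
all constructed for illustration and do not describe a real environment.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# --- Constructed inventory: IP -> labels. 'cde' marks workloads that store,
# process or transmit cardholder data. ---
WORKLOADS: Dict[str, Dict[str, object]] = {
    "10.0.1.10": {"role": "web",       "cde": True},
    "10.0.2.20": {"role": "app",       "cde": True},
    "10.0.3.30": {"role": "db",        "cde": True},
    "10.0.9.90": {"role": "jumphost",  "cde": False},
    "10.0.9.91": {"role": "marketing", "cde": False},
}

# Allow-list keyed on labels, not addresses: (src role, dst role, dst port, proto).
# Anything not listed is denied. This default-deny posture is what lets a
# host-level firewall, rather than the network topology, define the boundary.
Rule = Tuple[str, str, int, str]
POLICY: List[Rule] = [
    ("web", "app", 8443, "tcp"),
    ("app", "db", 5432, "tcp"),
    ("jumphost", "db", 22, "tcp"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def role(ip: str) -> str:
    """Label lookup; unmapped endpoints get the role 'unknown'."""
    return str(WORKLOADS[ip]["role"]) if ip in WORKLOADS else "unknown"


def decide(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a flow under POLICY (default deny)."""
    if flow.src not in WORKLOADS or flow.dst not in WORKLOADS:
        return "deny"  # endpoint not on the map: cannot be in the allow-list
    key: Rule = (role(flow.src), role(flow.dst), flow.dport, flow.proto)
    return "allow" if key in POLICY else "deny"


def assessment_scope() -> Set[str]:
    """CDE workloads plus every workload that an allow rule connects to them.

    Those 'connected-to' systems are in PCI DSS scope too, so the scope is
    derived from the policy rather than from the 'cde' flag alone.
    """
    cde_roles = {role(ip) for ip, w in WORKLOADS.items() if w["cde"]}
    in_scope_roles = set(cde_roles)
    for src, dst, _port, _proto in POLICY:
        if dst in cde_roles:
            in_scope_roles.add(src)
        if src in cde_roles:
            in_scope_roles.add(dst)
    return {ip for ip in WORKLOADS if role(ip) in in_scope_roles}


def audit(flows: List[Flow]) -> Tuple[List[str], List[Flow]]:
    """Produce assessor-facing log lines and the denied flows that targeted
    a CDE workload (the attempts an auditor will want explained)."""
    log: List[str] = []
    cde_hits: List[Flow] = []
    for f in flows:
        verdict = decide(f)
        log.append(f"{verdict.upper():5} {f.src}({role(f.src)}) -> "
                   f"{f.dst}({role(f.dst)}):{f.dport}/{f.proto}")
        if verdict == "deny" and WORKLOADS.get(f.dst, {}).get("cde"):
            cde_hits.append(f)
    return log, cde_hits


# Constructed flow records standing in for a day of host-firewall telemetry.
SAMPLE_FLOWS: List[Flow] = [
    Flow("10.0.1.10", "10.0.2.20", 8443, "tcp"),   # web -> app: allowed
    Flow("10.0.2.20", "10.0.3.30", 5432, "tcp"),   # app -> db: allowed
    Flow("10.0.9.91", "10.0.3.30", 5432, "tcp"),   # marketing -> db: denied, CDE hit
    Flow("10.0.1.10", "10.0.3.30", 5432, "tcp"),   # web -> db directly: denied, no rule
    Flow("10.0.9.90", "10.0.3.30", 22, "tcp"),     # jumphost -> db ssh: allowed
    Flow("192.0.2.77", "10.0.2.20", 8443, "tcp"),  # unmapped source: denied
]

if __name__ == "__main__":
    lines, hits = audit(SAMPLE_FLOWS)
    print("\n".join(lines))
    print("in-scope workloads:", sorted(assessment_scope()))
    print("denied attempts into the CDE:", len(hits))
```

Two things in the output are worth noticing. The jumphost is not a CDE workload, yet it lands in `assessment_scope()` because a rule lets it reach the database; that is the ‘connected-to’ effect that narrow scoping tends to miss. And the direct web-to-database flow is denied even though both ends are inside the CDE, because segmentation is about the allowed paths between workloads, not just the CDE perimeter.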

Further reading to guide you

For more information on PCI Compliance in Australia, its benefits, key requirements, and who must comply, visit the Australian government’s website. And if you’re interested in reading more about decoupling security segmentation from the network, see the white paper my colleagues recently published.

About the author

Rob van Es is Vice President of Asia Pacific at Illumio, where he leads regional business development. Rob has over two decades of experience managing sales for high-tech start-ups and later-stage companies. Connect on LinkedIn.