5 Steps to Managing PCI DSS Updates
August 4, 2008
PCI compliance managers and professionals from over 20 household names came together at the inaugural PCI DSS Forum London event in June, with one issue in particular on everyone's mind: Version 1.2. True to form, according to many present, the PCI Security Council has been vague as to what the update will entail for businesses. However, experts on the day, including Branko Lolich from American Express, echoed the official statement of the Council: Version 1.2 is simply a refinement of the current standard; carry on as you are until 1 October and you will then have a grace period in which to make the changes. You could almost hear the room breathe a (very) cautious sigh of relief. A month later, the PCI Council announced the 24 Month Lifecycle Review and Change Process, proof that changes to the standard can be expected on a regular basis.
A major requirement of the PCI DSS is that companies elicit a response to policies from 100% of the user population, so these changes, no matter how minor, must be communicated across the entire card processing network. All policy documentation will be inspected during onsite audits, and staff will be questioned as to their understanding of policies. It is therefore imperative that staff be kept up to date on Version 1.2 and all revisions to the standard, and on how these affect their responsibilities; no mean feat on a 24 month lifecycle review process.
Managing the PCI DSS Lifecycle Review
So, how do you manage this, and more importantly, how can you prove that you've made every effort to do so? Well, according to some, Automated Self Certification is the answer. We asked Robert O'Brien, CEO of Baronscourt and expert on Automated Self Certification, to give us the 5 key ways in which the technology can help manage PCI DSS change:
1. Automating the policy creation process allows you to quickly create new policies from scratch or amend existing policies to meet with changes – automatic versioning control provides an audit for all original policies sent.
2. Automatic targeting and scheduling technology allows you to ensure that you target ALL users in the organisation – look for products that include laptop users, PDA and mobile users, remote/web access users and non computer users.
3. Obtaining a response every time allows organisations to capture an audit trail of user response to any policy communication. Even those staff that don’t provide a positive response can be brought up to speed as part of a remediation project.
4. Automating surveys and risk assessments allows you to test employee understanding and present a picture of your IT security posture at any given time. Auditors like to see high user participation percentages.
5. Automation allows for ease of audit and reporting. Products with sophisticated, multi level reporting and audits will help you identify problems and risk areas, and take immediate remedial action.
Two recently published reports further compound the necessity of communicating policy and eliciting action and response across the user population. The Identity Theft Resource Centre has issued statistics which state that 16% of all data breaches in 2008 have come from insiders, a figure up by 6% on last year. The 2008 Verizon Business Data Breach report is even more shocking: 62% of data breaches can be attributed to a significant error in human behaviour, and business partners accounted for a third of all breaches. Small wonder that third-party issues appear so frequently on PCI forums and blogs. With the organisational compliance burden increasing year on year, it makes sense that more and more companies are turning to Automated Self Certification.
Baronscourt have developed MetaCompliance, the leading automated self certification product suite. For more information on how MetaCompliance can help you overcome your PCI challenges, visit www.metacompliance.com