Complying with PCI DSS, one of the most widely known and stringent compliance standards, is a challenging task. Numerous security controls and technical activities go into achieving it for the first time. But the story doesn't end there: by the time you are done celebrating your achievement, it is time to maintain the compliance and sustain it through the entire life cycle of the next year.
Organizations that have been maintaining compliance over several years know very well that one has to be particular about completing the periodic activities. However difficult it sounds, with a good amount of planning and division of responsibilities within your team, accomplishing this won't be difficult.
Issues in maintaining compliance:
- Failing to achieve passing quarterly ASV scans.
- Failing to complete the quarterly internal vulnerability assessment.
- Overlooking the bi-annual firewall and router rule review.
- Scaling up and forgetting to implement the applicable PCI controls on the new in-scope systems.
- New systems added to the scope not being included in VAPT activity.
- Skipping the wireless scan for detection of authorized and unauthorized wireless access points.
- Missing the user access reconciliation, required at least every 90 days.
- Not enforcing the retention period for cardholder data storage; adopt a manual method or automated card finder tools.
- Not installing critical patches within one month, and non-critical ones within a defined time period.
How to maintain compliance:
- Set reminders and deadlines for completing the daily, weekly, monthly, quarterly, biannual and annual tasks.
- Design a PCI compliance maintenance charter.
- Clearly define responsibilities and divide tasks between the concerned departments and stakeholders.
- Be extra vigilant about what you are adding to the existing PCI DSS scope. Replicate the applicable security controls on the new systems.
- Choose your new service providers wisely. Chase the existing ones to demonstrate their compliance on time.