With the release of PCI-DSS 3.0, organizations have a framework for payment security as part of their business-as-usual activities. The updated standard introduces more flexibility and an increased focus on education, awareness and security as a shared responsibility. These are important changes because PCI-DSS 3.0 really looks at how to build security into your business processes. I’d like to explore the three main concepts that PCI-DSS 3.0 attempts to address and also the common challenges around ensuring continuous firewall compliance.
All of this is welcome, but in practice compliance efforts run into two recurring stumbling blocks.
Manual audits will chew up your time and resources and leave you no better off strategically.
This is no joke. Forrester Research has stated that conducting a manual firewall audit is “nearly impossible”. I’ve personally spoken with customers who before implementing AlgoSec were spending 2-3 weeks of audit preparation PER FIREWALL! And in a recent survey on the Impact of Security Management on the Business, nearly three-quarters (74%) of respondents said that firewall audits consume more than one man-week each year and one in six (16%) spend more than one month on firewall audits annually. Automating the audit process is really important because you most likely have to comply with more than just PCI-DSS and even for just PCI-DSS you may have to go through a couple of audits per year.
Point-in-time compliance serves no purpose.
If you don’t have processes in place to ensure continuous compliance, you are setting your organization up for a lot of unnecessary pain. Being PCI compliant today does not mean you will be compliant tomorrow, unless you have a way to manage change. Security changes come fast and furious in many organizations as business requirements dictate, and every change is an opportunity to take your environment out of compliance. If you build a risk and compliance check into your change process (and, better still, automate it), you can validate before a change is deployed that it will not take you out of your intended security and compliance posture.
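As an added illustration of what such a pre-change check looks like (this is example code written for this page, not AlgoSec's product or any PCI-DSS reference implementation), the script below gates a proposed firewall rule against the kinds of conditions PCI-DSS Requirement 1 is concerned with: no direct Internet-to-CDE traffic in either direction, no "any" service or known clear-text services into the cardholder data environment, and a ticket plus business justification on every permit rule. The zone addressing, the rule fields and the list of insecure services are all assumptions for the example; a real check would be driven by your own CDE scope definition and your firewall's actual rule semantics.

```python
"""Pre-change firewall compliance gate (illustrative example, not product code)."""
import ipaddress
from dataclasses import dataclass

# Constructed zone map: hypothetical addressing, not from the post.
ZONES = {
    "cde":  ipaddress.ip_network("10.9.0.0/16"),   # cardholder data environment
    "dmz":  ipaddress.ip_network("10.1.0.0/16"),
    "corp": ipaddress.ip_network("10.2.0.0/16"),
}

# Assumed list of clear-text services that should never be permitted into the CDE.
INSECURE_SERVICES = {"tcp/21", "tcp/23", "tcp/80", "udp/69"}  # ftp, telnet, http, tftp

MESSAGES = {
    "INTERNET_TO_CDE":         "inbound traffic from an untrusted network directly into the CDE",
    "CDE_TO_INTERNET":         "outbound traffic from the CDE directly to an untrusted network",
    "ANY_SERVICE_TO_CDE":      "'any' service permitted into the CDE; restrict to required ports",
    "INSECURE_SERVICE_TO_CDE": "clear-text service permitted into the CDE",
    "NO_JUSTIFICATION":        "permit rule lacks a change ticket or business justification",
}


@dataclass
class Rule:
    """Hypothetical vendor-neutral rule representation."""
    name: str
    src: str            # CIDR or "any"
    dst: str            # CIDR or "any"
    service: str        # "proto/port" or "any"
    action: str         # "allow" or "deny"
    ticket: str = ""
    justification: str = ""


def zone_of(cidr: str) -> str:
    """Map an address block to a zone; anything outside the known zones is untrusted."""
    if cidr == "any":
        return "internet"
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "internet"


def check_rule(rule: Rule) -> list:
    """Return the list of finding codes for one proposed rule (empty means compliant)."""
    findings = []
    if rule.action != "allow":
        return findings          # deny rules cannot open a path; nothing to flag
    src_zone, dst_zone = zone_of(rule.src), zone_of(rule.dst)
    if dst_zone == "cde":
        if src_zone == "internet":
            findings.append("INTERNET_TO_CDE")
        if rule.service == "any":
            findings.append("ANY_SERVICE_TO_CDE")
        if rule.service in INSECURE_SERVICES:
            findings.append("INSECURE_SERVICE_TO_CDE")
    if src_zone == "cde" and dst_zone == "internet":
        findings.append("CDE_TO_INTERNET")
    if not rule.ticket or not rule.justification:
        findings.append("NO_JUSTIFICATION")
    return findings


def review_change_queue(rules) -> dict:
    """Gate every pending change: name -> (approved, human-readable findings)."""
    return {
        r.name: (not (codes := check_rule(r)), [MESSAGES[c] for c in codes])
        for r in rules
    }


# Constructed sample change queue for the example.
SAMPLE_CHANGES = [
    Rule("corp-to-pos-api", "10.2.0.0/16", "10.9.10.5/32", "tcp/443", "allow",
         ticket="CHG-1041", justification="POS back-office to tokenization API"),
    Rule("vendor-telnet",   "any",         "10.9.10.5/32", "tcp/23",  "allow"),
    Rule("cde-web-egress",  "10.9.0.0/16", "any",          "tcp/80",  "allow",
         ticket="CHG-1042", justification="patch downloads"),
]

if __name__ == "__main__":
    for name, (approved, msgs) in review_change_queue(SAMPLE_CHANGES).items():
        print(f"{name}: {'APPROVED' if approved else 'BLOCKED'}")
        for m in msgs:
            print(f"    - {m}")
```

Running this as part of a change workflow (for example as a required check before a ticket can move to "implement") is what turns point-in-time compliance into a continuous control: every rule is evaluated against the same policy before it reaches the firewall, and the finding codes give the reviewer and the auditor the same record of why a change was approved or rejected.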
PCI-DSS 3.0 is designed to address how networks and data centers have evolved and to not only improve security controls, but to build them into the fabric of your business. If you can be assured of what’s in your network and how data is flowing through your network, and if you can ensure all of your key stakeholders are aligned, you are well on your way to a continuously PCI compliant environment as well as a more secure and agile operation.