Replacing a guidance document published in 2014, the PCI Council recently published Information Supplement: Best Practices for Maintaining PCI DSS Compliance. This new supplemental document outlines guidance and instruction for handling challenges associated with preserving PCI DSS compliance after the PCI DSS assessment has completed.
Challenges in maintaining compliance occur for a variety of reasons. An organization may make changes due to customer requirements, shifting business goals, or a change in technology infrastructure. An organization may assume that continuing to do what was done in previous years will guarantee continued compliance. In other organizations, leadership may lack a solid commitment to preserving compliance and divert resources away from monitoring their compliance program. Whatever the issues may be, organizations are well aware that compliance gaps leave them vulnerable to security control failures, inadvertent information loss, and malicious intrusions.
The supplemental document is a result of the PCI’s community-driven initiative focusing on payment security challenges related to PCI Security Standards. Feedback from industry has shown that entities typically see a drop in their PCI security control effectiveness and overall compliance posture in the period following their PCI DSS assessment. In an effort to help organizations maintain PCI DSS compliance, this document emphasizes integrating security and compliance practices into the organization’s culture and everyday activities.
The following key principles are outlined in the document:
1. Develop and Maintain a Sustainable Compliance Program
2. Develop Program, Policy, and Procedures
3. Define Performance Metrics to Measure Success
4. Assign Ownership for Coordinating Security Activities
5. Emphasize Security and Risk Management to Attain and Maintain Compliance
6. Continuously Monitor Controls
7. Detect and Respond to Control Failures
8. Maintain Security Awareness
9. Monitoring Compliance of Third-Party Service Providers
10. Evolve the Compliance Program to Address Changes
The document can be read in its entirety on the PCI Council’s website here.