Friday, July 5, 2013

Why Security Teams Fail PCI Audits?

5 Key Challenges in the way of successful auditing!

For any business accepting credit or debit card payments from its customers, Payment Card Industry Data Security Standard (PCI DSS) compliance - a comprehensive set of standards for protecting payment card data - is an absolute must.

But for most, ensuring continuous compliance (ongoing monitoring of the rules rather than waiting for an audit to reveal non-compliance) with the vast and ever-changing set of requirements can be a real drain on resources.

The 5 'C's

Undoubtedly one or all of the following challenges are getting in the way of successful auditing: the five 'C's.

  • Complexity - enterprises have hundreds of firewalls, routers and switches, each with its own complex configuration and thousands of access rules. All of them have to be tracked and catalogued, which makes it almost impossible to comply with every PCI DSS rule.
  • Change - hundreds of changes every week amount to thousands of changes to track from one audit to the next. The combination of rapid change and time pressure means mistakes happen, and those mistakes can leave businesses wide open.
  • Connectivity - configuration errors very easily lead to compliance issues and service downtime. A high volume of rule changes can expose cardholder data, leaving businesses compromised until their next audit.
  • Compliance - audits are time intensive, and changes usually go unchecked between audits, making the process even more laborious. Yet businesses cannot afford to fail an audit.
  • Communication - poor communication and a siloed culture between application owners and IT security can make a comprehensive compliance check between audits extremely complicated and difficult to manage.

PCI DSS auditing doesn't always need to be a costly and thankless task. While compliance will always be essential for most enterprises, automation solutions can make it a much more efficient process, slashing the time spent on repetitive manual work so that security teams can focus on strategic tasks such as security architecture, research and education.
