The New Compliance Checklist

Anyone who does business in the cloud knows that compliance standards are a mandatory and often complicated part of the game. Yet getting and staying compliant can be especially tricky for finance and e-commerce organizations, which are bound by soon-to-be updated Payment Card industry (PCI) Data Security Standards (DSS) that demand especially tight controls. Creating a secure cloud environment is only the beginning for companies that handle sensitive credit card and finance data. To pass audits and prevent breaches, these companies must stay attuned and responsive to the changing face of compliance.

The issue? Many companies focus the lion’s share of their attention on security and performance, and think of compliance as a simple box to be checked off. As I’ve written before, compliance is a byproduct of a solid security program – but that doesn’t mean it’s simple. When it comes to protecting sensitive financial data and transactions, compliance can involve technical architecture and operational processes that many organizations simply don’t understand or don’t want to bother with. And because those regulations can be quite complicated, it’s not uncommon for organizations to entrust their compliance to a third-party provider on the assumption that the provider will take care of everything.

Yet both of these approaches carry considerable risks. We live in a world where finance, business and technology have intersected in unforeseen and innovative ways. These new tools and platforms will continue to evolve – and the compliance requirements will continue to adapt right along with them. This means that businesses must stay attentive to these changes and update their compliance tactics accordingly.

Risks and Repercussions

It’s no secret that organizations that don’t bother analyzing their own specific compliance dynamics can end up without adequate coverage. Those that hand all responsibility for their compliance over to a cloud provider can also wind up short-changed, as some providers supply only the bare minimum of compliance controls, rather than taking into account each customer’s unique circumstances and requirements. Given the complexity of getting and staying compliant, this puts the customer on shaky ground.

Another danger: not keeping up with the latest compliance regulations and techniques. Businesses that assume yesterday’s compliance practices will be adequate today obviously run the risk of violating new PCI regulations, something very topical as the PCI DSS 3.0 updates are due this November. These businesses also risk missing out on new technologies and tactics that can actually simplify compliance, such as isolated payment engines.

Doing a Compliance Background Check

All of this points to one conclusion: companies must ask detailed questions – both internally and of their third-party provider – or risk being saddled with an invisible compliance gap that only comes to light when it’s too late. Organizations that want to stay current on compliance must do their homework and ask the right questions of any third-party provider they consider. Handling fiscal data and credit card transactions poses its own set of compliance needs, and businesses will want to make sure that their provider is on top of the latest and greatest compliance practices – such as payment islands and the other criteria noted below.

• Monthly vulnerability scanning and patching. Running scans can prevent many attacks, while patching can stop a small leak from growing into a costly disaster.

• A log management policy that involves daily reviews. This is an effective and easy way to spot abnormalities and resolve them before they make a deeper impact.

• A layered security model. A truly secure cloud relies on a variety of tools and strategies working in tandem, including perimeter security, DDoS mitigation, firewalls, IP reputation filtering, multifactor authentication, anti-malware and more.

• A strong response plan in the event of a breach. Many breaches take days or months to detect, so having an effective plan to detect intrusions and maintain uptime is critical to prevent widespread data loss, fines and brand damage.

• Internal and well-documented audits. Clear and thorough records should be provided that validate the vendor’s review process while demonstrating that monitoring and compliance needs are being met.

• Isolation of the credit card databases within the cloud infrastructure. The best-case scenario is to decouple regulated data from monolithic IT environments through network segmentation. As recommended by the leading analyst firm Gartner, this concept of a Payment Island removes and isolates risk while limiting the scope of infrastructure, policies, and procedures that must meet compliance.

Remember that reputable providers will be transparent in providing clear and detailed answers – so don’t be afraid to probe into their experience in guaranteeing PCI compliance. The above practices are critical for creating a secure and high-performing cloud environment that protects cardholders and lets businesses safely collect, store and transmit confidential data.

Compliance might seem like a hassle when you tackle it head-on, but a smart and thorough plan will ultimately spare you the expensive fines, increased audits and irreparable brand damage that come along with a breach. It will also guarantee the consistency and protection that are so critical when it comes to disaster prevention. Do the legwork now to ensure you’re as compliant as you need to be and you’ll provide your organization with a higher-performing cloud, successful audits, and a safer, smoother future.
