Today’s IT environments are becoming more and more (not less) complex, and the risk to cardholder data access by unauthorized individuals and software programs has never been greater.
Beyond the headlines of high-profile breaches is the reality that most PCI compliance efforts still follow the audit-and-remediate model. By now, it should be clear that this model is no longer sufficient to safeguard your organization.
Very few individuals in IT fully understand which policies govern which IT resources. As a result, IT personnel regularly make changes in the environment that put their organizations at risk of violating PCI policies. For example, an application server that accesses a database containing customer cardholder data is installed on infrastructure that does not meet PCI policy standards.
What’s more, when firefighting to resolve issues, the focus is naturally on restoring service as quickly as possible, and compliance is often an afterthought. Changes made in the heat of the moment, or sensitive access granted and not revoked afterwards, are all too commonly discovered only when an audit is performed. And even then, audits are only partial, meaning there are likely many more out-of-compliance situations that have not been discovered.
While it once may have been considered acceptable to do an annual PCI audit, flag these types of issues, and remediate them – it’s now clear that this leaves your organization with too high a risk posture. Instead, what’s needed is to put PCI compliance inline with daily operations.
ITinvolve helps you prepare for the new PCI Data Security Standard (DSS) 3.0
ITinvolve supports many updates required for PCI DSS 3.0 compliance including (partial list of requirements met):
- Have a current diagram that shows cardholder data flows (native support)
- Maintain an inventory of system components in scope for PCI DSS (native support)
- Clarified that changing default passwords is required for application/service accounts as well as user accounts (native support)
- Security considerations for authentication mechanisms such as physical security tokens, smart cards, and certificates (native support for management of electronic security measures)
- Protect POS terminals and devices from tampering or substitution (native support for policy-based risk analysis; additional support with security event management partners)
- Implement a methodology for penetration testing, and perform penetration tests to verify that the segmentation methods are operational and effective (workflow and task management enforcement and support)
- Maintain information about which PCI DSS requirements are managed by service providers and which are managed by the entity; service providers to acknowledge responsibility for maintaining applicable PCI DSS requirements (native support)
- Implement security into business-as-usual activities and follow best practices for maintaining ongoing PCI DSS compliance (native support)
With ITinvolve, you can put PCI compliance inline with daily operations:
- Easily model and visualize PCI policy requirements and their relationships to IT infrastructure configurations, automations, applications, and responsible parties
- Identify and proactively engage the right stakeholders to assess PCI risks from daily operational decisions
- Integrate security events and other PCI compliance-related data sources to provide unprecedented transparency and visibility