By Stuart Wright | Head of Information Security Consulting at Nettitude
We are now over halfway through 2020, and it is fair to say that this has been an unusual year so far for everyone. Like many organisations, Nettitude has had to be agile in how we work, adapting to a whole new way of delivering consultancy. In addition, many of our clients have had to adapt their processes for how they receive assessments. As a result, we have all become very familiar with new ways of working, and whilst this has been challenging to say the least, there is hope that it will create a new resilience in the way we approach challenges moving forwards. So how has the current climate affected PCI compliance? And what’s in store for the rest of 2020?
Below, we’ll take a look at some of the challenges faced around PCI compliance in recent months and reflect on what we’ve learnt, what needs to change, and the approach we’re taking to continue to ensure the effectiveness of our consultancy and assessment procedures.
What Challenges has 2020 posed to PCI Compliance?
Many of our PCI DSS merchant and service provider clients have faced significant changes due to the impact of lockdown, and we’ve seen challenges such as:
- Retail – many high-street retailers have had to close their stores, and so on-site assessments have not been possible. Simultaneously, online shopping has seen a huge increase, placing additional demand on E-Commerce retailers.
- Call Centres – with the advice to work from home where possible in place, many organisations have had to close their call centres, and enable their workforce to work remotely. This is particularly challenging for any organisation taking telephone payments, where a sudden and unplanned change to operating procedures can have significant impact on PCI DSS compliance.
- Service Providers – while many merchants have been able to agree deferral of their annual assessments with their acquiring banks, service providers have largely needed to maintain compliance throughout this period in order to fulfil contractual obligations to their own clients.
- Small Family Businesses – it’s been common to see traditionally small and localised businesses (such as butchers, restaurants, cafes, and bakeries) switch to delivery services with online ordering. Legal and compliance obligations such as PCI DSS and data protection can very easily be overlooked in such a small business trying to stay afloat through very challenging times.
The show must go on – Creating resilience
By working closely with our PCI DSS merchant and service provider clients, it has been possible to continue delivering consultancy and “on-site assessments” with relatively few complications. We’ve implemented a comprehensive process for delivering remote assessments, including additional planning and mechanisms to deliver virtual tours of client sites. With support and guidance from the PCI Security Standards Council, card schemes, and acquiring banks, we’ve successfully assessed many clients over the past six months, and will continue to do so for as long as restrictions remain in place.
This period has not been plain sailing for all of our clients, and there are many lessons we can learn from our experiences over the past six months. Business continuity planning (BCP), in particular, is an area where many organisations will likely invest heavily in the coming months and years, based on their experiences so far in 2020.
The PCI DSS requires you to consider BCP as part of your incident response planning (requirement 12.10), but does not provide any more detailed guidance on what this should include. Many organisations focus on recovering from a disaster or a breach, with significant efforts and attention paid to technology and the recovery of systems and data.
We’ve also witnessed businesses of all sizes respond very quickly in recent months, not to a system failure or a breach, but to a sudden change in working practices. In many cases organisations have enabled their entire workforce to work remotely, and with relative ease thanks to the prevalence and adoption of cloud-based technologies.
Incorporating PCI compliance into BCP and disaster recovery planning
Clearly, enabling your business to continue to function is a priority, but organisations also need to consider compliance as part of their BCP and disaster recovery planning. It’s important to remember that during an on-site assessment your QSA isn’t just confirming your compliance at a point in time, but also that you’ve maintained compliance throughout the period since your previous assessment.
Information security and compliance should not be viewed as something extra to consider when you design a business continuity plan; they’re integral to your business and therefore should be baked into your thinking.
We recommend that you review your business continuity plans and evaluate whether they extend beyond keeping the business running to also cover information security and compliance.
Businesses should be considering questions such as:
- Will our PCI DSS scope change as a result of triggering a BCP plan?
- Can we maintain business-as-usual PCI DSS requirements if our working model changes?
- How will we ensure we complete frequency-based requirements such as quarterly vulnerability scans, penetration tests, and firewall ruleset reviews?
- Can we continue to install security updates correctly if our workforce is remote?
- Are processes such as change management and user awareness training at risk of lapsing due to focus in other areas?
- Will we need to design compensating controls, and if so, how will we validate and maintain them?
- Who do we contact for support, and how would we contact our acquiring bank or a card scheme for compliance guidance?
What have we learnt?
It’s all too easy to do “just enough” when it comes to compliance, but if your planning does not take into consideration how you will maintain good security practices and your compliance obligations, then you may find you encounter significant issues in the future. Nettitude’s Information Security Consultants can not only help your business to incorporate PCI compliance into your BCP and disaster recovery planning, but also assist in regularly reviewing your plan to ensure your business maintains resilience, no matter what else 2020 decides to throw at us.
For more information on PCI Compliance, please don’t hesitate to get in touch with your local Nettitude team.