How to Improve PCI DSS Compliance Using the CIS Controls
How well are companies protecting payment card data? According to the Verizon 2022 Payment Security Report, things are improving.

A greater proportion of enterprises have achieved 100% compliance with the Payment Card Industry Data Security Standard (PCI DSS) compared to several years ago. In 2020, Verizon found that 43.4% of enterprises belonged to this category. That's up from 27.9% just a year earlier.

So how are enterprises growing their PCI DSS compliance? We'll explore this below. First, let's provide a bit of background on PCI DSS.

Overview of PCI DSS Compliance

Introduced in 2004, the PCI DSS is a voluntary industry self-governance standard designed to protect payment card data against fraud. PCI DSS v4.0 consists of 12 detailed requirements that mirror security best practices. It applies to all entities that store, process, or transmit cardholder data and/or sensitive authentication data.

PCI DSS and related security standards fall under the administration of the PCI Security Standards Council, which was founded by the major payment card companies. Participants include merchants, payment card-issuing banks, processors, developers, and vendors. The PCI DSS covers technical and operational system components included in, or connected to, cardholder data.

Use of Compensating Controls on the Rise

Some enterprises cannot fulfill the exact requirements of the PCI DSS as a result of technical constraints and/or business needs. In those instances, they can implement compensating controls to meet those requirements in a way that works for them.

The use of compensating controls is on the rise, according to Verizon. In 2019, approximately a quarter (24.7%) of enterprises were using these measures to comply with PCI DSS. This grew to 30.1% a year later.

Compensating controls come with their fair share of risks, however. Many enterprises leverage specialized technology in order to implement compensating controls. Like any technical solution, these tools are susceptible to outdated settings or misconfigurations that cyber threat actors can use to gain access to a target's systems and data. This explains why a sustainable strategy for long-term compliance is necessary.

Using the CIS Controls to Improve PCI Compliance

One of the best ways to develop and implement a long-term plan is through the use of a consensus-driven solution such as the CIS Critical Security Controls (CIS Controls). The CIS Controls and the associated CIS Benchmarks provide security best practices for protecting systems and data as well as complying with frameworks like PCI DSS v4.0.

In fact, CIS recently released a mapping that explains how the CIS Controls map to PCI DSS v4.0.

The PCI Security Standards Council lists CIS as one of the reputable sources for system hardening. You can find out more by accessing the full PCI DSS v4.0 document in the PCI document library.

In pursuit of full PCI DSS v4.0 compliance, IT professionals can use the CIS Controls Self Assessment Tool (CIS CSAT) to help manage their implementation of the CIS Controls. CIS CSAT enables teams to assess and track their progress in implementing the CIS Controls over time and identify areas for improvement. Equipped with mappings to PCI DSS v4.0 and other security frameworks, CIS CSAT is available as a free CIS-hosted version for any enterprise to try, while CIS CSAT Pro offers additional features, including on-premises use, for CIS SecureSuite Members.

Keep Up with Payment Card Security

Developing a long-term plan can help ensure success when working toward PCI DSS v4.0. Resources and tools for implementing and assessing the cybersecurity recommendations of CIS Controls and CIS Benchmarks are available through CIS SecureSuite Membership, a cost-effective way to achieve PCI DSS compliance and ensure the protection of digital assets.