Maintaining Sustainable PCI DSS Compliance

Complying with PCI DSS, one of the most widely known and most stringent
compliance standards, is a challenging task. Numerous security controls and
technical activities go into achieving it for the first time. But the story
doesn't end there. By the time you are done celebrating your achievement, it's
time to maintain the compliance and sustain it for the whole of the next
one-year cycle.
Organizations that have been maintaining compliance for several years know
very well that one has to be very particular about completing the periodic
activities. However difficult that sounds, with a good amount of planning and a
clear division of responsibilities within your team, accomplishing it won't be
daunting.
Some of the common points of failure are:

Failing to obtain passing quarterly ASV scans. Remember, a failed scan
report is not valid; each quarter needs a clean report, or a remediated and
rescanned one.

Failing to complete the quarterly internal vulnerability assessment.

Missing the six-monthly firewall and router rule-set review.

Scaling up and forgetting to implement the applicable PCI controls on the
new systems that came into scope.

Leaving newly in-scope systems out of the VAPT activity.

Skipping the wireless scan for detection of authorized and, above all,
UNAUTHORIZED wireless access points.

Not reconciling user access at least every 90 days.

Storing cardholder data beyond the defined retention period. Adopt a manual
method or automated card-finder tools / cron jobs to check for the presence of
CHD beyond retention.

Not installing critical patches within one month, and non-critical ones
within a defined time period.
What are the possible repercussions of failing to meet some of the regular
compliance maintenance activities?

You may miss your intended date of PCI re-certification.

Acquirers will keep following up with you to submit the quarterly ASV reports.

You may be running vulnerable systems with weak or no controls.

You may suffer business consequences when your clients find you failing to
meet contractual requirements.

Consumer trust is lessened.

You may be flagged, or even removed, from the payment brands' listings of
compliant companies (if listed).
Source: Verizon 2015 PCI Compliance Report
How not to fail at maintaining compliance?

Set reminders and deadlines for completing the daily, weekly, monthly,
quarterly, six-monthly and annual tasks.

Design a PCI compliance maintenance charter.

Clearly define responsibilities and divide the tasks between the concerned
departments and stakeholders.

Be extra vigilant about what you add to the existing scope of PCI DSS.
Replicate the applicable security controls on the new systems. Consult your
information security team or QSA to be completely sure.

Choose your new service providers wisely. Chase the existing ones to
demonstrate their compliance on time.

Incorporate PCI DSS into business as usual so that it becomes a part of
everyday business.

Patch your systems on time: not just the OS and network device firmware,
but also the applications.

Don't just collect logs. Review them, analyse them and act on them.

The standard will continuously evolve and get more stringent. Invest in
security solutions with the long-term benefits in mind. With that, best of
luck in maintaining and sustaining compliance year after year.
Source: https://www.sisainfosec.com/americas/blogs/maintaining-sustainable-pci-dsscompliance/