Page 34 - GS181201
CoverStory
One such effort was establishing the PCI Small Merchant Taskforce in 2015, which continually updates educational materials, most recently with the August 2018 publication of the PCI Data Security Essentials Evaluation Tool, Leach noted. Designed to simplify security, the set of resources includes Guide to Safe Payments, Common Payment Systems, Questions to Ask Your Vendors, Glossary of Payment and Information Security Terms, Data Security Essentials Evaluation Tool and a PCI Firewall Basics infographic. Leach said the free downloadable guides are available on the Merchant Resource Page of the PCI SSC's website.

Chris Bucolo, vice president, market strategy at ControlScan Inc., said the evaluation tool was the result of ongoing collaborations among taskforce members around the world. "The ultimate goal is to remove the barriers that keep small merchants from successfully completing their self-assessment questionnaires," he stated. "At the same time, we are striving to educate these merchants so that they can achieve a strong security posture."

Global collaboration

Collaboration was a recurrent theme at the PCI SSC's North America Community Meeting held at the Mirage Hotel Las Vegas in September 2018. More than 1,300 security professionals attended the annual gathering to discuss evolving threats and recent developments in security. Leach said market feedback and global collaboration are critical to staying ahead of cybercrime.

The council's participating organizations, board of advisers, technical advisory board, regional engagement boards, affiliate members, strategic regional members, taskforces, special interest groups and newly formed global executive assessor roundtable are all part of efforts to promote cross-industry collaboration, Leach noted. "Bringing diverse participants together facilitates meaningful discussions, such as how payment processing in Brazil compares with Southeast Asia," Leach said. "We also looked at how to bring more consistency and transparency to our feedback process."

Incoming PCI SSC executive director Lance J. Johnson added, "It is only by working together as an industry that we can achieve success securing payments and combating card breaches." In his Sept. 26, 2018, keynote address, Johnson cited the PCI SSC's diverse global community as its greatest accomplishment, suggesting that learning from each other is key to a sustainable future.

Disciplined execution

Verizon's 2018 Payment Security Report provides analysis from PCI DSS compliance validation assessments, including the company's Data Breach Investigations Report. Lead author Ciske van Oosten, senior manager of global intelligence at Verizon Enterprise Solutions, said compliance programs must rely on data and predictive analytics, not guesswork. "We live in a world of models, all kinds of them," van Oosten said. "Some models are simple, others very complex. [Their] main task is to predict how the things they describe will behave, depending on the circumstances." A simple, highly effective model for a PCI-compliant data protection program would outline key success factors for performance and program competencies, van Oosten proposed. However, chief information security officers (CISOs) frequently fail to win approval, support and funding for these programs. Verizon's 2018 report found that 47.5 percent of respondents had not maintained sustainable control environments between 2016 and 2017, placing them at higher risk of a data breach.

"CISOs must articulate the need in a compelling story to the board of directors," van Oosten said. "The strength and outcomes of the [compliance program] investment must be predictable. To be persuasive, they need precise approaches to measuring and improving performance. They must also align the program with the organization's core values and cultures."

Consistent performance

Consistent performance is critical to ongoing data protection, van Oosten maintained. The objective is to make compliance activities and outcomes predictable, which can be challenging for a large enterprise with multiple regions and business units. "The success of a compliance management program is more dependent on how it is structured, what its objectives are, and the 4 C's: the capacity, capability, competence, and commitment with which it is executed," van Oosten added. "This will result in predictable outcomes."

Following are Verizon's nine factors of control effectiveness and sustainability:

1. Control environment: A healthy control environment supports the 12 key requirements of the PCI DSS, which encompass network security, configuration standards, cardholder data protection, secure data transmission, malicious software protection, secure systems, access control, authentication, physical security, monitoring, security testing and security management.

2. Control design: Effective control design incorporates all PCI DSS security control objectives.

3. Control risk: Ongoing maintenance (security testing, risk management, etc.) mitigates control failures, preventing controls from degrading over time and eventually breaking down.

4. Control robustness: Control robustness relates to a control system's ability to remain viable during disruptions. Robust control environments are more resistant to adverse events and stealthy, sophisticated attacks.

5. Control resilience: Control resilience enables organizations to proactively discover and quickly remediate failure points, ensuring compliance and