Illustrating SIEM Compliance Via PCI DSS Compliance

The benefits of deploying a SIEM solution on your enterprise’s IT environment are myriad; it enables threat detection, security data aggregation and analysis, threat correlation, security alerts, and user and entity behavior analysis. That list only scratches the surface of SIEM solutions’ capabilities. It’s no wonder then that, as the cybersecurity paradigm shifts from a prevention model to a rapid detection and response model, more enterprises are exploring the possibilities SIEM offers.

However, SIEM solutions also offer a benefit that is simultaneously central to cybersecurity and yet increasingly on its periphery: compliance. Virtually every enterprise of every size and economic sector must be in compliance with their relevant industry regulatory mandates. This can be expensive and challenging for enterprises to achieve, let alone maintain.

To highlight some of the challenges involved with digital compliance, let’s take a look at one regulatory mandate: PCI DSS.

What is PCI DSS?

Payment Card Industry Data Security Standard (PCI DSS) compliance mandates the proper processing, storage, and transfer of credit card data. There are 4 different levels of PCI DSS compliance depending on the volume of credit card data enterprises process and 12 steps to full compliance.

Altogether, PCI DSS sounds like a daunting, possibly overwhelming prospect for enterprises to achieve, but according to the PCI Security Standards Council compliance boils to down to three steps:

• Assessing business processes that deal with credit card data and analyzing them for potential vulnerabilities.
• Eliminating detected vulnerabilities and making credit card storage a means of last resort.
• Compiling and submitting required reports.

PCI DSS compliance is evaluated and enforced by individual payment brands like Visa or Mastercard, who each may have different compliance validation levels.

I Own a Small Business. Can I Ignore PCI DSS?

A persistent delusion in the corporate world is that small businesses and enterprises because they only process a relatively smaller volume of credit card data, they do not need to be in PCI DSS compliance.

The key word there is of course “delusion.”

It does not matter what size your business is or how infrequently you process credit card data—you still need to be in PCI DSS compliance even if you process just one users’ credit card. Furthermore, you are still responsible for compliance even if you outsource your credit card data processing to a third-party. You need to evaluate whether they are in compliance and ensure whatever activity you do perform involving credit cards—such as issuing a refund—follows regulations.

Your enterprise is also responsible for preventing data breaches of credit card data, as PCI DSS compliance holds you liable for fraudulent transactions in your data flows.  

What are the Consequences of a PCI DSS Compliance Failure?         

Failing to comply with PCI DSS—including suffering a data breach customer credit cards you could have prevented—can result in some expected consequences:

• Lost consumer confidence
• Loss of sales
• Legal costs from lawsuits, settlements, and fines
• Higher cybersecurity or compliance costs in the future.

However, a PCI DSS compliance failure can have uniquely damaging consequences as well:

• Fraud losses
• Termination of ability to accept payment cards
• Costs of re-issuing new payment cards.  

The consequences of a compliance failure are such that customer-facing businesses or businesses that handle client payments could be in a precarious financial situation afterward.

I’ve Achieved PCI DSS Compliance! I’m Finished!   

Well, not quite. PCI DSS is not a one-time event. Regulatory standards change to adapt to new hacking tactics and potential liabilities. Focusing on a once-a-year compliance assessment may fool you into thinking that you are safe; enterprises that pass their assessment but suffer a credit card data breach later in the year often find they were out of compliance when the breach occurred.   

You need to think of PCI DSS compliance as a marathon, not a sprint. It takes continual reassessment and re-enforcement even through reorganizations and employee turnovers. Automating some of the processes can certainly help, but it needs to be tackled on the human level just as much if not more.

So how can SIEM Help?

SIEM solutions can help with the basic components of PCI DSS compliance to make the lives of your employees and IT security professionals easier. SIEM can assess and analyze your business processes for potential security events and vulnerabilities, eliminate those vulnerabilities, and help your IT teams compile compliance reports for the various industry enforcers. In others, SIEM solutions can provide the technical tools to make compliance far easier and keep your enterprise adaptable to regulatory changes.     

If you want to learn more, you should check out the “Top 10 PCI DSS Compliance Pitfalls and How to Avoid Them” checklist, available for free from SIEM solution provider AlienVault here.

Other Resources:

By the Numbers: IT Security Professionals in the Enterprise

How to Potentially Mitigate Post-Breach Cybersecurity Litigation Costs

Breaches Aren’t Inevitable: Employees and Cybersecurity

PCI Security Standards Council

What’s Changed? The Gartner 2017 Security Information and Event Management (SIEM) Magic Quadrant

Widget not in any sidebars