Businesses have so much to worry about currently. Take these tips from Cybera’s Rob Chapman to heart and you can cross PCI-DSS compliance off that list.
Let’s face it. We’re all trying to navigate uncharted territory in the middle of a global pandemic. For many businesses, stepping back to focus on the big picture makes a lot of sense. However, there’s one very specific area businesses simply can’t neglect right now: PCI compliance.
But why should you worry about making PCI compliance a priority when much of the business world is just trying to remain viable? It all comes down to managing risk. Especially today, it’s easy to get overwhelmed by the risk we feel in both our professional and personal lives. Yet we can’t forget that PCI compliance is a critical part of business. And we typically don’t give it the attention it deserves.
If your company has put big projects on hold during the COVID-19 pandemic (or for any other reason), it could be the perfect time to focus on compliance as well as your general security posture. Here are three sets of practical PCI compliance recommendations that can help you during and after the pandemic.
3 “Catch-Up” Recommendations
When working with customers, I almost universally see a few recurring issues to fix. Let’s call these “catch-up” recommendations since they represent things you’ve likely been putting off (but should already be doing on a regular basis):
- Work on your PCI policies and procedures. Policy documents at a lot of companies are a mess. If you can find five people who even know where you keep them, you’re probably ahead of the game. I’ve seen many policies that haven’t been updated in a decade. Use any spare time to update and communicate your latest PCI policies.
- Update your network maps. I can’t even begin to tell you the number of times I’ve sat through a PCI or network security meeting and found that a company has no up-to-date network diagram. Not only is a map useful for training and troubleshooting, but it’s a requirement for PCI compliance (PCI DSS v3.2.1 Requirements 1.1.2 and 1.1.3 call for a current diagram of all connections to cardholder data and of cardholder data flows). Don’t be surprised if you discover servers that you had completely forgotten about, or entire systems you thought were long dead still merrily running along, unmonitored and out of anyone’s control.
- Update your networking equipment firmware and system operating systems. I recently led a painful upgrade process on a Linux system that was so far behind that it couldn’t be updated using the normal upgrade path. This led to a very arduous migration that was otherwise completely unnecessary. Use this time to get everything onto the latest supported stable release, while the vendor still publishes security fixes for it.
3 “Do Now” Recommendations
Whether you’re relatively new to the PCI world or deeply immersed in it, there are a few basic steps that can greatly simplify the compliance process. Consider these recommendations as part of your core compliance foundation:
- Define your PCI compliance team. Even if it’s only a team of one at first, someone has to take responsibility for building your security program. This person should be empowered with authority from your company’s leaders. After all, anyone can put in all the programs, policies and software you can imagine — but if they don’t have support from the top, it won’t mean anything.
- Take a detailed inventory of your environment. What is your security posture? This is the time to inventory your policies, equipment, licensing, digital assets, connectivity, vendor relationships and your ability to monitor all these items. Knowing what you have and don’t have — and what you can and can’t do — will help you understand which gaps you need to fill in terms of compliance.
- Perform an honest risk assessment. What are the risks currently exposed in your company? What threats realistically exist? Being thoughtful about reducing risk and addressing those threats will provide an important lens to prioritize your efforts.
3 “Strategic” Recommendations
Going beyond the scope of “check-box” PCI compliance, the following recommendations represent some of the most important IT security changes you can make to protect your business and your customers. Because these three items represent more long-term steps, let’s dive a bit deeper into each one:
- Turn on MFA for everything
- Log (and review) everything
- Update your password policy
Turn on MFA for Everything
I always advise customers to find a multifactor authentication (MFA) solution and turn it on for everything. And, yes, I mean everything. I can’t think of a single solution that will provide more security benefits for your business. MFA is simply too easy, cheap and security-impacting to ignore.
If you’re not overly familiar with MFA (sometimes called 2FA), it’s simply an extra authentication step during a login process that involves a one-time use code or similar time-sensitive task. There’s a good chance you’ve personally experienced MFA when accessing an online financial or shopping account.
Any effective MFA solution should combine at least two of these three different categories (two passwords are still one factor):
- What you know, such as a password
- What you have, such as your phone or similar security fob
- What you are, such as a biometric like a fingerprint
There are many mature solutions in the MFA arena. I’ve personally used free options built into platforms, one-time codes with Google Authenticator and both Duo and Okta. I tend to prefer time-based codes rather than text messages: SMS codes can be intercepted through SIM-swap attacks and phishing relay pages, while a time-based code never leaves the device that generates it.
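Time-based one-time codes of the kind Google Authenticator, Duo and Okta generate follow RFC 6238 (TOTP), which is RFC 4226 (HOTP) with the counter replaced by the current 30-second time step. The following is an added example, not code from the original article or any of those products, showing how a verifier computes and checks such a code, including two details a real deployment must get right: constant-time comparison and rejection of a code that has already been used. The secret and the expected codes are the RFC 4226/6238 test vector (ASCII "12345678901234567890"); the `last_counter` replay bookkeeping is an assumption about how a verifier stores state.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, unix_time // step, digits)


def provisioning_secret(secret: bytes) -> str:
    """Authenticator apps take the shared secret as Base32 (what the QR code carries)."""
    return base64.b32encode(secret).decode("ascii")


def verify_totp(secret: bytes, code: str, unix_time: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Return the accepted time-step counter, or None if the code is rejected.

    `window` allows +/- one step of clock drift. `last_counter` is the highest
    counter this account has already consumed (assumed to be stored per user);
    any code for that step or earlier is a replay and is refused even if it
    would otherwise match. The comparison is constant-time so an attacker cannot
    learn matching digits from response timing.
    """
    base = unix_time // step
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_counter:
            continue  # already used: refuse the replay
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


# RFC 4226 / RFC 6238 reference secret (not a real deployment secret).
TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print("enroll with Base32 secret:", provisioning_secret(TEST_SECRET))
    print("current code:", totp(TEST_SECRET, int(time.time())))
    print("RFC vector, t=59, 8 digits:", totp(TEST_SECRET, 59, digits=8))   # 94287082
```

Because the verifier accepts a code only once per time step, an attacker who shoulder-surfs or phishes a code has at most the remaining seconds of that step, and nothing at all if the legitimate user already submitted it.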
Many security experts cite MFA as the most effective tool to prevent cybercrime. Unfortunately, executive and user pushback are often the biggest obstacles in deploying MFA. Most people simply don’t like disruptions in their routines—and MFA is purposely designed to do just that.
You can always attempt to make MFA easier for users, but be careful about making it too easy. Cybercriminals can quickly exploit weaknesses, especially with frustrated users who’ll do just about anything to get through a login process: a user who has learned to tap “Approve” on every push notification will approve the attacker’s as well. Keep the remember-this-device window short and the step-up prompts meaningful. And remember: The most critical part (and a common mistake I see) is just remembering to actually turn MFA on, for every account, including service and administrative accounts!
Log (and Review) Everything
If you’re not already doing so, I implore you to turn on logging and track everything in a central location. I’m a huge fan of managed SIEM/SOC services that ingest, monitor and provide alerting for logs. Besides, if you aren’t collecting and examining your logs regularly, you don’t truly know what’s happening in your environment.
There are two primary benefits to generating and reviewing your logs. The first is detection: if someone’s trying to access systems they shouldn’t, or systems are exhibiting unusual traffic or behavior, there’s a good chance you’ll catch it in the logs, provided someone (or something) is actually reading them.
The second benefit is being able to identify broken systems. For example, I’ve inherited servers that “appeared” to be working but were essentially running wild. The logs usually revealed easily fixable configuration issues. Suddenly, systems that had been problem children simply began behaving great again. Like MFA, logging is simply too easy not to do.
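The detection benefit above only materializes if something is looking at the collected logs. As an added illustration that is not part of the original article, the following sketches the kind of rule a SIEM would run over centralized SSH authentication logs: flag a burst of failed logins from one source address, and flag a success from a source that was failing moments earlier, which is the pattern of a password-guessing attack that worked. The log lines are constructed for the example (syslog format as written by OpenSSH); the host name, addresses and thresholds are assumptions, not data from any real environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# OpenSSH auth lines as they land in syslog. Lines that do not match (session
# opened, disconnects, ...) are ignored by this rule.
AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_auth_line(line: str, year: int = 2020):
    """Return a dict for an SSH auth event, or None for any other line."""
    m = AUTH_LINE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it (assumed 2020 here)
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "outcome": m["outcome"],
            "user": m["user"], "ip": m["ip"]}


def find_alerts(lines, threshold: int = 5, window_s: int = 60):
    """Sliding-window rule over auth events, oldest first.

    Emits ("brute_force", ip, failures) once per source when `threshold`
    failures land within `window_s` seconds, and ("success_after_failures",
    ip, user) when a login succeeds while that source still has recent failures.
    """
    events = sorted((e for e in map(parse_auth_line, lines) if e), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)   # ip -> timestamps inside the window
    already_flagged = set()
    alerts = []
    for e in events:
        q = recent_failures[e["ip"]]
        # age out failures that fell outside the window
        while q and (e["ts"] - q[0]).total_seconds() > window_s:
            q.pop(0)
        if e["outcome"] == "Failed":
            q.append(e["ts"])
            if len(q) >= threshold and e["ip"] not in already_flagged:
                alerts.append(("brute_force", e["ip"], len(q)))
                already_flagged.add(e["ip"])
        else:
            if q:
                alerts.append(("success_after_failures", e["ip"], e["user"]))
            q.clear()
    return alerts


# Constructed sample log for the example; not from a real system.
SAMPLE_LOG = """\
Apr 12 10:01:02 pos-gw sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 12 10:01:05 pos-gw sshd[2233]: Failed password for root from 203.0.113.7 port 51236 ssh2
Apr 12 10:01:09 pos-gw sshd[2235]: Failed password for invalid user oracle from 203.0.113.7 port 51240 ssh2
Apr 12 10:01:12 pos-gw sshd[2237]: Failed password for root from 203.0.113.7 port 51244 ssh2
Apr 12 10:01:15 pos-gw sshd[2239]: Failed password for backup from 203.0.113.7 port 51248 ssh2
Apr 12 10:01:20 pos-gw sshd[2241]: Accepted password for backup from 203.0.113.7 port 51252 ssh2
Apr 12 10:03:00 pos-gw sshd[2250]: Failed password for jsmith from 198.51.100.9 port 40011 ssh2
Apr 12 10:04:30 pos-gw sshd[2260]: Accepted publickey for jsmith from 10.0.0.5 port 40020 ssh2
Apr 12 10:05:00 pos-gw sshd[2261]: pam_unix(sshd:session): session opened for user jsmith by (uid=0)
""".splitlines()

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

On the sample, the single failure from 198.51.100.9 and the key-based login from 10.0.0.5 produce nothing, while 203.0.113.7 trips both rules; the second alert is the one worth paging on, since it means the guessing succeeded and the `backup` account should be treated as compromised until proven otherwise.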
Update Your Password Policy
Most people are working with outdated information when it comes to passwords. Prevailing convention for years was to change passwords often and arbitrarily. We thought adding a symbol or number to the mix helped. Sadly, we discovered that too many people just wrote down their passwords in plain text somewhere, “hid” them under their keyboard, or taped them directly to their monitor.
It turns out that password length matters more than anything else. In fact, a longer password can be orders of magnitude stronger than a shorter complex password: every additional character multiplies the attacker’s search space, while a mandatory symbol or digit only adds a little and tends to land in predictable places (a capital first letter, a “1!” at the end). The next time you’re working on password policies, make your passwords long (literally 15 characters or longer), screen new passwords against lists of known-compromised ones, and change them only after a phishing type of attack or similar compromise. That’s it.
Unfortunately, password policy is one area where PCI guidance lags behind. PCI DSS v3.2.1 (Requirement 8.2.4) still wants password changes at least every 90 days; later revisions of the standard relax this, so check which version your assessment is against. Talk with your QSA about how to manage exceptions and look at NIST SP 800-63B for supporting evidence. You might be stuck changing passwords more often than you prefer, but using longer passwords is still a safer option.
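To put numbers on the length-versus-complexity claim above, and to show what a length-first policy with compromised-password screening looks like in code, here is an added example that is not from the original article. It computes the brute-force search space in bits for a given alphabet and length, and checks a candidate password the way NIST SP 800-63B recommends: minimum length, comparison against a blocklist of known-breached passwords, and no expiry rule. The blocklist here is a tiny constructed set; a real deployment would use a breach corpus (which is why the comparison is done on SHA-1 digests, the form such corpora are usually distributed in).

```python
import hashlib
import math


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of work for an exhaustive search: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def strength_ratio(bits_a: float, bits_b: float) -> float:
    """How many times larger search space A is than search space B."""
    return 2 ** (bits_a - bits_b)


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed blocklist for the example. Real breach corpora list SHA-1 digests
# of passwords seen in leaks; this set stands in for that.
BREACHED_SHA1 = {sha1_hex(p) for p in ("Password123!", "correcthorsebatterystaple", "Winter2020!")}

MIN_LENGTH = 15   # the article's recommendation; an assumption for this example


def check_password(password: str, breached: set = BREACHED_SHA1, min_length: int = MIN_LENGTH):
    """Return a list of policy failures; an empty list means the password is acceptable.

    Deliberately absent: composition rules (must contain a digit, a symbol...)
    and any maximum age. Rotation happens only on suspected compromise.
    """
    failures = []
    if len(password) < min_length:
        failures.append(f"too short ({len(password)} < {min_length})")
    if sha1_hex(password) in breached:
        failures.append("found in compromised-password list")
    return failures


if __name__ == "__main__":
    complex8 = search_space_bits(95, 8)    # 8 chars, full printable ASCII
    long15 = search_space_bits(26, 15)     # 15 chars, lowercase letters only
    print(f"8-char complex: {complex8:.1f} bits; 15-char lowercase: {long15:.1f} bits; "
          f"ratio ~{strength_ratio(long15, complex8):,.0f}x")
    for pw in ("Password123!", "correcthorsebatterystaple", "three green tractors idle"):
        print(repr(pw), check_password(pw) or "ok")
```

A 15-character lowercase-only password has roughly 18 more bits of search space than an 8-character password drawn from all 95 printable characters, i.e. around a quarter of a million times more work for an exhaustive search, which is what “orders of magnitude” means here. Note that `correcthorsebatterystaple` passes the length test and still fails, because length does nothing for a password an attacker already has on a list.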
Make PCI Compliance a Priority
When budgets are tight and you’re not deploying new IT systems, it’s a smart time to get your PCI house in order. If you follow these recommendations, you’ll be that much further ahead when the economy rebounds and you inevitably find yourself juggling new IT projects and initiatives again. And don’t forget to check out the latest PCI DSS guidelines—they’re a great resource for all your PCI-related projects.