Improving PCI DSS Compliance with the CIS Controls


How well are companies protecting payment card data? According to the Verizon 2020 Payment Security Report, the answer is not so well.

Even though threats to payment card data are on the rise, fewer organizations are maintaining a minimum baseline of security controls. According to the Verizon report: “In 2019, from the total population of organizations assessed on PCI DSS compliance, only 27.9% of organizations achieved 100% compliance during their interim compliance validation. This is a further 8.8 percentage-point (pp) drop from the year before, when only 36.7% of organizations demonstrated full compliance.”

So why are organizations struggling with their PCI data security controls? The Verizon report cites a lack of resources to support data security and compliance initiatives as one of the main reasons.

The PCI Data Security Standard (PCI DSS)

The PCI DSS was introduced in 2004 to help prevent credit card fraud. It is a voluntary industry self-governance standard for the protection of payment card data. PCI DSS version 3.2.1 consists of twelve detailed requirements that mirror security best practices. It applies to all entities that store, process, or transmit cardholder and/or sensitive authentication data.

PCI DSS and related security standards are administered by the PCI Security Standards Council, which was founded by the major payment card companies. Participants include merchants, payment card issuing banks, processors, developers, and vendors. The PCI DSS covers technical and operational system components included in, or connected to, cardholder data.

Compensating Controls

To help combat vulnerabilities, many organizations leverage specialized technology in order to implement compensating controls. Like any technical solution, these tools need to be correctly configured and maintained. Outdated settings or misconfigurations need to be identified and remediated before these vulnerabilities can be exploited.

The good news is that many of the organizational shortcomings identified in the Verizon report are eventually solved. However, falling behind on data security programs is never a good idea. A sustainable strategy for long-term compliance is needed, and a security strategy leveraging publicly-available best practices and compensating controls can help.

Using the CIS Controls to Improve PCI Compliance

One of the best ways to develop and implement a long-term plan is through the use of a consensus-driven solution such as the CIS Controls. The CIS Controls and the associated CIS Benchmarks provide security best practices for systems and data.

Developed by a global community of cybersecurity experts and IT professionals, and managed by the Center for Internet Security (CIS), the CIS Controls are 20 prioritized best practices that organizations can implement to help prevent cyber-attacks. The CIS Benchmarks are 100+ configuration guidelines across more than 25 product vendor families, including servers, operating systems, and cloud infrastructure. They provide guidance on administrative privileges, data encryption standards, port access, and more.

Organizations can use the CIS Controls and CIS Benchmarks to help achieve PCI compliance. In fact, CIS recently released a mapping to PCI DSS v3.2.1 that can help those responsible understand what is needed: CIS Controls and Sub-Controls Mapping to PCI DSS.

CIS is included among reputable sources for system hardening in the full PCI DSS document, which is available for download from the PCI document library.

CIS Controls Self Assessment Tool

In addition to the CIS Controls and CIS Benchmarks, IT professionals can use the CIS Controls Self Assessment Tool (CIS CSAT) to help manage their implementation. CIS CSAT enables teams to assess and track progress over time, and identify areas for improvement.

Mappings to PCI DSS v3.2.1 are included in CIS CSAT Pro. These mappings are available in the Mappings section of the Sub-Control View, along with the NIST 800-53 mappings. Users can click on a mapping block to see additional information on the PCI DSS requirement.

CIS CSAT is available as a free hosted version for any organization to try. CIS CSAT Pro offers additional features, including on-premises use, for CIS SecureSuite Members.

Keep Up with Payment Card Security

The Verizon report says that the CIS Controls are a highly practical and useful framework for every organization to use for both implementation and assessment.

While compliance with PCI DSS may seem challenging, developing a long-term plan can help ensure success. Resources and tools for implementing and assessing the cybersecurity recommendations of the CIS Controls and CIS Benchmarks are available through CIS SecureSuite Membership, a cost-effective way to achieve PCI DSS compliance and ensure the protection of data assets.