The 2017 Verizon Payment Security Report asks, “Your payment security might be compliant for the assessment, but how long will it stay that way?” According to the report, 55.4% of businesses achieve full compliance with their annual Payment Card Industry Data Security Standard (PCI DSS) review, but nearly half of these companies then fall out of compliance within a year.
This matters because the link between lapsed compliance and breaches is direct: none of the organizations Verizon investigated after a payment card breach was fully compliant with PCI DSS at the time. The report elaborates on this point, “Many of the security controls that were not in place cover fundamental security principles that have broad applicability. Their absence could be material to the likelihood of an organization suffering a data breach. Indeed, no organization affected by payment card data breaches was found to be in full compliance with the PCI DSS during a subsequent Verizon PCI forensic investigator (PFI) inquiry.”
So why don’t more companies achieve and maintain compliance? For many, the challenge is that they simply don’t have the staffing or the tools to get consistently good outcomes when compliance is treated as a manual task. Automating policy enforcement is a key element of achieving and maintaining compliance. The report backs this up, “Measure, report and act. Enhance data and security monitoring, detection and response competency through automation, training and performance measurement.”
DivvyCloud helps customers achieve and maintain PCI DSS compliance through its pre-built PCI DSS compliance pack. The pack provides dozens of prebuilt policies mapped back to PCI DSS requirements. After connecting their public cloud accounts (AWS, Azure or GCP) to DivvyCloud, a customer can quickly see whether their public cloud environment measures up to these policies, and configure Bots (our automated workflows) to enforce the policies or remediate violations of them. This lets companies move quickly towards compliance and, just as importantly, stay in compliance.
DivvyCloud continuously monitors cloud infrastructure in AWS, Azure and GCP in real time, so PCI DSS compliance is no longer a once-a-quarter exercise in which companies lapse in and out of compliance between assessments. DivvyCloud also gives the customer historical benchmark performance, which helps address the “control performance vs effectiveness” challenge the report discusses:
“The performance of security controls should be measured to determine achievement against an established standard benchmark… Its measurement is based on the amount of time a control meets its intent while in operation, and the amount of time it remains in operation without disruption. It assumes that past achievement is a good indicator of future success.”
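To make that measurement concrete, here is an added illustration (not DivvyCloud code, and not from the Verizon report) of the two pieces the paragraphs above describe: evaluating a set of policy checks against successive snapshots of cloud resources, auto-remediating what fails, and then computing how much of the elapsed time each control actually met its intent. The policy names, resource fields, timestamps and remediation actions are all hypothetical and constructed for the example; real products map each check to a specific PCI DSS requirement and read live configuration rather than an inline history.

```python
"""Added example (not DivvyCloud code): continuous policy evaluation plus
time-in-compliance measurement over a constructed history of resource snapshots."""
from datetime import datetime

ADMIN_PORTS = {22, 3389}  # ports a "no admin ports open to the world" check cares about


# --- Hypothetical policy checks; each returns the names of non-compliant resources ---
def storage_not_public(resources):
    return [n for n, r in resources.items() if r.get("type") == "bucket" and r.get("public")]


def storage_encrypted(resources):
    return [n for n, r in resources.items() if r.get("type") == "bucket" and not r.get("encrypted")]


def no_admin_ports_open(resources):
    return [n for n, r in resources.items()
            if r.get("type") == "security_group" and ADMIN_PORTS & set(r.get("open_ports", []))]


POLICIES = {
    "storage-not-public": storage_not_public,
    "storage-encrypted": storage_encrypted,
    "no-admin-ports-open": no_admin_ports_open,
}


def evaluate(resources):
    """Run every policy over one snapshot; returns {policy: [violating resource names]}."""
    return {name: check(resources) for name, check in POLICIES.items()}


def remediate(resources, findings):
    """Illustrative auto-remediation (the 'Bot' step): returns a corrected copy of the snapshot."""
    fixed = {n: dict(r) for n, r in resources.items()}
    for n in findings.get("storage-not-public", []):
        fixed[n]["public"] = False
    for n in findings.get("no-admin-ports-open", []):
        fixed[n]["open_ports"] = [p for p in fixed[n]["open_ports"] if p not in ADMIN_PORTS]
    return fixed


def time_in_compliance(history):
    """Fraction of elapsed time each policy had zero violations.

    A snapshot's state is assumed to hold until the next snapshot is taken; the
    final snapshot only closes the measurement window. This is the 'amount of
    time a control meets its intent while in operation' idea, computed literally.
    """
    total = (history[-1][0] - history[0][0]).total_seconds()
    compliant_secs = {name: 0.0 for name in POLICIES}
    for (t0, res), (t1, _) in zip(history, history[1:]):
        span = (t1 - t0).total_seconds()
        for name, violators in evaluate(res).items():
            if not violators:
                compliant_secs[name] += span
    return {name: secs / total for name, secs in compliant_secs.items()}


# --- Constructed history: two resources scanned every six hours over one day ---
def _snap(public, ports):
    return {"cde-bucket": {"type": "bucket", "public": public, "encrypted": True},
            "web-sg": {"type": "security_group", "open_ports": ports}}


HISTORY = [
    (datetime(2018, 1, 1, 0), _snap(False, [443])),
    (datetime(2018, 1, 1, 6), _snap(True, [443])),       # drift: bucket made public
    (datetime(2018, 1, 1, 12), _snap(True, [443, 22])),  # drift: SSH opened to the world
    (datetime(2018, 1, 1, 18), _snap(False, [443])),     # both issues remediated
    (datetime(2018, 1, 2, 0), _snap(False, [443])),
]

if __name__ == "__main__":
    findings = evaluate(HISTORY[2][1])
    print("findings at 12:00:", findings)
    print("after remediation:", evaluate(remediate(HISTORY[2][1], findings)))
    for policy, frac in time_in_compliance(HISTORY).items():
        print(f"{policy}: compliant {frac:.0%} of the window")
```

The point of the last function is the one the report makes: a control that passes at assessment time but was out of compliance for twelve of the preceding twenty-four hours scores 50%, not 100%, and that number is what a continuous-monitoring history lets you report.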
The report concludes by saying, “Most companies initiated their PCI Security compliance programs many years ago. By now, they certainly should have processes in place to support their program; making daily management and ongoing control maintenance relatively effortless. Sadly, that’s not always the case.”
DivvyCloud’s policy automation for AWS, Azure, and GCP is here to help if you want to improve your PCI DSS compliance program and bring it to maturity.