Don’t Cast Your Company Adrift With a Leaky Compliance Programme
Treading water to ‘get by’ won’t help your company survive the tsunami of regulatory compliance that’s crashing towards it. Whether it’s PCI DSS, GDPR, PSD2 SCA or MiFID II, your organisation’s buoyancy and survival rest solely on its compliance programme. They don’t rest in the hands of some passing lifeboat, the likes of which recently failed to rescue the Dixon’s corporation from a massive data breach fine of £500,000. A fine which, had the breach occurred under GDPR rules, could have been a staggering 4% of the company’s annual global turnover. No doubt Dixon’s were lucky on this occasion.
We’ve warned in previous blogs about the dangers of just ‘getting by’ with a less than buoyant compliance programme, whether it’s in Call Recording, Multi-Factor Authentication or PCI DSS compliance. We’ve also noted the overlap with these various regulations through encryption, automatic data removal, secure data storage, accurate call retrieval, deletion due to subject request or, as with GDPR, the ability for data to be ‘forgotten’ as well as for its access to be controlled. The list goes on … But, despite these notes of caution and well-publicised data breaches, organisations still fall short in their programmes.
So, what’s the extent of non-compliance and why?
Let’s take PCI DSS as an example.
A recent Verizon report revealed a negative global trend in full PCI compliance. It found that almost a fifth of organisations still have no defined programme, and although the same proportion rated their programmes as advanced, not one organisation was prepared to rate its compliance programme as ‘optimised’. Indeed, VTRAC (Verizon Threat Research Advisory Centre) states it has “never reviewed … or investigated a PCI data breach involving an affected entity that was truly PCI compliant – even if it had signed an Attestation of Compliance (AOC)”. In fact, no organisation sustaining a data breach in 2017-18 was compliant across all 12 Requirements, with number 11 proving the most difficult to satisfy. With VTRAC citing 11 as ‘fundamental’ to setting up and maintaining a robust and fully compliant programme, we need to ascertain why this Requirement poses such a problem.
Requirement 11 – the stumbling block to full compliance
Requirement 11 is all about testing the effectiveness of your security programme. Not only does it carry an unnerving amount of overhead in terms of time and resources, but it’s also very technical. Its requirements mean that external system testing must be done by an ASV (Approved Scanning Vendor). A scan result revealing a vulnerability with a CVSS (Common Vulnerability Scoring System) score greater than 4.0 (a medium vulnerability) requires the finding to be fixed and the scan to be repeated. What’s more, no fewer than four passing ASV scans have to be accomplished in order to secure your follow-on year’s AOC.
You’ll also have to perform quarterly internal vulnerability scans. Any internal scan finding with a CVSS score greater than 7.0 has to be resolved and a re-scan carried out. As you can see, for the whole process of scanning, its preparation, review and so on, your organisation needs a technical team: people who have the ability to understand scan results, to follow them up, fix them and to prepare your systems for the inevitable re-scans. It’s also worth pointing out that although ASV scanning companies often claim they can deliver ‘compliance for the masses’, in reality it’s simply not the case. Compliance is not that easy.
As well as the above external scans, you’ll also need quarterly wireless scans to check for rogue access points, as well as internal and external penetration tests. For most companies, these are required each year and are an additional requirement each and every time significant hardware or software changes occur.
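The triage and cadence rules above lend themselves to a small checker. The script below is an added example, not BCH’s code and not any scanner’s real output format: it applies the two CVSS thresholds the post describes (external ASV findings at 4.0 or above block a clean scan; internal findings at 7.0 or above must be fixed before the re-scan) to a constructed set of findings, and then checks a constructed scan history for the four passing quarterly scans the post says an AOC renewal needs. One caveat from the ASV Program Guide: a base score of exactly 4.0 already fails an ASV scan, so the checker uses "4.0 or higher" rather than the post’s "greater than 4.0"; the difference only matters at that one boundary value. Hostnames, plugin names and dates are all invented.

```python
"""Vulnerability-scan triage and quarterly coverage check (added example).

Not BCH's code and not a real scanner's format. Findings and scan history
below are constructed sample data. Thresholds follow the post: external ASV
scans fail on CVSS 4.0 or higher (the ASV Program Guide's rule), internal
scans must resolve anything at 7.0 or higher before the re-scan.
"""
from dataclasses import dataclass
from datetime import date

ASV_FAIL_THRESHOLD = 4.0       # external ASV scans: medium and above fail
INTERNAL_FIX_THRESHOLD = 7.0   # internal scans: high and above must be fixed


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str          # hypothetical scanner check name
    cvss: float          # CVSS base score as reported by the scanner
    description: str


def needs_remediation(finding: Finding, scan_type: str) -> bool:
    """True when a finding blocks a clean result for the given scan type."""
    if scan_type == "external":
        return finding.cvss >= ASV_FAIL_THRESHOLD
    if scan_type == "internal":
        return finding.cvss >= INTERNAL_FIX_THRESHOLD
    raise ValueError(f"unknown scan type: {scan_type}")


def triage(findings, scan_type):
    """Split findings into those that must be fixed before a re-scan and
    those that can be scheduled normally.

    Returns (passed, must_fix, can_defer); must_fix is ordered worst-first so
    the remediation team works from the top of the list."""
    must_fix = sorted((f for f in findings if needs_remediation(f, scan_type)),
                      key=lambda f: f.cvss, reverse=True)
    can_defer = [f for f in findings if not needs_remediation(f, scan_type)]
    return (not must_fix, must_fix, can_defer)


def quarter_of(d: date) -> int:
    """Calendar quarter (1-4) of a date."""
    return (d.month - 1) // 3 + 1


def quarterly_coverage(scans, year):
    """Return the quarters of `year` with no passing scan.

    `scans` is an iterable of (date, passed) pairs. An empty set means every
    quarter has a passing scan, i.e. the four passes the post says are needed
    for the follow-on year's AOC are all present."""
    covered = {quarter_of(d) for d, passed in scans if d.year == year and passed}
    return {1, 2, 3, 4} - covered


# Constructed sample findings (not real scan output).
SAMPLE_FINDINGS = [
    Finding("web01.example", "tls-legacy-version", 4.3, "TLS 1.0 enabled"),
    Finding("web01.example", "http-missing-header", 2.6, "Missing HTTP security header"),
    Finding("db01.example", "unsupported-software", 7.5, "Unsupported software version"),
    Finding("vpn01.example", "self-signed-cert", 6.5, "Self-signed certificate"),
]

# Constructed scan history: (scan date, passed) for an external ASV scan.
SAMPLE_SCAN_HISTORY = [
    (date(2019, 1, 15), True),
    (date(2019, 4, 20), False),
    (date(2019, 5, 2), True),
    (date(2019, 7, 30), True),
    (date(2019, 11, 1), False),   # Q4 only has a failed scan so far
]


def report():
    """Summarise both checks for the sample data; returns a dict for reuse."""
    ext_ok, ext_fix, _ = triage(SAMPLE_FINDINGS, "external")
    int_ok, int_fix, _ = triage(SAMPLE_FINDINGS, "internal")
    missing = quarterly_coverage(SAMPLE_SCAN_HISTORY, 2019)
    return {
        "external_passed": ext_ok,
        "external_must_fix": [f.plugin for f in ext_fix],
        "internal_passed": int_ok,
        "internal_must_fix": [f.plugin for f in int_fix],
        "quarters_without_pass": sorted(missing),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run as a script it prints that the external scan fails on three findings, the internal scan on one, and that Q4 still needs a passing scan. The same findings list giving a different verdict for each scan type is the point: a medium finding that an internal process might schedule for the next patch cycle is enough to fail the external ASV scan, which is why the re-scan loop the post describes needs someone who can read the scores and act on them.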
This effectively puts a complete cap on upgrading your systems without a whole raft of penetration tests and re-scanning. Basically, unless you’re technical, qualified to run your own internal penetration tests and, of course, have very deep pockets, it’s really difficult to satisfy these requirements. It’s why compliance with PCI DSS is considered such a time-consuming and costly challenge, and why, undoubtedly, compliance levels are declining. This is all the more ironic given how difficult it is to satisfy the procedural requirements that follow a data breach and then, of course, to meet any subsequent and potentially devastating fines.
BCH’s cloud-hosted communications solutions remove these obstacles
As an approved Level 1 PCI DSS provider, we’ve already secured full compliance, so you won’t have to worry. Employing our fully-hosted cloud communications platform, which can either sit alongside your existing legacy system or replace it, is an opportunity to achieve compliance across a myriad of regulations. Doing so can avoid additional costs when, for example, you would otherwise have to modify or upgrade software procedures or buy licences each and every time a new or updated regulation is introduced.
BCH perform non-disruptive automatic software updates to ensure on-going regulatory compliance. There’s simply no need for our clients to do anything.
Whether it’s PCI compliance – requiring sensitive card data to be automatically removed from call recordings; GDPR regulations – calling for sensitive personal data to be encrypted; or MiFID II – requiring businesses within the financial services sector to record all transaction-related calls and to securely store them for a minimum of 5 years, our fully compliant systems will deliver.