PCI DSS May Require Pulling Up Your SOX (or ISO)

Posted by David Gamey on 22 Feb 2018.

Executives and managers in organizations preparing for their first onsite PCI security assessment may feel confident that having passed a SOX audit will make passing a PCI audit relatively easy. And while it’s true that it can make passing PCI easier, there can often be significant and expensive gaps between complying with the two frameworks.

SOX and PCI Have Different Programs, Objectives and Methods

Perhaps it's human nature to confuse these very different programs. That certainly seems to be what we've seen in the industry. Without question, SOX and PCI both require strenuous effort to achieve compliance and complete audits; however, we find that the gaps between them can be significant, which is often unexpected and surprising. Understanding why requires a slightly deeper look, as there are several reasons why SOX and PCI don't align:

  • The most significant reason is that while both standards focus on protecting information and both deal with best practices, their fundamental objectives are quite different. Both are reactions to control failures that began more than a decade ago: SOX to Enron et al., and PCI to Egghead, CardSystems, TJX, Heartland, Target, Home Depot, and many others. SOX is really all about accuracy and integrity for the purpose of supporting audited financial statements. PCI is about preventing payment card account data breaches. Consequently, SOX is concerned with who changed what, whereas PCI is ultimately more concerned with who saw cardholder data.
  • PCI is far more prescriptive and detailed than SOX. Management and auditors have more flexibility in their choice and tuning of best practices adopted in a SOX world. SOX controls often come up short when viewed through a PCI lens.
  • PCI scope and applicability are often broader than under SOX. PCI scope extends across the entirety of unbounded networks and their connected systems; as such, it tends to consume entire corporate networks and everything connected to them. While there is no requirement for internal segregation of systems under PCI, in many cases achieving full compliance without segregation is impossible in practice. SOX simply allows more flexibility and selectivity than PCI.
  • SOX controls are based upon well-established criteria for determining materiality. PCI has no similar built-in concept. The underlying regulations are written without regard to transaction/account volumes or risk. While the application of PCI under the payment brand regulations does include concepts of risk based on transaction/account volumes and payment channels, the lack of a materiality concept can be challenging in low risk situations.

Similarly, PCI and ISO/IEC 27001 also don't completely align, and many gaps can arise if the ISO Information Security Management System (ISMS) doesn't specifically consider PCI DSS control requirements.

13 Years On and PCI DSS Is Still A Challenge

With PCI DSS entering into its 13th year, a fair question to ask would be "why are organizations still finding PCI challenging?"

One reason is that PCI DSS validation isn't one-size-fits-all:

  • The only organizations fully assessed (i.e. completing a Report on Compliance) under PCI DSS are the largest merchants and service providers (by transaction/account volumes), those unfortunate enough to have suffered a data breach, and any that voluntarily assess.
  • Smaller organizations are expected to be fully compliant but are measured using a lighter-weight validation process (i.e. a Self-Assessment Questionnaire) that leaves out much of the detail and rigor of a full assessment.
  • Issuers of credit cards, often large banks, are also expected to be fully compliant but have so far been exempt from the mandatory formal annual validation required of those accepting credit cards.

The main reason, however, is that business and technology changes within the organization are a significant factor contributing to the ongoing challenge. These changes almost always result in a PCI DSS scope change:

  • Business changes such as mergers, acquisitions, and new lines of business can introduce non-compliant elements.
  • Business changes that adopt new technologies (e.g. mobile applications, pay at the door) will also need to be compliant.
  • Business growth can lead to increased account/transaction volumes that cross the threshold requiring a full assessment.
  • Previously unidentified cardholder data processes and flows (such as shadow IT) may be going through their first assessment.
  • Technology changes (e.g. telephony) within the business can dramatically impact an organization's compliance footprint.
  • Contractual and other business requirements from customers (where the business is a service provider) can expand what must be validated.
  • Inadequate due diligence in validating a solution, a service provider, or another third party can leave gaps.
  • Businesses also need to be prepared for future mandated DSS requirements, which are added to address new threats and feedback from breaches.

We believe we've covered the major reasons above; however, other factors such as staff changes, training, and even assessor changes can also create their own challenges.

We hope that this provides some insight into why many organizations, including some large players, are still struggling with PCI DSS to this day. We also hope that you will find our Learn More resources valuable.

Learn More