Mitigating controls are the key to reducing threats and vulnerabilities. That statement is the fundamental premise for designing, implementing and maintaining a risk management strategy. Where does one find the proper mitigating controls for use in the organization's risk management strategy? For information security management systems, the mitigating controls can be found within international standards such as ISO/IEC 27001:2013, whose Annex A lists the controls (with implementation guidance in ISO/IEC 27002). The controls outlined in these standards define and suggest measures to take in order to reduce risk to an organization's assets. We have a very popular article that describes the use of mitigating controls to reduce the risks that arise from the relationship between threats and assets.
PCI standards experts who have stumbled upon this article probably won't find the information new and insightful, but you are welcome to leave us some additional wisdom of your own. The article is intended for risk managers and risk analysts who are beginning to work with the Payment Card Industry Data Security Standard (PCI DSS) and who may have been using other standards and control sets for risk management.
We have already discussed the compatibility of implementing the PCI DSS and ISO 27001 standards simultaneously. We hope to continue emphasizing the connections between the standards and the work that each requires but that the risk management team only needs to complete once in order to pass both the ISO 27001 certification audit and the PCI DSS assessment.
To start with, there is a difference between the PCI DSS and ISO 27001: the latter is designed for information security management systems and is a voluntary international standard, while the former is a contractual requirement, enforced through the card brands and acquirers, for any organization that stores, processes or transmits cardholder data, including merchants, service providers, acquirers (merchant banks) and issuers. Some of the PCI DSS requirements are written specifically around protecting cardholder data (requirements 1, 2, 3, 4, 10 and 11: firewall configuration, no vendor defaults, protection of stored cardholder data, encryption in transit, logging and monitoring, and regular security testing); the remaining requirements (5, 6, 7, 8, 9 and 12: anti-malware, secure systems and applications, need-to-know access, identification and authentication, physical access, and security policy) are foundations of security in general and coincide directly with other security standards.
Because the PCI DSS requirements come with a large number of testing procedures and verification steps, and because third parties are frequently involved both in testing and in processing the data, the control implementation strategy is more comprehensive than that of ISO 27001. The nearly 300 sub-requirements, each with its own testing procedures and guidance, are a daunting task for even the most efficient and effective risk managers to maintain and organize.
When defining the scope of the PCI DSS strategy, you have to consider the cardholder data environment (CDE): the people, processes and technology that store, process or transmit cardholder data, together with any system that is connected to the CDE or could affect its security. The standard doesn't require the CDE to be isolated, so without segmentation the entire infrastructure is in scope. Network segmentation of the CDE from the rest of the entity's network isn't required, but it is strongly recommended as a best practice to reduce the scope, the cost and difficulty of implementing and maintaining controls, and the risk to the organization. Keep in mind that segmentation only reduces scope if it is verified: PCI DSS requires penetration testing, at least annually and after any change to the segmentation controls, to confirm that the segmentation actually isolates the CDE. Another best practice is to use a "business-as-usual" approach to implementing controls and processes, allowing the organization to monitor the effectiveness of the security controls on an ongoing basis. The principle is to maintain the PCI DSS environment while improving compliance between assessments.
Other key recommendations for maintaining a compliant environment while improving control implementation are themselves fundamentals of the ISO 27001 standard, and include:
Compensating controls may be considered for most PCI DSS requirements when an entity cannot meet a requirement explicitly as stated, due to legitimate technical or documented business constraints, but has sufficiently mitigated the risk associated with the requirement through implementation of other, or compensating, controls.
Compensating controls must satisfy the criteria laid out in Appendix B (Compensating Controls) of the standard, and on an annual basis each compensating control must be documented, reviewed and validated by the assessor and included with the Report on Compliance submission, using the worksheet in Appendix C (Compensating Controls Worksheet).
The process can be intimidating at first, but with proper management of time and resources the effort is worth it, especially when you are required to comply. We intend this article to shed some light on the similarities between the standards.
The Risk Management Studio application is designed to execute a strategy that streamlines your risk management process and aids you in implementing the controls. We have mapped the controls of ISO 27001:2013 to the PCI DSS requirements, making your job much easier. The tool outlines the process for you and allows for rapid deployment, while providing numerous customization features so you can adapt it to your specific risk management needs. For more information, feel free to contact our customer support at email@example.com.