
Automating PCI-DSS Compliance with Chef

Alan Baptista | Posted on | Chef Compliance | Chef InSpec | compliance

Any company that handles credit card data, especially in the United States, is subject to the Payment Card Industry Data Security Standard (PCI DSS), and already knows how difficult and time-consuming PCI audits can be.  

Gathering the data that demonstrates how each and every configuration item in the cardholder data environment (CDE) is compliant, and has remained compliant over time, is often a manual process. The hundreds or thousands of hours of labor required to collect this information by hand are wasteful. That’s why it is critical for any organization subject to PCI to pass its audits quickly with as little manual work as possible. By automating these processes, engineering teams can spend less time hunting down information to satisfy audit requests and more time doing product development.

Maintaining PCI DSS compliance is a struggle for many organizations, particularly those that have experienced a data breach. The 2020 Verizon Payment Security Report found that companies in the retail, hospitality, and finance industries struggled the most with PCI DSS requirements.

The same report found that only 27% of organizations were able to maintain full compliance with the PCI-DSS, an 8.8% drop from the year before.

A typical approach to passing a PCI DSS audit is to issue ad-hoc remote commands to gather information, write verification scripts that are run by hand, or manually verify a number of system settings alongside auditors using screenshots and similar evidence. This approach is fundamentally unsustainable because it requires custom work that is specific to the context of your PCI DSS audit. It cannot be reused in other parts of business-critical workflows, such as checking for compliance in pre-production environments.

Adopting a continuous compliance approach allows organizations to answer audit questions at any time, not just quarterly or yearly. Chef Compliance can help implement continuous security assessments that allow your organization to satisfy audit requirements at any time and make audits painless.

With Chef Compliance, your teams can enter an audit cycle knowing their exact compliance posture, rather than being surprised by auditors who find weak points in your environment. Compliance issues or policy breaches can be identified rapidly, and teams can react quickly to triage and remediate problems before auditors show up.

For more information visit the Chef for PCI-DSS Compliance page: chef.io/solutions/compliance/pci-dss 