Database Compliance Explained: SOX vs PCI DSS

Database compliance has taken center stage in recent years due to the exponential rise in Ecommerce and online activity involving Personally identifiable information (PII). Sarbanes-Oxley Act (SOX) and Payment Card Industry Data Security Standard (PCI DSS) are two leading compliance protocols that organizations can no longer ignore.

More and more organizations are also realizing that traditional security solutions and manual procedures are no longer enough to get the job done. This article will delve into SOX and PCI DSS, while showing you how database automation tools can help you ace your audits and stay on top of things.

Internal-Difference-between-sox-and-pci

What is SOX?

In a nutshell, the Sarbanes-Oxley Act of 2002 is meant to help protect investors from fraudulent financial reporting by corporations. Also known as the SOX Act of 2002 and the Corporate Responsibility Act of 2002, it mandates strict reforms to existing securities regulations and imposed penalties on violators.

SOX defines a framework that makes it harder for executives to escape scrutiny for data hacks. Organizations must maintain proven auditing practices and assure integrity and timeliness of data. These requirements necessitate comprehensive tracking and system management that handle critical data. 

The new law sets out reforms and additions in four principal areas:

  1. Corporate responsibility
  2. Increased criminal punishment
  3. Accounting regulation
  4. New protections

SOX Compliance Requirements

Section 802 of the SOX Act of 2002 involves three rules. The first deals with destruction/falsification of records. The second strictly defines the retention period for storing records. The third rule outlines the specific business records that companies need to store, including electronic communications.

Section 404 of the SOX Act of 2002 requires organizations to establish internal controls and reporting methods to prove that they are compliant. 

To accelerate your SOX database compliance, you need a solution that provides comprehensive database activity visibility. This solution must have advanced reporting, alerting, access control, and auditing features to address the requirements mentioned in sections 302, 404, and 409 of the SOX act.

Read More: SOX Database Compliance

What is PCI DSS?

Payment Card Industry Data Security Standard (PCI DSS) is an information security standard for organizations that handle branded credit cards from the major card schemes. The standard was created to increase controls around cardholder data to reduce credit card fraud.

If a company is PCI-compliant and suffers a data breach, it can still be responsible for paying penalties. However, the card brands may significantly lower or even completely eliminate fines if the company in question has taken all the required steps to become (and stay) PCI-compliant. 

The PCI Data Security Standard specifies 12 requirements for compliance, organized into six logically related groups called "control objectives". 

  1. Build and Maintain a Secure Network with Robust Systems
  2. Protect Sensitive Cardholder Data
  3. Create a Transparent Vulnerability Management Program
  4. Enforce Strong Access Control Measures
  5. Monitor and Test All Networks
  6. Maintain an Up-to-date Information Security Policy

The 12 requirements are a combination of best practices and data security guidelines that have to be met at all times to make sure that no personal data is leaked. Any lapses or mishaps can lead to the compromising of millions of cardholder details such as credit card numbers, addresses, and more.

  1. Implementation of a firewall configuration to protect cardholder data by scanning network traffic and blocking untrusted network access.
  2. Changing vendor-supplied defaults (which are typically easy to guess) for system passwords and other security parameters.
  3. Protecting stored cardholder data. Encryption, hashing, masking and truncation are methods used to protect cardholder data.
  4. Strong encryption while transmitting cardholder data over open, public networks, using only trusted keys and certifications..
  5. Protecting all systems against malware and performing regular updates of antivirus and other types of security software solutions. 
  6. Developing and maintaining secure systems and applications  to stop malicious individuals from gaining privileged access. 
  7. Usage of systems and processes to restrict privileged access to cardholder data only on a “need to know” basis.
  8. Identification and authentication - Each person with access to system components should be assigned a unique identification (ID).
  9. Restricting physical access to cardholder data and implementing adequate security obstacles to make sure everything is safe.
  10. Tracking and monitoring all access to cardholder data and network resources with the help of logging mechanisms.
  11. Testing of systems, processes and software frequently to uncover vulnerabilities that could be used by malicious individuals.
  12. Maintaining an information security policy for all personnel and making them understand the sensitivity of data and information.

PCI DSS Compliance Requirements

What organizations need to prepare for is Report on Compliance (ROC). This is basically a form that  is used to verify that the merchant being audited is compliant with the PCI DSS standard. ROC confirms that policies, strategies, approaches & workflows are appropriately implemented by the organization.

However, there is a big “grey area” when it comes to PCI DSS. Not only are the instructions vague and tough to interpret, but the enforcement is still pretty much inconsistent and unclear on many levels. This leaves many organizations confused about what needs to be done, especially with the database. 

For example, Compliance with PCI DSS is currently not required by federal law in the United States. However, some U.S. state laws refer to PCI DSS directly.

Did You Know?
As per a recent Verizon report, only 29% of companies remain PCI DSS compliant a year after validation (passing an audit).

SOX vs PCI DSS - Not Quite the Same

The main difference between the two protocols is that SOX is a mandatory compliance requirement for US government entities, with violators facing monetary and criminal consequences. The Sarbanes-Oxley Act holds organizations accountable and requires them to demonstrate compliance.

Besides the aforementioned Report on Compliance, an organization required to be SOX-compliant will need to create an Internal Control report, with all detected faults being reported up the chain. All documentation needs to be constantly updated and maintained for the auditors inspection.

On the other hand, PCI DSS is essentially a set of best practices that is more of an “alignment tool” with the big credit card companies, who can also issue monthly penalties to non compliant entities (based on their client volume). It’s more of a gold standard when it comes to online transactions.   

 

 

SOX

PCI DSS

Effective 

July, 2002

September, 2006

Sector/s

Publicly Traded US Companies 

E-commerce, Banking, Services

Type of Data

Corporate Info, Communications

Card Numbers, Personal Details

Region

USA

Global

Mandatory

Yes

Only if Processing Card Info

But regardless of what protocol you are required to follow, you will not be able to skip the aligning of your database to get compliant. There is too much data at stake for you to rely on traditional security solutions (firewalls, WAFs) or manual workarounds that are no longer able to get the job done.

Automating Database SOX Compliance

Your database management can no longer be just an afterthought. Your pipeline needs to be meticulously planned, designed, and monitored to get optimal results and also achieve sustainable compliance. Having such a solution in place will give you the ability to do the following without adding staff.

Here are three significant steps that will get you SOX-compliant in no time.

  • Create Customized Roles and Permissions

    This crucial functionality is literally the foundation of every database compliance activity. Every Database Administrator (DBA) needs to know who is putting their hand into the jar. Old methods involved hiring people who tried to document all activity with third-party solutions. But that no longer works.

    A modern database automation and management solution will allow you to create customized roles and permissions, while managing (removing, adding, editing) them seamlessly as per the organization’s requirements. And it gets better - everything is documented automatically for your SOXI audit.
  • Gain Enhanced Visibility with Constant Monitoring

    Staying compliant also means that you are monitoring all changes in real-time with the ability to notify relevant stakeholders about data breaches when they occur. Database automation solutions help enforce version control best practices and change policy for database development across all teams.

    DBAs can also enjoy check-in and check-out mechanisms that significantly improve their ability to regulate the amount of developers working on the application code at any given time. This is extremely important in organizations that are scaling up with multiple teams on-premise and in remote locations.

    Database changes are thus validated against schemas and relevant content, while preventing unauthorized and out-of-process changes. This ensures that all changes are properly logged, something that significantly boosts visibility and also provides you with a comprehensive audit trail - automatically.
  • Enforce Full Lifecycle Compliance with Policy Rules

    Furthermore, having such an automation solution in place will also help you create better code. A smooth development pipeline will allow you to model the release process and production path, while predicting errors or conflicts that might prevent a successful deployment or create unexpected bottlenecks.

    Once you can package, verify, deploy and promote database changes securely, you can get better at preventing configuration drift and also non-policy changes to your code. This effectively improves your code integrity and provides your organization with another effective layer of defence.

Wrapping Up

As mentioned earlier in this article, automating and monitoring your database has become a crucial aspect in achieving SOX and PCI DSS compliance. 

Furthermore, having such an automation solution in place will also help you create better code. A smooth pipeline will allow you to model the release process and production path, while predicting errors or conflicts that might prevent smooth deployment or even lead to unexpected downtimes. 

Only a proactive approach will enable your organization to pass all SOX audits with flying colors, while improving productivity and boosting benchmarks.

Want to Ace Your SOX Audit?
Take Your Database SOX Compliance to the Next Level With a Fully Automated Compliance Solution

More Posts You May Like