To start off, I must admit that while documenting thoughts for this post I could not get the song “We’re Not Gonna Take It” by Twisted Sister out of my head.
The driver for this post was a blog post by Anton Chuvakin – where he posed the big question about how PCI can be easier. I provided some thoughts to him and he welcomed some additional thoughts.
Alex Hutton over at Risk Management Insight has also opined recently about PCI, the “compliance stick” not making compliance easier, and for those responsible for something like PCI compliance efforts – taking on a more consultative, high information value, decision making approach.
And of course, this post comes a few days after a breach disclosure – involving a payment processor called Heartland Payment Systems.
This post is not about how the PCI Security Standards Council can make compliance with PCI-DSS easier to achieve. Nor is it about how QSAs or security vendors can make merchants’ PCI compliance efforts easier. This post is focused on merchants or processors making PCI compliance easier for themselves. My thought process is that if merchants can make some aspects of PCI compliance easier on themselves – then there is a reduced need to rely “so much” on QSAs and less heartache around PCI-DSS in general.
So off we go….
Commitment – The information risk management folks driving PCI compliance need to be committed to it. However, this commitment needs to be rooted in something more intangible than ensuring compliance with all the PCI-DSS requirements – which are really just a means to an end. The “end” needs to be what we are committed to: protecting consumers, maintaining business operations, and reducing credit card fraud. Yep, some reading this are probably rolling their eyes and may click away from this page before even getting to the end of this sentence – but c’mon – be honest with yourself – is the “end” what we are committed to, or just being compliant?
Structured Approach – Some entities may have their ducks in a row and “manage” PCI compliance to the nth degree – good for them. Other entities are pushing it along with their bellies. Some thoughts I have on a structured approach include:
1. Do you have the equivalent of a PCI context diagram? Maybe something that visually represents the interested parties in your organization: treasury / finance, billing, application areas, IT areas, legal, etc.
2. What are the different PCI compliance “work streams” you are managing? More than likely you have more than one work stream, regardless of your state of compliance.
3. Are the persons responsible for managing PCI compliance properly positioned to deal with all the PCI interested parties in your organization? A few years ago I witnessed a CIO who, within a few months of being in his role, promoted a handful of IT executives to titles/roles that would be equal to their business partners. The same concept applies to those managing PCI compliance – they have to be positioned to adequately deal with non-executive roadblocks, but also have access to executive stakeholders to deal with executive roadblocks.
4. Finally, managing PCI compliance should not be relegated to the new employee or the junior employee – especially if they have no previous PCI compliance management experience. There are too many business, political, and IT obstacles to deal with, and they require business acumen, negotiating, informing, and project management skills – especially in big companies.
Expertise – Those managing PCI compliance need to be the experts on PCI within the organization. Knowing the words behind the acronym is not enough. I would argue that those responsible for PCI compliance should be familiar with all of the requirements and know what type of control each one is (preventive, detective, or responsive). You need to be able to gauge the effectiveness of the control in the context of the asset it is applied to and your environment in general. There is nothing worse in my mind than a QSA finding something you should have already known, or a QSA knowing more about your environment than you do.
Continuity – No, I am not talking about business continuity – but PCI compliance management continuity when people leave a company or take on new roles. There needs to be adequate documentation, and there needs to be an intentional effort to make sure the knowledge transfer occurs and is understood. A lack of continuity can result in weeks if not months of re-gathering information, with the possibility of losing valuable information along the way.
Some of these thoughts sound like no-brainers, and I applaud you for making it this far in the post. If I were interviewing for a PCI-specific role, being assigned to a new PCI-specific role, or assessing a company’s PCI compliance efforts – the thoughts above would form the questions I would ask. Also, just because a merchant / processor is doing all of the above does not mean they will never need to reach out to QSAs, or that PCI will just magically be easier. However, I do think it will provide clarity as to what needs to be done, as well as allow a company to take a stronger stand against false claims of both compliance and non-compliance by interested parties.