PCI Compliance – Your First Three Steps to Compliance
We’ve all been there. You are sitting at your desk, minding your own business, and someone drops off a letter addressed to the PCI Compliance Officer. You have just been notified that you are officially a Level 1 Merchant. Today isn’t your day.
Several years ago I was sitting at that desk, and I still clearly remember the day the letter arrived; it was the 19th of January, 2006. The letter stated that the company I worked for was a Level 1 Merchant and we were required to submit a PCI-DSS (Payment Card Industry Data Security Standard) report on compliance by the end of the year. I was visited by every C-level officer and most of the other senior managers in the company that day. They all had the same questions — and one collective demand: Are we compliant? What do we do next? What’s it going to cost? Do we have to do this? What if we don’t pass? You need to answer these questions, and you need to do it fast!
So what should you do?
A number of tasks should be executed as soon as possible, even if you already have a compliance program.
- Make PCI compliance a priority for the COMPANY, not just the IT Department. In most companies the IT department doesn’t actually own the revenue chain, the business does. Sure, many of the controls are IT-centric, but many of the ones most commonly overlooked and most logistically challenging deal with vendor relationships, awareness training, and policy and procedures. Think about all the places credit card data comes into your company from … all of those people will need to be covered by credit card data handling policies and will need to attend security awareness training focused on properly handling credit card data. The easiest way to make it a priority is to assign ownership to one of the senior officers in the company: the CIO, COO, CSO, CFO or some other C-level officer. If that seems like “overkill,” then you’ve just made my point for me … this stuff is important! Failing to understand that will cost you time, money and opportunity.
- Call the bank. Talk with your relationship manager at the bank and schedule a quarterly call with him or her. The purpose of the call is to both build a real relationship with them and to tell them how you are progressing on your compliance initiatives. Be upfront with them and tell them what you are working on and how you are going about it. Sometimes they can be very helpful in solving some of your biggest problems. I also suggest inviting your QSA to sit in on these calls, particularly during the first year, because this expert can lend the objectivity that the bank’s employees will be looking for when discussing progress. The QSA can also help you filter and process some of what the bank is telling you. QSAs can also help by sharing their experience. They’ve likely seen the same situation before and can base their recommendations on real-world experience and what works and what doesn’t. If you don’t have a QSA yet, go to step number three.
- Get some expert assistance. This is probably the most important thing you can do to get your company on the road to compliance. Look for a firm that employs senior practitioners and has people who have been in your shoes (yes, I’m talking about a company like FishNet Security) because they probably have people who have already seen your exact challenges and can help you architect solutions to your problems. Here are a few of the things you’ll want any firm you engage to be able to assist with:
- Help you educate the staff (particularly your executive level staff; compliance starts at the top and it is important to learn how it can impact the company). The biggest issue facing most companies trying to comply with PCI is that their executive management doesn’t understand it and they are afraid to ask!
- Help determine how “compliant” you really are; you need a starting place. One of my biggest problems in compliance used to be the blind spots. Every company does certain things well and other things not as well. The expert will be able to analyze your payment chain and identify areas that are likely to cause a problem and which ones are complaint. This is really important because if you are like me, you only like surprises on your birthday.
- Recommend remediation tasks that will need to be accomplished. A good QSA will understand not only the issue causing a gap in compliance but will also be able to look at your environment and suggest ways to achieve compliance. One of the biggest benefits of having a QSA assist with remediation is that companies often try remediation and either overdo it or don’t go far enough. Both situations cost you additional time and money and can be avoided with a little guidance that aligns compliance, security and business needs. I strongly suggest engaging the company that will eventually conduct your PCI audit because it will help with consistent guidance throughout the process.
So let’s recap: The three steps are make compliance a priority for the company, call the bank and get some expert assistance. Sure, there a many more things that will need to be “done” before you’ll be compliant with the PCI-DSS, and it’ll take a while to get there. It certainly won’t be easy. Remember, a journey of a thousand miles begins with the first step. By starting with these three simple steps, you can get your company off on the right foot as it begins its journey towards compliance.