When faced with PCI compliance, most executives admit they don’t know where to start or who to go to for answers. Should they ask their managed service provider, hosting vendor, software vendor, or security consultant? And when they do get answers, they may not be sure what they mean or how to evaluate their effect on compliance.
Things get even more complicated in fast-growing companies where people are constantly changing roles and responsibilities. The question of who is responsible for what becomes lost in organizational changes, as does compliance documentation from the previous year. When the PCI auditor calls, there’s often a panic to respond as well as serious internal pressure to avoid paying expensive fines for failure.
Navigating compliance on your own can be frustrating and costly. In a pre-audit assessment, third-party auditors can identify areas that need your attention but aren’t legally allowed to give you recommendations. A vendor like Five Talent has the freedom to identify which areas are at risk for failure and then make clear recommendations for how to change them.
In our experience, the biggest struggle clients face with PCI compliance is understanding what their vendors are responsible for and what they need to take on themselves. This lack of awareness can lead to confusion, frustration, and repeated failed audits.
There are three critical steps to building a proactive PCI strategy that ensures ongoing compliance.
Step 1: Identify Shared Responsibilities
If you have multiple vendors, chances are you have some assumptions about who is taking care of compliance. Even if you’re familiar with the PCI DSS Compliance checklist, you still need to know exactly who is responsible and accountable for following necessary steps.
PCI DSS Compliance Checklist:
1 – Install and maintain a firewall configuration to protect cardholder data.
2 – Do not use vendor-supplied defaults for system passwords and other security parameters.
3 – Protect stored cardholder data.
4 – Encrypt transmission of cardholder data across open, public networks.
5 – Use and regularly update anti-virus software or programs.
6 – Develop and maintain secure systems and applications.
7 – Restrict access to cardholder data by business need to know.
8 – Assign a unique ID to each person with computer access.
9 – Restrict physical access to cardholder data.
10 – Track and monitor all access to network resources and cardholder data.
11 – Regularly test security systems and processes.
12 – Maintain a policy that addresses information security for all personnel.
– Source: PCI DSS Cloud Computing Guidelines, PCI Security Standards Council
- Assemble a compliance team representing your vendors, providers, and internal managers for a holistic view of your process.
- Walk through a Shared Responsibility Model to determine which individuals will be responsible for each item on your PCI DSS checklist. Taking 100% ownership of a line item means reporting and proving to your auditor that the checklist item is complete. It also means ensuring that everyone affecting the item is following the checklist.
- Maintain a centralized documentation repository as an in-house knowledge base for roles and responsibilities. This is hugely important for seamless transitions when people change or leave jobs. This includes job duties and daily responsibilities, as well as documentation of PCI activities from the previous year.
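The script below is an added example, not Five Talent's tooling or anything from the original post. It models the shared-responsibility walk-through as a register that lives in the documentation repository and is checked before every audit: each of the twelve requirements must have exactly one accountable owner, each owner must have evidence filed (a vendor attestation for vendor-owned items, since the vendor still has to prove the item to your auditor), and that evidence must be newer than the lookback window an auditor typically asks for. Owner names, file paths and dates are constructed sample data, and the 180-day default is an assumption taken from the three-to-six-month figure the post gives later.

```python
"""Shared-responsibility register check for the 12 PCI DSS requirements.

Added example (not Five Talent's code). Requirement numbers and titles follow
the checklist above; owners, evidence paths and dates are constructed samples.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

PCI_REQUIREMENTS = {
    1: "Install and maintain a firewall configuration",
    2: "Do not use vendor-supplied defaults",
    3: "Protect stored cardholder data",
    4: "Encrypt transmission across open, public networks",
    5: "Use and regularly update anti-virus software",
    6: "Develop and maintain secure systems and applications",
    7: "Restrict access by business need to know",
    8: "Assign a unique ID to each person with computer access",
    9: "Restrict physical access to cardholder data",
    10: "Track and monitor all access to network resources and cardholder data",
    11: "Regularly test security systems and processes",
    12: "Maintain an information security policy",
}


@dataclass
class Assignment:
    """One row of the register: who is accountable for proving one requirement."""
    requirement: int
    owner: str                      # person, team or vendor taking 100% ownership
    is_vendor: bool                 # vendor-owned items need the vendor's attestation
    evidence: Optional[str] = None  # path in the documentation repository
    evidence_date: Optional[date] = None


# Constructed sample register; requirements 9 and 12 are deliberately unassigned.
SAMPLE_REGISTER = [
    Assignment(1, "Cloud provider (sample)", True, "vendors/cloud-aoc.pdf", date(2024, 3, 1)),
    Assignment(2, "Ops lead (sample)", False, "runbooks/hardening.md", date(2024, 5, 15)),
    Assignment(3, "Platform team (sample)", False, "docs/encryption-at-rest.md", date(2023, 9, 1)),
    Assignment(3, "Payments vendor (sample)", True, "vendors/psp-aoc.pdf", date(2024, 4, 1)),
    Assignment(4, "Platform team (sample)", False),          # no evidence filed
    Assignment(5, "Managed service provider (sample)", True),  # vendor claim, no attestation
    Assignment(6, "Engineering lead (sample)", False, "docs/sdlc.md", date(2024, 2, 10)),
    Assignment(7, "Security lead (sample)", False, "docs/access-reviews.md", date(2024, 5, 1)),
    Assignment(8, "IT lead (sample)", False, "docs/identity.md", date(2024, 4, 20)),
    Assignment(10, "Security lead (sample)", False, "docs/logging.md", date(2024, 5, 30)),
    Assignment(11, "Pentest vendor (sample)", True, "vendors/pentest-report.pdf", date(2024, 1, 15)),
]

AUDIT_DATE = date(2024, 6, 1)  # constructed "today" for the sample run


def find_gaps(assignments: List[Assignment], today: date,
              lookback_days: int = 180) -> Dict[int, List[str]]:
    """Return {requirement: [problems]} for every requirement an auditor would question."""
    cutoff = today - timedelta(days=lookback_days)
    by_req: Dict[int, List[Assignment]] = {}
    for a in assignments:
        by_req.setdefault(a.requirement, []).append(a)

    gaps: Dict[int, List[str]] = {}
    for num in PCI_REQUIREMENTS:
        problems: List[str] = []
        owners = by_req.get(num, [])
        if not owners:
            problems.append("no accountable owner")
        elif len(owners) > 1:
            # Two parties each assuming the other reports the item is the classic failure mode.
            problems.append("ambiguous ownership: " + ", ".join(sorted(a.owner for a in owners)))
        for a in owners:
            if a.evidence is None:
                kind = "vendor attestation" if a.is_vendor else "evidence"
                problems.append(f"{a.owner}: no {kind} filed in repository")
            elif a.evidence_date is None or a.evidence_date < cutoff:
                problems.append(f"{a.owner}: evidence older than {lookback_days}-day lookback")
        if problems:
            gaps[num] = problems
    for num in by_req:
        if num not in PCI_REQUIREMENTS:  # typo or a vendor-invented line item
            gaps[num] = ["not a PCI DSS requirement number"]
    return gaps


def report(gaps: Dict[int, List[str]]) -> List[str]:
    """Flatten the gap map into one line per problem, ordered by requirement."""
    lines = []
    for num in sorted(gaps):
        title = PCI_REQUIREMENTS.get(num, "unknown requirement")
        for problem in gaps[num]:
            lines.append(f"Req {num:>2} ({title}): {problem}")
    return lines


if __name__ == "__main__":
    for line in report(find_gaps(SAMPLE_REGISTER, AUDIT_DATE)):
        print(line)
```

Run against the sample register this flags requirement 3 (two owners, one with stale evidence), 4 and 5 (nothing filed, in 5's case no vendor attestation), and 9 and 12 (nobody accountable). Keeping the register next to the previous year's audit documentation, and re-running the check whenever someone changes roles, is what turns the "who owns what" question from a panic at audit time into a routine review.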
For a recent FinTech client, identifying roles and responsibilities for multiple vendors was a major challenge affecting the company’s ability to meet compliance. In the midst of rapid growth and internal management changes, the startup had lost sight of who was responsible for what. Five Talent came in as the primary contact for all vendors and was tasked with asking the right questions and finding answers. The result was a more proactive, streamlined process for meeting compliance as well as a reduction in the number of vendors to manage.
Step 2: Understand Security
Once you’ve established ownership of items, the next step is to gain a thorough understanding of security for PCI. This includes:
1 – People (who is involved, their level of access, and how they treat data)
2 – Process (steps for making changes, who is informed, what the impact is)
3 – Systems & Architecture (segmentation, encryption, data classifications)
- Make sure everyone understands the benefits and threats based on the outcomes
- Ensure all people involved are aligned and motivated by the same goals
In any organization, the hardest thing to change is people. By creating a proactive plan for compliance, you can set employees and vendors up for success.
Step 3: Plan Proactive Strategies
You can’t just flip a switch overnight and become PCI compliant. Typically your auditor will expect you to go back three to six months to show how you’ve maintained compliance. By giving your internal team a clear process well in advance of your audit, you’ll save time and resources meeting regulatory requirements.
You need to know you’re going to be PCI compliant BEFORE you begin working on your workload or technology solution. Going back and changing your processes after the fact is 10x more painful and costly than doing it intentionally from Day 1.
- Remember – it’s not your responsibility to educate vendors as to what PCI compliance is. They should step up and own the education for compliance and put processes in place to ensure successful audits. For instance, cloud providers such as Amazon Web Services (AWS) or Azure will give you their shared responsibility model outlining what items they own and what items you are responsible for so ownership is clear.
- Choose vendors based on their compliance experience. Ask them how they handle PCI and what steps they take to meet requirements.
In summary, when you plan ahead, set clear expectations with outside vendors, and put proactive strategies in place, you should be able to meet PCI compliance year after year with relative ease. Audits are predictable, and PCI requirements are fairly straightforward and easy to follow once you understand and plan for them.