Are you new to PCI DSS? Perhaps you need to refresh your approach? If so, this article breaks down 6 strategies that will help you eat the proverbial elephant. PCI DSS has been around for 15+ years and over that time it has evolved, matured, and grown. It applies to all "entities" that store, process, or transmit cardholder data. It will be familiar to large merchants, payment processors, acquiring banks, and organizations providing third-party services. Still, there are lots of organizations and people to whom the DSS is new. If you are amongst them, your first impression of the standard may be that it is large, cumbersome, not suited to your business, and possibly impossible to implement. In short, you are very likely to be overwhelmed and to feel that the card brands are trampling your picnic.
The first thing you need to realize is that you are contractually bound to be compliant, and you likely have been for years. All of the PCI card brands (American Express, Discover, JCB, MasterCard, and Visa) have long had contract language that requires you to conform to their rules or operating regulations, which include being PCI DSS compliant at all times. So if you are non-compliant you are technically in breach of contract. The second thing to realize is that validation of compliance is separate from the requirement to be compliant. Just because you have not been asked to demonstrate compliance does not mean you get a free pass.
Who gets asked to validate compliance is up to the individual card brands, which consider factors like the number of cards handled, risk, type of business, etc. The brands tend to focus more on volumes of cards than on transaction values because they are concerned about fraud committed using stolen accounts. Also, not everyone gets asked to validate the same way. There are self-assessment approaches for small merchants and entities. There are rigorous third-party "onsite" assessments for larger ones and for companies providing services to many entities. There are even special "forensic audits" for organizations unfortunate enough to have experienced a breach. Any organization can be asked for formal validation at the discretion of the card brands. The brands will work with organizations that fall short; however, they require remediation plans with measurable progress. Yes, it may be a difficult journey, but it is not impossible.
The sticker-shock part of PCI usually happens when you transition from no assessment, or self-assessment, to full "onsite" assessments. It can also happen when you start to take PCI seriously and dig into those questions you have been checking off as "in place".
So if any of this feels familiar, sit, take a breath, and review these strategies.
1. Make sure you have senior management support
The road to PCI compliance is often long and bumpy. You will need supportive and understanding management to get there and to stay there. PCI is not just an IT or audit problem: if management simply asks IT to protect what the business does today, the bill may be unpleasant. The most effective approaches will require you to consider changes to business processes, not only to technology.
2. Find and document your scope
PCI DSS is all about scope. The single most important thing you need to be absolutely certain of is your scope. Getting this wrong means that you are either wasting resources measuring compliance on things you do not need to, or you have overlooked your responsibilities and may be headed for a failing assessment or a breach. You will need to look not only at IT but at your business processes as well: where and how you receive cardholder data, how it flows through your organization, what technologies it touches, what third parties you share the data with, and how all of this is supported and secured. Follow the data flows from the time the data leaves the cardholder to when it leaves your organization, understand the demarcations of when it becomes your responsibility, and understand the types of technologies involved and what compliance implications these have. Remember that scope is not limited to systems that directly handle cardholder data; systems that are connected to the cardholder data environment, or that could affect its security (for example directory services, patch and log servers, or administrative jump hosts), are in scope as well unless they are properly segmented. Make sure you look not only at regular processes but also at special cases and circumstances, temporary or infrequent use cases, etc. And if you are not already familiar with PCI and payment terminology, you will need to review it, as many of the terms may seem arcane or have nuances with significant implications.
3. Determine your applicable requirements (i.e. footprints)
Once you have determined who and what is in scope, it is time to figure out which requirements apply to which components, in which flows, and how all of these interact with each other. This is sometimes referred to as determining your "applicability" or your "compliance footprint". One key to understanding this is that not every PCI requirement applies in every scenario. A requirement that does not apply can be validated as N/A, provided that answer can be justified and documented. Examples of reduced footprints are described below. The easiest place to see these footprints is the variety of current Self-Assessment Questionnaire (SAQ) documents, each tailored to a common scenario.
4. Find and exploit ways to simplify your compliance through de-scoping and reducing applicability
Just because you have been doing things a certain way does not mean it is the best way. Many organizations have operational practices that are historical and have not been revisited in years. Worse, they may be based on information that either has become, or was always, incorrect. Re-examining these with business units can identify opportunities for simplification and savings. For example:
You will need to engage with a variety of groups within the business and get them to look at the alternatives. You may also need to overcome some tightly held objections. It is not uncommon for these objections to be based on misconceptions: accounting teams that believe the banks require you to store the full card number, e-commerce teams that believe they cannot control the user experience if the payment fields are delivered by a compliant third party in an IFRAME (whereas a fully outsourced hosted payment page or IFRAME is exactly what allows a merchant to use the much shorter SAQ A rather than SAQ A-EP), etc. Use these opportunities to develop remediation strategies.
5. Identify gaps, establish and follow a roadmap
Use your footprints to perform a gap assessment. Prioritize high-risk areas and making ongoing operations compliant first. Then circle back and clean up legacy data and similar issues. Use scope-reduction strategies to simplify both remediation and ongoing compliance efforts. Set attainable and measurable goals. Then implement your controls.
Do not forget complex or tricky issues even if they are low risk. If anything, they become more awkward to deal with the closer you get to being compliant. If you need help, get informed outside advice, such as from a Qualified Security Assessor (QSA).
6. Monitor changes to the business, your scope, and your compliance
Whether you are getting compliant or staying that way, you need to monitor yourself to stay on course. Not only are there many challenges that can get in the way of attaining compliance, it is surprisingly easy to fall out of compliance: a new payment channel, a vendor change, a "temporary" process that becomes permanent, or a network change that collapses segmentation can all silently widen your scope. Things you should be looking at:
PCI DSS can be big and complicated with many moving parts, but it is essentially an open-book exam. The key to success is properly preparing for it, knowing your environment, being able to explain yourself, showing what you have accomplished, and keeping records to prove you have been doing it right all along.