If you accept payment cards, your organization is responsible for ensuring specific processes are followed and requirements are met– 24 hours a day, 7 days a week, 365 days a year.
According to Bluefin’s The State of Enterprise Readiness for PCI DSS 4.0 whitepaper, only 21% of organizations say they are “very confident” that they are able to protect customer payment data and nearly half (49%) report to have yet to begin executing changes for PCI DSS v4.0.
Working with campus-based organizations, we understand how difficult year-round compliance can be, especially trying to manage multiple merchants across different locations. With all of the other obligations and priorities on campus, it is easy to quickly lose focus as resources and teams are assigned to other projects and priorities.
How are organizations successfully monitoring and maintaining ongoing compliance efforts? Regardless of their size, it requires a daily, coordinated focus and must be actively maintained. Integrating PCI compliance into your normal business as usual processes is the only way to ensure you are able to actively protect payment cards at all times. Below are a few of the key elements we have found are necessary for managing your PCI compliance efforts throughout the year, as well as some expert advice and strategies from some of our valued CampusGuard customers.
Key Elements of a Well-Run PCI Program:
1) Focus on Scope (And Reducing It!)
Before you can implement appropriate controls, you need to know what to do and where they are needed. Having and documenting an inventory of all systems, processes, and people that store, process, or access cardholder data is critical. Once you know where the data is, you can start to identify ways to reduce or eliminate scope (i.e. eliminating storage of payment card information, upgrading payment terminals, reducing risky payment channels, segmenting data, etc.). By doing so, you can limit the risk of data being leaked or stolen, and effectively reduce the effort needed to manage your PCI program.
Through this effort you should be able to streamline outdated processes and standardize on approved payment technologies. You may be able to consolidate systems, reduce maintenance, cut software licensing costs, and improve system performance by more centrally applying patches and configurations system-wide.
The PCI Team at Florida International University has worked hard to define their role and streamline operations. “Our strategy at Florida International University was to reduce our PCI risk by reducing the overall PCI scope. We created a PCI Compliance team with members from the Information Security Office and the Controller’s Office. The PCI Compliance team meets once a month to review new requests, changes, etc. We have created a governance structure whereby contracts for products where credit cards will be accepted must be reviewed and approved by the PCI Compliance Team.
In order to reduce our PCI scope we require that all merchants use validated P2PE devices or other scope reducing processes/solutions. There is a point of contact for each merchant which is responsible for overseeing the PCI compliance for their area which includes submitting appropriate SAQs’ each year. Furthermore, annual PCI training is required for all merchants and their employees.”
2) Don’t Underestimate the Resources Needed
Most members of the PCI Team are not solely dedicated to PCI compliance. They are juggling multiple other responsibilities and PCI is just one item on their plate. As a campus-based organization, you are most likely transmitting, handling, and storing cardholder data across multiple systems and networks. In order to keep your PCI efforts on track, you need to develop and maintain required system configurations and policies, implement new and required technologies, and continually educate staff members on their individual roles and responsibilities. All of that takes time to plan, develop, and deploy and, since the responsibility is shared, additional time may be required for coordination across groups.
Performing an annual risk assessment or gap analysis can help you identify the amount of effort needed to achieve or maintain compliance, and help secure executive-level support with a commitment to the necessary budget and resources. The PCI compliance program does not rely on technology alone, but must include people and processes, along with the supporting policies and procedures.
3) Make Your Program Sustainable
PCI compliance is not a “check the box” activity; it isn’t a goal you achieve during the annual assessment and then forget about. It only takes one unprotected admin account to throw you out of compliance and into a data compromise, so it is important to continuously monitor and adjust your program so that it can withstand the test of time.
It is also important to make PCI compliance a shared responsibility belonging to all users within your cardholder data environment. It is not just a task for your IT Team or your PCI Team, but rather a responsibility for all system administrators, front-line staff, managers, etc. Assign individual responsibilities and ensure all of those involved understand their role in maintaining compliance. Including PCI tasks into the business as usual efforts will allow staff to allocate time to track changes, make updates, accomplish tasks, etc. Define performance goals and objectives so you can meet specific deadlines and celebrate successes along the way. Dedicate a shared, central location for collecting and storing all documentation and evidence necessary for attesting compliance and provide access to responsible team members. This way you aren’t scrambling to gather all of the necessary policies, logs, scan reports, etc. when your attestation date rolls around.
“While the path to compliance at the University of Florida has been years in the making, it was not sustainable until a true partnership was established between the functional and technical owners of PCI. The availability of an IT contact person that assisted as “translator” between these two units turned out to be essential to our success.
The transition of all our standalone terminals to P2PE technology combined with the movement of our eCommerce and system components to the cloud significantly reduced the PCI foot print, which was the primary focus of our endeavor. We had previously implemented annual visits with each merchant location, which will be continued. We met with major stake holders and developed a responsibility matrix that identifies the responsible parties for each of the PCI requirements.
Each step above was discussed with our QSA partner, CampusGuard, to confirm that we were moving forward in a correct manner. In summary, the entire project was designed and executed to have a sustainable mechanism in place to remain compliant now and in the future,” shared University of Florida’s Payment Card Manager.
4) Make PCI Compliance Part of your Enterprise-wide Security Program
Building your PCI compliance efforts into your organization’s larger information security and risk management strategy can help you protect not only payment card data, but also other types of sensitive information. The PCI DSS can be used as a baseline for controls that support a broader information security environment and evolve as the threat landscape changes, new technologies emerge, and new business processes arise.
According to Drexel University’s Sr. Information Security Analyst, “The Drexel Information Security Office is leading the PCI DSS compliance efforts at Drexel University. It does that by partnering with the Drexel Treasury Office and with help from CampusGuard. The Drexel PCI optimization program focuses on consolidating payment card transaction processors and acquirers, reducing the number of merchant IDs, and implementing P2PE solutions for new and existing processes across the organization. With this program, Drexel University is expecting to harden overall information security and safeguards for protecting sensitive information, reduce compliance scope and complexity, and lower Information Security cyber insurance costs.”
5) Make a Schedule (And stick to it!)
Whatever your annual compliance cycle is, it is important to document where you are at in the process and ensure you are meeting all daily, weekly, monthly, quarterly, and annual tasks. You can start with your annual attestation due date and work backwards to determine what should be completed and when. Below is a sample quarterly schedule that you can adjust to meet your organization’s program goals.
Q1
- Identify and document all the areas that payment card data is stored, processed, or transmitted within your environment. Make sure the appropriate security controls have
been applied against each system that interacts with cardholder data. - Perform a formal risk assessment.
- Review your security policies.
- Identify the quarterly vulnerability scanning schedule.
Q2
- Create your security awareness training program or review and update as needed to reflect latest trends and risks. Determine the date for annual training, as well as a plan
for ongoing training activities and reminders. - Have staff review and acknowledge payment card policy and procedures.
- Review physical security – ensure processes are in place for device inspections.
- Ensure all third-party service providers are known and documented, track their compliance status, and request required documentation.
Q3
- Review vendor and remote access accounts, and verify that all permissions are up to date and the appropriate levels of privileges have been assigned. Remove access if it is
not required and disable or delete accounts not in use. - Review firewall inbound and outbound network rules.
- Perform any required annual penetration tests. Remediate all findings and re-test as necessary.
- Review your incident response plan. Schedule a tabletop exercise to test the plan and ensure all individuals know their responsibilities in the event of a suspected breach or
compromise.
Q4
- Complete merchant SAQs
- Attest compliance and submit necessary documentation to the Acquirer
College of Charleston’s Treasurer has helped lead the compliance effort for several years as changes are made to payment environments and processes. “After years of effort to reach PCI-DSS compliance, the College of Charleston works to maintain and enforce the status quo by doing the following:
- Periodic unannounced visits to the merchants on campus to verify the security of the credit card processors and verification that the appropriate inspection logs are keptcurrent;
- Conduct and monitor quarterly scans and perform the necessary penetration testing to ensure that all systems are secure;
- Work with our merchants to identify the appropriate SAQ and work with them to fill them out annually, around February/March of each year;
- After receiving the SAQs from each merchant the College’s PCI committee, consisting of staff members from Business Affairs, Information Technology and Information Security, review the answers and determine the appropriate SAQ for the College to submit on behalf of all merchants;
- Conduct yearly training of all personnel involved with credit card processing;
- Continually monitor trade websites and magazines and attend conferences to ascertain if any changes in technology can reduce processes that are identified as being within the scope of any PCI concern.”
For more guidance on how to manage your PCI compliance program ongoing, reach out to us.
Some additional guidance from the CampusGuard Customer Advocate team:
[Seguy]: It is always fun to be part of the celebration when a customer achieves PCI compliance, especially the first time, as there is so much effort that has gone before. Convincing staff not to accept emailed in payment data, swapping out older equipment with new technology, changing how they work with their customers, and creating/updating documentation can take more time and effort than the customer anticipates when we first get engaged with them. But by working with them to integrate each of the above elements into their program, they achieve a level of sustainability that ensures we are celebrating compliance year after year.