5 Mistakes That Will Break Your PCI Compliance Program

You did it! Your organization successfully completed a compliant SAQ and your acquiring bank has approved your annual Attestation of Compliance. Now what?

Unfortunately the work does not stop here. Not only are organizations required to achieve 100% compliance with the PCI DSS, they are also required to maintain it. In Verizon’s 2019 Payment Security Report, the percentage of organizations passing interim security tests for PCI (6 months after attestation) dropped to only 37%, which is the lowest percentage in 5 years. How can you ensure you are not one of the 63% of organizations falling out of compliance partway into the year?

Below are five of the top mistakes that can break your PCI compliance program.

1. A “Check the Box” Mentality
   PCI compliance is not intended to be a check box activity; it is a prescription for maintaining cardholder data security. All individuals involved with payment card handling must understand that compliance is not a goal achieved during the annual assessment cycle and then forgotten until next year’s attestation date rolls around. The best way to get away from that mentality is to create a well-defined schedule of checks and balances so requirements do not fall through the cracks. A big part of your PCI program should be continual monitoring of all merchants to ensure they have accurate and up-to-date documentation, and are following the departmental procedures. Can they provide their device inspection logs upon request? Do they have up to date AoCs from all third-party vendors? Have all employees been trained on the procedures and they can provide signed acknowledgements for the training? Are departments training new hires before they are allowed to process payments? Can they provide a passing vulnerability scan each quarter? Are critical systems being patched in a timely manner? If an incident or suspected compromise occurs, do they know where to find the incident response plan?

   Visit with your merchants as often as possible so they view the PCI Team as a partner instead of the group who adds to their To Do list once a year. You can have in-person education sessions throughout the year and/or send recurring communications (like the CampusGuard Newsletters) updating them on new technologies, possible vulnerabilities/risks, etc. As compliance activities become a larger part of the merchants’ business-as-usual efforts, the “burden” they feel during the annual attestation process will lesson.

2. Scope Creep
   Before you can implement appropriate controls for PCI compliance, you need to know all systems, processes, and people that store, process, or access cardholder data, or can impact the security of the cardholder data. This list is your PCI scope. Once defined, it is critical to limit all payment activities to these systems, people, and processes only, and ensure that you are not inadvertently pulling other areas into scope. Too often during our assessments, we find that organizations have overlooked some system or process that is touching cardholder data. For example, there may be a department collecting payment data on paper forms only and having the payment processed by another department.

   You may know about the second department, having worked with them to deploy a P2PE solution, but the first department’s access to cardholder data has expanded your PCI scope. Another frequent example is the Foundation keeping donor payment cards in an Excel spreadsheet for annual donations. This activity will quickly pull that computer and the connected network into scope, and you will have to apply all 300+ requirements to your campus network (and you don’t want to do that!). Or, perhaps the Advancement Call Center has switched over to VoIP phones and is now using those for their annual phone-a-thon. Those telephone-based payments can be pulling your network into scope as well.Spreading awareness across campus, beyond just the known merchant areas, can counter unintended scope creep. Educate your community regarding policies and the steps that must be followed for any payment-related activities. Publicize the processes for new merchants so that everyone who is considering a new payment flow knows what to do to get that started in a compliant manner.

3. Lack of Team and/or Support
   Assembling a PCI Team and retaining executive support is essential to the success of your ongoing compliance efforts. As you know, PCI compliance does not rely on technology alone, but includes people and processes, along with the supporting policies and procedures. It is important to have representatives from both the business and IT organizations on the PCI Team, as each brings needed skills and expertise, as you work together toward the common goal. Including members from internal audit, general counsel, and information security is the best way to round out your team. Formalizing the PCI Team with defined roles for each person and an official PCI Team Charter will go a long way to ensure the success and longevity of the team. Having executive level support helps to ensure the program is prioritized at a high level, and necessary funding is allocated. Executives can participate either directly as part of the PCI Team or by providing decision-making and guidance support through their time on a Steering Committee that oversees the PCI Team. In either capacity, they will be kept well-informed as to the areas of concern, level of effort for remediation, and be better able to provide the appropriate budget and resources. If you are struggling to gain the leadership support your program needs, consider performing a risk assessment or gap analysis to identify the areas of concern with associated risk, impact, and remediation. This type of information can be the impetus for a great conversation with tangible steps and outcomes.
4. Lack of Merchant Involvement
   Although the PCI Team take the lead, responsibility for PCI compliance is shared by everyone, especially those within your cardholder data environment. Merchants should be responsible for completing their own Self-Assessment Questionnaire (SAQ) annually, maintaining departmental procedures, training staff members upon hire and annually, performing device inspections, and any other applicable PCI DSS requirements. Without involving your merchants at that level, they may not fully understand or appreciate the role they play in your overall compliance. In the early years of a PCI program, it can be difficult to get merchants to understand the importance of compliance and why they are being asked to take steps that they perceive to be “busy work.” However, as time goes on and PCI is integrated into your business-as-usual efforts, they will come to understand the importance of these tasks and allocate the time needed to track changes, make updates, monitor equipment, etc. Define goals and objectives based on the DSS requirements so that, as you meet each deadline, you can celebrate successes along the way. Dedicate a shared, central location for collecting and storing all documentation and evidence necessary for attesting compliance, and provide access to responsible staff. Track the collection of departmental procedures, logs, scan reports, etc. so that, when your attestation date rolls around, merchants will have all that they need in one place thereby reducing the time needed to research/respond to the SAQ questions.
5. Third-Parties
   Using a third-party organization to help with your payments may alleviate some PCI DSS requirement considerations. However, you can NEVER completely outsource your compliance responsibility, and should therefore select partners carefully. It is especially important to evaluate vendors before entering into a contract. Work with your Procurement Team so that, prior to signing a new agreement with an organization that will be involved in the payment flow, the agreement is reviewed by the PCI Team. This team is well versed in the five key elements defined by Requirement 12.8 that must be in-place for any payment-related vendor. Having them review the new agreement will ensure that these requirements are properly included. Consider publicizing a list of approved payment vendors internally so that departments considering taking payments have a starting point. Monitor ongoing vendor compliance and annual Attestation collection centrally, where possible, to ensure you know the status of all vendors the organization is using. Define and disseminate an escalation process to handle a breach of a payment vendor.

So celebrate that success, enjoy the submission of your compliant SAQ/AOC, but don’t lose focus on those things that helped you get there in the first place. Stay the course, keep doing all those things that you have been doing, and you will be celebrating again next year.

Some additional guidance from our Security Advisor team below:

[Hopkins]: Too often, PCI compliance is considered a project with a defined beginning and an ending that includes the annual submission of your SAQ to your acquirer as mentioned above. The PCI Security Standards Council recommends a business-as-usual approach to compliance, making compliance an ongoing process rather than an annual project. The key to implementation is the design and documentation of the business processes. Processes that should be considered:

• A granular change control process that documents changes to include the entire cardholder data environment (CDE)
• Inventory control process for all equipment and devices in the CDE
• An onboarding process for all staff that will have access to the CDE
• An onboarding process for new merchants
• A process for initiation of scheduled compliance activities such as quarterly vulnerability scans, bi-annual review of firewall configurations, and the annual review of PCI policy documents
• An educational process that monitors staff training in policy and security awareness

Incorporating well documented process that have assigned roles and responsibilities can avoid compliance requirements falling through the cracks and jeopardizing your compliance program.