We all know the feeling: the holidays are over, it’s a new year, and the new projects and initiatives start rolling in. Or perhaps all of those tasks from last year that got shoved into the “next year” folder are now floating back up to the top.
The New Year is often a time to start fresh and teams are motivated to get things moving in the right direction. Although PCI compliance is a year-round task, many organizations will target the beginning of the year as the time to complete annual requirements like risk assessments, penetration testing, staff awareness training, documentation review, third-party contract reviews, and incident response plan testing. Planning for the completion of your merchant SAQs / AOCs may also begin now.
Looking back to last year’s compliance efforts, what pieces or requirements do you remember struggling with? Did you miss your compliance goal because IT wasn’t able to locate all of the IP addresses for vulnerability scanning? Did it take longer than you expected for the administration team to sign off on your payment card policies and procedures? Did the merchants get approval before purchasing new payment applications or setting up ecommerce sites? Before you dive right back in, take a moment to reflect on the challenges you had previously and see how you might be able to avoid them by improving communications and setting realistic goals with clearly defined strategies in place.
PCI compliance is resource-intensive and requires effort from staff across the entire organization. One of the biggest pieces to compliance success and continued forward progress is collaboration between all groups – the Business Office, Information Technology (IT), the PCI Team, and all merchants/departments handling cardholder data. Proper funding and resourcing are necessary to ensure that people, processes, and technology can become and remain compliant with the DSS requirements, while reducing the overall risk to your organization.
A potential data breach can have a significant impact on operations, with fines and fees quickly exceeding $100,000. The organization may lose the ability to process payment cards, and the reputational damage can take years to recover from. Therefore, efforts to maintain PCI compliance must be viewed as a top priority for all employees, championed by leadership, and supported throughout the entire organization.
Easier said than done, right? To help you create stronger partnerships across the organization and bridge the common divide between business and IT, we recommend the following:
Communicate Goals and Priorities
The Business Office and Finance department make key strategic decisions regarding where funds should be spent, evaluating return on investment, and determining how the organization should move forward with different initiatives. The data that they need in order to make these decisions will be primarily financial. The Information Technology team is responsible for ensuring that the infrastructure and equipment used to support the organization are maintained in such a way as to protect the security of the organizational data assets. The information that IT requires to make its decisions is often based on data (i.e., how will security be increased, how will the risk of breach be decreased, what efficiencies will be gained). The metrics each group uses are in very different “languages” from each other, so how do they come together to create common measurements? It is important to first determine what it is that you are trying to accomplish, evaluate the different paths that can get you there, and then discuss the costs/benefits of each potential solution. Is this something that has to be done? Is this something we need to do to prevent something else from happening? Or is this something that would be convenient and potentially save some valuable time and resources? These are all legitimate reasons and should be weighed as a team so that all parties understand the end goal and, by working together, make the best decision for the organization.
Improve Awareness and Training for Everyone
“I don’t even know what PCI is…so it must not be important for my role.” It is critical that all staff handling payment card data have a basic understanding of the PCI DSS, why it exists, who it affects, what it entails, and what can happen if the organization fails to meet the requirements. By making staff aware of not only what they need to do, but why you are asking them to do it, you can help build a culture where employees think twice before handing out a shared password or writing down credit card numbers on a notepad by their desk. Ensuring that IT staff are well-trained is also important. A large majority of the PCI DSS requirements do focus on technical controls, so while IT is not a merchant accepting payment cards, they do provide the support for the infrastructure and systems that store, transmit, and/or process cardholder data. Providing them with the resources to stay up to date on best practices, and appropriate funding for logging solutions, vulnerability management programs, segmentation support, etc. will help make your overall environment more secure.
Streamline Merchant Options
Try to implement standardized payment acceptance models, including policies, processes, procedures, training, and technology across as many departments as possible to help simplify your scope and oversight efforts. By having a limited number of already-approved payment solutions from which the merchants can select, you will be able to minimize the work effort for all parties involved. Procurement won’t have to vet the new vendor, the PCI Team won’t need to request a copy of their AOC or other proof of compliance, IT won’t have to review the security and impact of a new solution, and the merchant won’t have to wait to begin accepting payments. You have done the work once, the solution is ready to go, and everyone is happy.
Look for Synergies
Take a step back and analyze some of the other projects happening within the organization. Is there also a big initiative for HIPAA compliance happening across the hall? The PCI DSS provides a great baseline for information security, and many of its requirements will also help you meet compliance requirements for standards like HIPAA, FERPA, GLBA, and more. So, before your organization goes out and purchases different solutions for a common problem, for example file integrity management, review the other project plans to see what areas may overlap. You may be able to realize some cost and/or resource sharing while accomplishing both tasks simultaneously.
Define the Leadership Team
With all this talk about organization-wide involvement, it is also important to point out that you do need to assemble a PCI leadership team that will be responsible for developing goals, maintaining communication with the involved groups, keeping things moving forward, and ultimately making decisions. Generally, a five to eight member team including representation from Finance, IT, the Controller’s Office, Internal Audit, and a couple of merchant areas is the most successful. Create a clearly defined PCI Team charter and establish individual roles and responsibilities so that each member has authority to make decisions and avoid roadblocks. It is also important to allocate time to reconvene as a team and discuss the status of different initiatives (e.g., deployment of a new solution), timelines for future initiatives (e.g., reviewing and voting on a new vendor), and any new topics that have arisen.
Making PCI a priority for the organization at all levels will shorten the road to compliance and eliminate many of the turns and detours you may be taking if your department tries to tackle this alone.
Reach out to us if you have any questions or would like to set up a time to discuss how your teams may be able to work together for everyone’s benefit.