Procurement: An Overlooked Gatekeeper for PCI Compliance



Just when you think you are making good progress on your PCI compliance, you run into a colleague at a staff meeting who casually mentions the new payment solution their department is implementing. They go on to say how excited they are that they will now be able to accept credit cards, so you casually ask whether anyone checked that the solution and the proposed implementation are PCI compliant. “No,” they say, to which you reply, sarcastically, “Perfect.” Other departments can be so focused on implementing new technology that is going to reduce everyone’s workload that they fail to include the PCI Team in their list of “everyone.”

So, how can you get ahead of situations like these and ensure new solutions are evaluated for PCI compliance and implemented in a PCI compliant manner from the outset, instead of spending more time and resources after the fact to correct them?

Your Procurement Team can be a great resource and should have you on their short list to contact when new proposals or requests for information are created. They should know that any time they receive a contract that mentions payment card information in any way, they need to involve the PCI Team. That way you can review what is being proposed, assist in determining the compliance status of the vendor, and provide the appropriate contract language regarding PCI compliance responsibilities, necessary documentation, etc. For example, are you requiring that all new service providers deliver an up-to-date Attestation of Compliance? Have you clarified who is responsible for reviewing these contracts annually and ensuring the appropriate documentation is collected? Do the contracts clearly state who is responsible for securing payment card information at each step in the payment process and who is liable in the event of a data breach? Each of these questions should be addressed in every payment card-related contract.

Partner with your Procurement Team by including them in your annual PCI training. This education will make it easier for them to identify any new payment-related contracts and report them to you. If you have a purchasing application, you may want to review it to see if flags can be set to automatically alert the PCI Team when specific words are included in a contract (e.g. “payment”, “credit”, “PCI”).
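The keyword flag described above is simple to prototype outside the purchasing application. The following screener is an added example and is not CampusGuard's code or a feature of any particular purchasing system; it assumes that purchase requests or contracts can be exported as (id, free-text description) pairs, and the trigger vocabulary and sample requests are constructed for the illustration. Matching is on whole words, and short acronyms such as "PCI" and "POS" are matched case-sensitively so that ordinary words like "positions" do not generate noise for the PCI Team.

```python
import re

# Trigger vocabulary for screening purchase requests and contracts. This list
# is an assumption for the example; extend it with the terms your own
# procurement documents actually use.
PCI_TRIGGER_TERMS = [
    "payment", "payments", "credit card", "debit card", "cardholder",
    "card data", "PCI", "PCI DSS", "merchant", "point of sale", "POS",
    "acquirer", "tokenization", "Attestation of Compliance",
]


def _pattern_for(term):
    """Build a whole-word pattern for one trigger term.

    Short all-caps acronyms (PCI, POS) are matched case-sensitively so that
    'pos' inside ordinary prose does not trigger; longer terms match in any case.
    """
    flags = 0 if (term.isupper() and len(term) <= 4) else re.IGNORECASE
    return re.compile(r"\b" + re.escape(term) + r"\b", flags)


_PATTERNS = {term: _pattern_for(term) for term in PCI_TRIGGER_TERMS}


def find_pci_terms(text):
    """Return the sorted trigger terms that appear as whole words in text."""
    return sorted(term for term, pattern in _PATTERNS.items() if pattern.search(text))


def screen_requests(requests):
    """Return {request_id: [matched terms]} for requests that need PCI Team review.

    `requests` is an iterable of (request_id, free-text description) pairs.
    Requests with no matches are omitted so the PCI Team only sees candidates.
    """
    flagged = {}
    for request_id, description in requests:
        hits = find_pci_terms(description)
        if hits:
            flagged[request_id] = hits
    return flagged


# Constructed sample purchase requests (not real data).
SAMPLE_REQUESTS = [
    ("PR-1001", "Annual license renewal for the library catalogue software."),
    ("PR-1002", "Parking office kiosk upgrade; new terminals will accept credit card payments on site."),
    ("PR-1003", "Hosted ticketing platform for athletics; vendor states the service is PCI DSS validated."),
    ("PR-1004", "Replacement chairs for the positions in the call center."),
]

if __name__ == "__main__":
    for request_id, terms in screen_requests(SAMPLE_REQUESTS).items():
        print(f"{request_id}: route to PCI Team (matched: {', '.join(terms)})")
```

Returning the matched terms alongside the request id matters in practice: it lets the PCI Team triage a flagged request at a glance and tune the vocabulary when a term turns out to produce false positives.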

Campus-wide education is also key to creating a culture of awareness regarding PCI across your organization. All merchants should be participating in PCI awareness training and signing off on your payment card policies and procedures annually. Throughout the year, you can help to maintain that awareness by sending out occasional notices regarding updates to the PCI DSS Requirements, new risks and threats as they are announced, and lessons learned from other publications.

By keeping PCI in front of your staff, when they do decide to implement the latest technology, they are more likely to think about the potential PCI impact and reach out to the PCI Team before any further investment is made. Ensure that your policies and procedures require that any change within the cardholder data environment (e.g. new PCs, new POS devices, network configuration changes) be submitted for review and approval by the PCI Team. This will help the PCI Team to be seen as assisting with the project, rather than as a “late-to-the-game” roadblock. It won’t happen overnight, but by continually engaging staff from all levels and from all departments, your ongoing efforts to maintain PCI compliance will become business as usual.

Reach out to us if you have any questions or would like to discuss how you can involve your Procurement Team in your PCI compliance.

Some additional guidance from the CampusGuard team:

[Grant]: There are many ways to partner with your Procurement Department within a University. Ask them to have representation on the PCI Team; this will ensure they are actively engaged and can communicate information back to their department. Ask them to add a term or condition in the University standard contract templates in which all payment technology must be approved by the appropriate University representative and must be PCI DSS and PA DSS compliant. Ask Procurement to assist in wording for contractual pieces needed from the service providers, i.e. 12.8.2; this will get them invested in your PCI foundation. Colleges and Universities are like small towns: sometimes individuals don’t know where to go for assistance or that protocols exist for these scenarios. Procurement can be that added layer of protection to catch those purchases before they happen.


About the Author
Katie Johnson

Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.