PCI compliance is treated differently within every organization. For some, it is a priority project with dedicated full-time staff responsible for achieving and maintaining compliance. Some organization will even have an Internal Security Advisor (ISA) on staff.
For others, it is just another responsibility that is given to one or two individuals that it seems to fit best with. If your organization falls into this latter group and you are tasked with achieving PCI compliance, you should know locations, multiple departments, and multiple methods of accepting and processing payments common to these environments. Unlike McDonald’s or WalMart, that have lots of locations but all with the same setup, campus-based environments are more complicated. Most success stories involve a team or committee that work together to ensure there are adequate support and resources.
So, how do you go about structuring your compliance and security team and who needs to be involved?
Assembling a team from various departments is an essential component. This team will be responsible for developing goals, identifying relevant departments and processes throughout the campus(es), and maintaining communication with the rest of the campus community.
Organizations that are able to achieve and maintain their compliance program typically have a team consisting of five to eight individuals, with representation from the following areas:
Leadership: You will need buy-in from the executive level in order to receive the support necessary to dedicate resources, allocate funding, and implement change. These C-level individuals may or may not be involved in your weekly or monthly meetings, but rather brought in quarterly for updates so you can fill them in on progress, discuss any barriers you are facing, and prioritize next steps.
Finance: Changes may be needed to meet a compliance requirement and those changes will likely require funding. Involving someone from Finance as part of the project team ensures that they are aware of and in support of the proposed changes. Finance is also typically in charge of handling the day to day processes within departments, implementing financial policies and procedures, providing training, etc. so will bring that knowledge to the team. Possible positions to consider include the VP of Finance, Controller, or representatives from Treasury.
Internal Audit: Internal Audit should be involved so that any changes to policies and/or procedures are discussed and adjusted to fit the organization right at inception. Since Internal Audit typically leads the annual risk assessment effort, they will also help the team to discern potential impact(s) of proposed changes.
Information Technology: Consider the PCI DSS – the most prescriptive of the information security standards. Approximately two-thirds of the requirements are technology-related so your team will need IT representation to implement security controls. The Australian Data Breach Notification Law and GDPR will both require IT support to help identify areas of stored data, accessing that data, and potential disposal or remediation options. Depending on how your organization is structured, you may have a separate Information Security and Networking group from which you would benefit by including.
Departmental Staff: We also suggest adding at least two department-level team members to bring in a user perspective. These members may be from your high risk areas, your low compliance areas, or high volume areas. By keeping the departments in the loop, they better understand why they are being required to follow the prescribed controls and in turn, why it is so important to comply. Reinforcing the consequences of non-compliance (i.e. fines, penalties, etc.) can go a long way in getting all departments to accept their security responsibilities and view compliance as something that needs to be done, versus just another task to be checked off with little thought. The department staff provide valuable input regarding the impact of proposed changes and, after changes are made, how effective the new policies and procedures are.
Once you have recruited your core team, we recommend scheduling regular meetings in order to make sure you are actively working towards compliance. During these meetings you can provide updates on progress, define campus-wide strategies and standardize on technologies, and determine what projects are next on the priority list. Retaining these meetings will also help to ensure that the team can more quickly come together to address new requirements or standards as they are published.
We would recommend, as a first step, that the team create a high level project plan with clearly defined milestones and timelines. Goals should be set so you can monitor your progress and celebrate your successes along the way. Achieving and maintaining compliance can be daunting, but if you define clear goals and next steps, your progress can be easily tracked and reported to your Board of Directors as needed.
Each organization is different and compliance responsibilities may fall to individuals with various job titles and positions. Regardless of who is leading the project, ensuring ongoing collaboration from a collective team, as well as having the support at the executive level, will be critical in order to achieve and maintain your compliance and security program over time.
Some additional guidance from the Customer Advocate team below:
[Pfeifer]: Creating the right team can be challenging, but it’s important to take the structure advice mentioned here and have the necessary representation/support. It’s understandable for new team members to be apprehensive about joining the PCI Compliance effort. Usually, it’s only one part of their position and it’s difficult for them to understand what they will bring to the team. However, we see that with time, those members become the best cheerleaders for PCI Compliance objectives and are able to share their perspective with the PCI team and then with their areas they are representing. Rather than viewing their PCI responsibilities as an obligation, they will start to consider it a privilege to be an integral part of the institution’s progress and growth!