You Know You Need PCI Compliance Help When... Tips for Realizing When You Just Can't Go It Alone
Imagine that your internal resources are of the highest caliber and have bandwidth to spare; that your internal audit personnel possess broad and deep compliance framework experience; and that a team member has successfully completed a PCI DSS compliance assessment in the past. Exactly when should you consider bringing in expert assistance from the outside? Based on experience, here are a few scenarios that illustrate when such a decision might just be the best one:
When Compliance Looks Easy

So, you are familiar with ISO 27001? You have spoken with a colleague who indicated that their SAQ was a simple matter of checking all the 'Yes' boxes and signing it?
Despite the PCI DSS standard's ability to be mapped to other frameworks, its area of focus is explicitly cardholder data security. This fundamental difference provides unique context. For example, while business requirements may be taken into account, the residual risk directly affecting cardholder data is what will ultimately determine compliance. As such, general experience in industry best practices, alone, often proves to be of limited benefit.
Also, compliance is never as easy as just checking all the 'Yes' boxes. Remember, when you sign the Attestation Of Compliance you are providing confirmation of the assessment's accuracy, and often that can only be determined after extensive review of implemented controls, supporting documentation, and processes.
When You Receive an E-mail Identifying Still Another Data Repository

You have identified your stakeholders, developed a coherent strategy, and achieved your first milestones along the way to compliance in alignment with the PCI Security Standards Council's Prioritized Approach. It is at moments such as these that a previously unidentified data repository can threaten momentum, lower morale and generally derail compliance efforts.
Identifying all payment flows early in your compliance efforts, through a combination of human and automated means including surveys, interviews and data analytics, is essential to both defining and properly limiting the scope of your cardholder data environment. Only then can you confidently move into the next phase without fearing that late-in-the-game discoveries will cause you to miss your target dates, incur unforeseen penalties or require re-work to remediate issues you hadn't anticipated.
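The automated half of that discovery work is usually a cardholder data scan: sweep each file share, export and log store for digit strings that look like a primary account number, confirm them with the Luhn check, and report the repository (not the number) so it can be pulled into scope or remediated. The following is an added example, not code from the article or its authors; the three "repositories" are constructed in-memory strings, and the digit strings in them are the publicly documented test card numbers, not real cardholder data.

```python
import re

# Constructed sample repositories standing in for a CRM export, a ticketing
# system and an application log. The card-like values are public test numbers.
SAMPLE_REPOSITORIES = {
    "crm_export.csv": "name,card\nAlice,4111 1111 1111 1111\nBob,not a card\n",
    "support_tickets.txt": "Customer called, card 5555-5555-5555-4444 declined.\n",
    "app.log": "order=1234567890123456 status=ok\n",  # 16 digits, fails Luhn
}

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits):
    """Return True when the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep only the last four digits so findings can be logged without storing PANs."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_pans(text):
    """Return masked, Luhn-valid PAN candidates found in a block of text."""
    hits = []
    for match in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(mask_pan(digits))
    return hits


def scan_repositories(repos):
    """Map each repository name to the masked PANs discovered in it."""
    return {name: find_pans(content) for name, content in repos.items()}


def in_scope(repos):
    """Repositories holding at least one valid PAN belong in the CDE scope."""
    return {name for name, hits in scan_repositories(repos).items() if hits}


if __name__ == "__main__":
    for name, hits in scan_repositories(SAMPLE_REPOSITORIES).items():
        print(f"{name}: {len(hits)} PAN(s) {hits}")
    print("in scope:", sorted(in_scope(SAMPLE_REPOSITORIES)))
```

The Luhn step is what keeps order numbers, timestamps and similar digit runs out of the findings; the `app.log` entry above is sixteen digits long but fails the check, so only the two repositories that actually hold card numbers come back as in scope. Reporting masked values rather than full PANs matters because the scan results themselves would otherwise become one more cardholder data repository to protect.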
When You Re-Read the Same Requirement and Interpret It in Yet Another Way

You have read the PCI DSS, attended seminars, pored over various forum threads and blog postings and steadily progressed on the road toward compliance. Then, empowered with your increased knowledge, you begin to second-guess your original understanding of a particular requirement. Was that one really non-applicable? Does your planned compensating control truly go above and beyond the rigor and intent of the original requirement? Is your "business justification" for leaving open a particular port or protocol sufficient?
Time to Seek Help

You may be able to resolve these and other questions by consulting the Security Standards Council's web site or searching through its knowledgebase. However, wrestling with these questions may also prove a good indication that expert guidance is warranted.
Just remember, when it is time to seek help, good counsel may at first seem to be in abundance, but identifying the appropriate resource to provide accurate direction is critical. Suggestions that a different business's compliance approach may also apply to your own environment, that you can simply repeat last year's response, or that it does not take an expert to address the "low hanging fruit" should be considered with a healthy dose of skepticism.
About the authors:
Peter Spier is President of the ISACA, Western New York Chapter and Manager Professional Services at Fortrex Technologies based in Frederick, Maryland.
Jim Raub is a Senior Director of Information Security, Compliance and Fraud, at PAETEC Holding Corporation and has held a wide range of IT positions over the past 30 years, with a concentration on security for the past decade.