The great and the good of Europe's PCI community including representatives from Barclaycard, John Lewis and CheckPoint gathered in London recently for PCI London to discuss Payment Card Industry Data Security Standards (PCI DSS).
If you're involved in storing, processing or transmitting any cardholder data - manually or electronically - you have to be PCI DSS compliant. And that means meeting with tough standards that enhance payment card data security…or face the prospect of fines and fraud costs.
I was lucky enough to join the delegates in discussing the latest thinking in risk and security management. My presentation stressed to the group that businesses need to be more prepared for audits and adopt a continuous compliance approach. This will ensure enterprise network and application policies conform with industry regulations and corporate policies. Unfortunately, many organizations don't bother thinking about PCI compliance until they are due to be audited which, at best, leaves them playing catch-up or at worst, means they fail because they haven't met the requirements. In fact research by the Ponemon Institute suggests that as many as 67% of companies fail credit card security compliance.
Tips for PCI Compliance
One slide which gives some 'dos' and 'don'ts for preparing for your audit sparked discussion and debate so I thought I'd share it with you: Do:
- Pick a Qualified Security Assessor (QSA) partner you trust. QSAs are organizations that have been qualified by the PCI Security Standards Council to have their employees assess compliance to the PCI DSS standard. You'll need to work as a team with your QSA, so do your research well.
- Prepare yourself by asking the QSA what you need to do and what reports will you be asked to prepare. Make sure you have all the pieces in place.
- Technology - make sure your company is using systems that will help you manage your audit and comply with the standards, and make sure you are using the tools available to you regularly.
- Support what you say with documentation - documents will back up your words, and are required for the audit.
- Don't annoy, argue or try to BS your QSA! They've have heard it all before.
- Don't make mistakes identifying PCI relevant servers/systems - in security terms, that means being able to clearly map out the changes to network access, who made them and why they were approved.
- Don't forget the IROC - initial report of compliance. The first time only 20% will generally be ready when they do the IROC report. The second time only 20% are still compliant. It's bad news and could be avoided if you continuously monitor compliance and not wait until the audit looms.
Bottom line: old adage 'if you fail to prepare, prepare to fail' definitely applies where PCI compliance is concerned.