Over the years I have had many clients ask how to become PCI compliant.
My answer is always the same.
It sounds too good to be true. But the problem many organizations have, which is a symptom of a larger problem, is indecisiveness. Many information security teams are busy with operational concerns, day-to-day activities and keeping systems running. Compliance is an afterthought, or it is pushed down to the team to “become compliant” without any real guidance.
Engage. But what do I mean by “engage?”
Start doing something to meet the PCI DSS requirements.
By doing “something” you are trying to move forward. The only pitfall here, and this is a small pitfall, is that to a hammer, all problems look like nails. The team that manages the firewalls will probably focus first on addressing Requirement 1, as it is the most familiar set of controls and requirements that relate to their duties. The team that manages the servers and operating systems may focus the most on Requirement 2, or Requirement 7, or Requirement 8. These items may be the most relevant to what they do day-to-day.
But is this really a problem? Embrace it! Therefore, their expertise is needed in the organization. Employees can determine the best solutions, be they process changes, configuration changes, or technology adoption, in the areas where they are the experts.
PCI Compliance is a technical standard.
While many controls are administrative or policy-based, these policies exist to drive enforcement of technical controls. Pick a PCI DSS requirement and engage on it. Review the requirement and pay attention to the guidance in the PCI DSS standard. For clarification, review the PCI SSC Frequently Asked Questions on the PCI SSC website.
Smaller teams may want to pick a different approach to becoming PCI DSS compliant.
While there are thousands of jack-of-all-trades administrators and engineers, not all organizations are lucky enough to have a team that is highly knowledgeable in all areas of expertise. In this scenario, my recommendation to my client is to engage by determining which technical disciplines they are lacking.
The time and money required to hire or train staff may be higher than the cost of outsourcing functions to another organization. By determining what expertise is missing, the organization can focus on outsourcing that expertise to a partner while still addressing the PCI controls that it can with its own staff. By utilizing a validated service provider, the organization can reduce its direct risk and still utilize its own skillset and experience where possible.
For example, I was recently working with a client utilizing co-locations, or their own data center, and all system administrative activities were performed by their development team. The team was highly trained in application development and database administration but had limited experience in system administration and network engineering. While they were able to operate and manage the systems, they spent more time managing their infrastructure than necessary.
They followed the path to identify their weaknesses, partnered with a third-party provider and migrated their platform to a cloud-hosted platform. Not only did they gain the scalability and resilience of a cloud-hosted solution, but they improved their compliance program by partnering with a validated Service Provider who managed the infrastructure. This freed up their time to focus on their core competency, software development, and to develop policies and procedures for their compliance program.
PCI Compliance can be daunting for organizations of all sizes.
Finding the right approach can be like writer’s block. Sometimes the only path forward is to take a single step, engage, and start the process. One of the first places I recommend my clients start is with the policy requirements mandated by PCI. Define the requirements by policy first, ensure that the policies support the PCI requirements, and then verify that the organization is following those policies by reviewing system configurations. Almost every PCI requirement has three components: a policy objective, a system configuration (observation) and employee knowledge (interview). By starting with the policies, we can increase the knowledge level of the employees and then verify our configurations are in line with the PCI DSS and our policy.
Jason Likert is a Managing Consultant at SecureTrust, where he leads a team of information security professionals and oversees the execution of security audits, PCI compliance assessments, and other professional services engagements. Jason has been involved in the payment ecosystem as a consultant, auditor and assessor since 2005.
Prior to SecureTrust, he served eight years in the US Air Force and was Director of IT at large e-commerce and healthcare organizations. Jason holds the QSA, Certified ISO 27001 Lead Implementer and Certified ISO 27001 Lead Auditor certifications.