We have problems getting our executives to provide ongoing support for PCI DSS compliance. Even between assessments, there's always something to be done, and they're not interested in anything but getting a report on compliance (ROC) that's A-OK. Do you have any tips for conveying the ongoing importance to them?
As you point out, PCI compliance is an ongoing process, not a once-a-year checkup. This is not only based upon best practices, but is also what organizations are contractually obligated to do under their merchant agreements. There's nothing in the agreement that says you only need to worry about compliance when it comes time for your annual self-assessment or QSA audit. If your company is found non-compliant at any point throughout the year, it will be subject to fines and other sanctions.
When you mention this to C-level executives at your company, I'd suggest bringing two arguments to the table. In addition to the straightforward regulatory argument above, you should explain how it's both easier and less expensive to maintain PCI compliance over the course of the year rather than scramble to become compliant right before the annual assessment. You might use an analogy of maintaining your car or personal health. If you take care of the small details continuously, the larger issues take care of themselves. On the other hand, neglecting these small details over the course of the year can lead to technical and administrative nightmares come assessment time.
Consider, for example, the PCI requirements to maintain secure system configurations. If you build a robust configuration management system based upon automated tools, administrators can respond immediately when a change in the system results in a noncompliant state. On the other hand, if you wait until the end of the year to analyze system configurations, you may find yourself with a lengthy "punch list" of changes that need to be made to production systems before the auditors arrive. This is time-consuming, and it introduces operational risks as you rapidly reconfigure systems.
All in all, you're right to seek ongoing C-level support for your PCI DSS compliance program. Speak frankly with the C-level executives at your firm and explain to them that they should no more neglect this area than they would the preservation of the integrity of the company's annual financial statements.
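The configuration-management point in the answer above, as an added example that is not part of the original Q&A or the expert's own tooling: a small Python drift checker that compares a captured configuration file against a baseline of required settings and returns each deviation as a finding the moment it appears, instead of leaving it to pile up into a year-end punch list. The file format (sshd_config-style key/value lines), the baseline values and the sample configuration are all constructed for illustration and are not drawn from the PCI DSS text.

```python
"""Continuous configuration-drift check (added example, not from the original Q&A).

Assumes a key/value configuration format like OpenSSH's sshd_config and a
baseline of required settings. The baseline and the sample file below are
constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed baseline: the settings an organisation has decided must hold
# on in-scope hosts. Values are illustrative, not quoted from any standard.
BASELINE: Dict[str, str] = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "Protocol": "2",
    "X11Forwarding": "no",
}

# Constructed sample: a configuration captured after an administrator change.
# Note that one directive was enabled and another was commented out.
SAMPLE_CONFIG = """\
# sshd_config (constructed sample)
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
# X11Forwarding no
"""


@dataclass(frozen=True)
class Finding:
    """One deviation from the baseline."""
    key: str
    expected: str
    actual: Optional[str]  # None: directive absent, so the daemon default applies


def parse_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines, ignoring blanks and '#' comments.

    As in sshd_config, the first occurrence of a directive wins.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def check_drift(config_text: str, baseline: Dict[str, str] = BASELINE) -> List[Finding]:
    """Return a finding for every baseline key that is missing or has the wrong value."""
    actual = parse_config(config_text)
    findings: List[Finding] = []
    for key, expected in baseline.items():
        got = actual.get(key)
        if got is None or got.lower() != expected.lower():
            findings.append(Finding(key, expected, got))
    return findings


def format_report(findings: List[Finding]) -> str:
    """Render findings as the short list an operator would act on today."""
    if not findings:
        return "compliant: no drift from baseline"
    lines = [f"{len(findings)} deviation(s) from baseline:"]
    for f in findings:
        shown = "<absent>" if f.actual is None else f.actual
        lines.append(f"  {f.key}: expected {f.expected!r}, found {shown!r}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Run this on every change (from a config-management hook or a scheduled
    # job) and the output stays a two-line list rather than a year-end backlog.
    print(format_report(check_drift(SAMPLE_CONFIG)))
```

Wiring `check_drift` into the change pipeline (a post-deploy hook, or a scheduled job that feeds a ticket queue) is what turns the annual scramble into a stream of small, low-risk fixes; the parser is deliberately simple so the same pattern can be reused for other key/value configuration files by swapping the baseline.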