We have problems getting our executives to provide ongoing support for PCI DSS compliance. Even between assessments there's always something to be done, and they're not interested in anything but getting a report on compliance (ROC) that's A-OK. Do you have any tips for conveying the ongoing importance to them?
As you point out, PCI compliance is an ongoing process, not a once-a-year checkup. This is not only based upon best practices, but is also what organizations are contractually obligated to do under their merchant agreements. There's nothing in the agreement that says you only need to worry about compliance when it comes time for your annual self-assessment or QSA audit. If your company is found non-compliant at any point throughout the year, it will be subject to fines and other sanctions.
When you mention this to C-level executives at your company, I'd suggest bringing two arguments to the table. In addition to the straightforward regulatory argument above, you should explain how it's both easier and less expensive to maintain PCI compliance over the course of the year rather than scramble to become compliant right before the annual assessment. You might use an analogy of maintaining your car or personal health. If you take care of the small details continuously, the larger issues take care of themselves. On the other hand, neglecting these small details over the course of the year can lead to technical and administrative nightmares come assessment time.
Consider, for example, the PCI requirements to maintain secure system configurations. If you build a robust configuration management system based upon automated tools, administrators can respond immediately when a change in the system results in a noncompliant state. On the other hand, if you wait until the end of the year to analyze system configurations, you may find yourself with a lengthy "punch list" of changes that need to be made to production systems before the auditors arrive. This is time-consuming, and it introduces operational risks as you rapidly reconfigure systems.
All in all, you're right to seek ongoing C-level support for your PCI DSS compliance program. Speak frankly with the C-level executives at your firm and explain to them that they should no more neglect this area than they would the preservation of the integrity of the company's annual financial statements.
This was first published in October 2012
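The answer's secure-configuration example above describes an automated check that flags a noncompliant state as soon as a change introduces it, rather than producing a "punch list" at assessment time. The following Python script is an added illustration of that idea and is not code from the original column. It parses a constructed `sshd_config`-style file, compares it to a hypothetical hardening baseline (the settings, the expected values and the `PermitRootLogin`/`MaxAuthTries` rules are this example's assumptions, not a PCI DSS requirement text), and returns the drift findings an administrator would act on immediately.

```python
"""Configuration-drift check against a secure baseline (added example).

Baseline entries and the sample configs below are constructed for
illustration; they are not taken from a PCI DSS document.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Finding:
    """One noncompliant or missing setting, i.e. one punch-list item."""
    setting: str
    expected: str
    actual: Optional[str]  # None means the setting is absent from the config


# Hypothetical hardening baseline: setting -> (human-readable expectation,
# predicate that returns True for a compliant value).
BASELINE: Dict[str, Tuple[str, Callable[[str], bool]]] = {
    "Protocol": ("2", lambda v: v == "2"),
    "PermitRootLogin": ("no", lambda v: v == "no"),
    "PasswordAuthentication": ("no", lambda v: v == "no"),
    "MaxAuthTries": ("<= 4", lambda v: v.isdigit() and int(v) <= 4),
    "X11Forwarding": ("no", lambda v: v == "no"),
}


def parse_kv_config(text: str) -> Dict[str, str]:
    """Parse 'Key value' lines, ignoring blank lines and '#' comments.

    Later occurrences of a key overwrite earlier ones, so the last
    definition in the file is the one checked.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def punch_list(settings: Dict[str, str],
               baseline: Dict[str, Tuple[str, Callable[[str], bool]]] = BASELINE
               ) -> List[Finding]:
    """Return every baseline setting that is missing or fails its predicate."""
    findings: List[Finding] = []
    for key, (expected, is_ok) in baseline.items():
        actual = settings.get(key)
        if actual is None or not is_ok(actual):
            findings.append(Finding(key, expected, actual))
    return findings


def check_config_text(text: str) -> List[Finding]:
    """Convenience wrapper: parse a config file body and evaluate it."""
    return punch_list(parse_kv_config(text))


# Constructed sample: a host that still matches the baseline.
COMPLIANT_CONFIG = """
# sshd_config (constructed sample)
Protocol 2
PermitRootLogin no
PasswordAuthentication no
MaxAuthTries 4
X11Forwarding no
"""

# Constructed sample: the same host after an admin relaxed it mid-year and
# dropped a line; this is the state an automated check should catch at once.
DRIFTED_CONFIG = """
# sshd_config (constructed sample, after an ad-hoc change)
Protocol 2
PermitRootLogin yes        # temporarily enabled for a migration
PasswordAuthentication no
MaxAuthTries 10
"""


if __name__ == "__main__":
    for label, cfg in (("compliant", COMPLIANT_CONFIG), ("drifted", DRIFTED_CONFIG)):
        findings = check_config_text(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  {f.setting}: expected {f.expected}, found {f.actual!r}")
```

Run on a schedule or from a change hook, the script's non-empty result is the alert; keeping the baseline in version control alongside the checker gives the assessor evidence that the control operated all year, not just before the audit.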