We have problems getting our executives to provide ongoing support for PCI DSS compliance. Even between assessments...
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
there's always something to be done, and they're not interested in anything but getting a report on compliance (ROC) that's A-OK. Do you have any tips for conveying the ongoing importance to them?
As you point out, PCI compliance is an ongoing process, not a once-a-year checkup. This is not only based upon best practices, but is also what organizations are contractually obligated to do under their merchant agreements. There's nothing in the agreement that says you only need to worry about compliance when it comes time for your annual self-assessment or QSA audit. If your company is found non-compliant at any point throughout the year, it will be subject to fines and other sanctions.
Ask the Expert!
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today! (All questions are anonymous
When you mention this to C-level executives at your company, I'd suggest bringing two arguments to the table. In addition to the straightforward regulatory argument above, you should explain how it's both easier and less expensive to maintain PCI compliance over the course of the year rather than scramble to become compliant right before the annual assessment. You might use an analogy of maintaining your car or personal health. If you take care of the small details continuously, the larger issues take care of themselves. On the other hand, neglecting these small details over the course of the year can lead to technical and administrative nightmares come assessment time.
Consider, for example, the PCI requirements to maintain secure system configurations. If you build a robust configuration management system based upon automated tools, administrators can respond immediately when a change in the system results in a noncompliant state. On the other hand, if you wait until the end of the year to analyze system configurations, you may find yourself with a lengthy "punch list" of changes that need to be made to production systems before the auditors arrive. This is time-consuming, and it introduces operational risks as you rapidly reconfigure systems.
All in all, you're right to seek ongoing C-level support for your PCI DSS compliance program. Speak frankly with the C-level executives at your firm and explain to them that they should no more neglect this area than they would the preservation of the integrity of the company's annual financial statements.
Dig Deeper on PCI Data Security Standard
Related Q&A from Mike Chapple
Encrypting data going to the cloud is a security best practice, but does it add extra challenges for regulators that might need to access the data? ...continue reading
Merchants that sell at off-site venues need to take extra care to follow PCI compliance standards. Expert Mike Chapple discusses how organizations ...continue reading
The FTC's order for PCI DSS compliance assessments is odd since PCI isn't a government regulation. Expert Mike Chapple explains the motivation ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.