
How to secure C-level support for ongoing PCI compliance

Expert Mike Chapple offers advice on how security professionals can obtain C-level support for ongoing PCI compliance.

We have problems getting our executives to provide ongoing support for PCI DSS compliance. Even between assessments, there's always something to be done, and they're not interested in anything but getting a report on compliance (ROC) that's A-OK. Do you have any tips for conveying the ongoing importance to them?

As you point out, PCI compliance is an ongoing process, not a once-a-year checkup. This is not only a matter of best practice; it is also what organizations are contractually obligated to do under their merchant agreements. Nothing in the agreement says you only need to worry about compliance when it comes time for your annual self-assessment or QSA audit. If your company is found non-compliant at any point during the year, it will be subject to fines and other sanctions.


When you mention this to C-level executives at your company, I'd suggest bringing two arguments to the table. In addition to the straightforward regulatory argument above, you should explain how it's both easier and less expensive to maintain PCI compliance over the course of the year rather than scramble to become compliant right before the annual assessment. You might use an analogy of maintaining your car or personal health. If you take care of the small details continuously, the larger issues take care of themselves. On the other hand, neglecting these small details over the course of the year can lead to technical and administrative nightmares come assessment time.

Consider, for example, the PCI requirements to maintain secure system configurations. If you build a robust configuration management system based upon automated tools, administrators can respond immediately when a change in the system results in a noncompliant state. On the other hand, if you wait until the end of the year to analyze system configurations, you may find yourself with a lengthy "punch list" of changes that need to be made to production systems before the auditors arrive. This is time-consuming, and it introduces operational risks as you rapidly reconfigure systems.
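As an added illustration of the automated configuration check described above (example code written for this page, not a tool from the original article or from the PCI Security Standards Council), the script below compares each host's current settings against an approved baseline and reports every deviation the moment it is detected. The baseline settings, the two host configurations and the host names are constructed for the example; they are not taken from any PCI DSS requirement text.

```python
"""Continuous configuration-compliance check (added example).

Compares each host's current configuration against an approved baseline and
reports every deviation, so drift is visible when it happens rather than being
discovered as a year-end punch list. Settings, hosts and baseline values are
constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed baseline: setting name -> approved value. A setting that is not
# explicitly present in the file is reported too, because the host would then
# be relying on a vendor default rather than the approved configuration.
BASELINE = {
    "PasswordAuthentication": "no",
    "PermitRootLogin": "no",
    "X11Forwarding": "no",
    "LogLevel": "VERBOSE",
}


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: str
    actual: Optional[str]  # None when the setting is not set at all


def parse_config(text: str) -> dict[str, str]:
    """Parse 'Keyword value' lines; '#' starts a comment.

    Keywords are compared case-insensitively and the first occurrence of a
    keyword wins, which is the rule OpenSSH applies to sshd_config.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.strip().lower()
        if key and key not in settings:
            settings[key] = value.strip()
    return settings


def check_host(host: str, config_text: str,
               baseline: dict[str, str] = BASELINE) -> list[Finding]:
    """Return one Finding per baseline setting that is missing or has drifted."""
    current = parse_config(config_text)
    findings: list[Finding] = []
    for setting, expected in baseline.items():
        actual = current.get(setting.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append(Finding(host, setting, expected, actual))
    return findings


def punch_list(hosts: dict[str, str]) -> dict[str, list[Finding]]:
    """Run the check over every host; only hosts with drift appear in the result."""
    results = {host: check_host(host, cfg) for host, cfg in hosts.items()}
    return {host: f for host, f in results.items() if f}


# Constructed sample: one host still matches the baseline, the other has drifted.
SAMPLE_HOSTS = {
    "pay-app-01": """
# hardened per baseline
PasswordAuthentication no
PermitRootLogin no
X11Forwarding no
LogLevel VERBOSE
""",
    "pay-db-02": """
PasswordAuthentication no
PermitRootLogin yes    # drift: re-enabled during an emergency fix
X11Forwarding no
# LogLevel line removed entirely
""",
}


if __name__ == "__main__":
    for host, findings in punch_list(SAMPLE_HOSTS).items():
        for f in findings:
            state = "not set" if f.actual is None else f"is '{f.actual}'"
            print(f"{host}: {f.setting} {state}, baseline requires '{f.expected}'")
```

Run on a schedule (or from a configuration-management hook) the same check turns a once-a-year review into a daily signal: a compliant host produces no output, and a drifted host names the exact setting to fix while the change that caused it is still fresh.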

All in all, you're right to seek ongoing C-level support for your PCI DSS compliance program. Speak frankly with the C-level executives at your firm and explain that they should no more neglect this area than they would the integrity of the company's annual financial statements.

This was last published in October 2012
