You’ve just finished a project successfully, on time, (mostly) on budget, and maybe even exactly what was asked for. You turn up to work the next day and there’s a new project waiting for you. Something called “PCI”. Suddenly, you’ve been dropped into a world of compliance, standards, security, reporting, and things you’ve never had to deal with before. And now you’re in charge of managing PCI compliance for your organisation. “It can’t be that hard,” you tell yourself. And then someone drops a 200-page set of standards onto your desk and tells you that your first meeting with the assessor is in 6 weeks.
In this article, we approach PCI from a project manager’s point of view. While we know some project managers have a security or technology background, we understand that not all do. Sometimes you are thrown into PCI purely because you’ve done well at managing large projects in the past.
Below, we’ve detailed some of our key recommendations on how to approach PCI as a PM, with the aim of reaching compliance and, more importantly, being able to manage cyber risk to your organisation’s payment channels as part of ongoing BAU.
Know the standard. Know its value
The Payment Card Industry Data Security Standard (PCI DSS) is a set of twelve high-level requirements which all merchants and service providers who take card payments, or who manage systems involved in card payment transactions, are contractually required to follow. PCI DSS impacts organisations across a wide range of industries. We’ve explored all 12 requirements in more detail here, including the level of evidence and reporting required based on your annual transaction volumes.
Requirements aside, it is just as important to note that the value of PCI DSS doesn’t lie in a tick of approval against each item, but rather in the enhanced and mature risk posture your organisation will be able to adopt, particularly as it relates to your card and payment channels: areas of critical importance to the customers and citizens you serve.
Know the Teams and Players
As a merchant (or a service provider), you will be responsible for maintaining PCI compliance, which is annually assessed and reported to your acquiring bank. The diagram below illustrates some of the key parts of the PCI ecosystem and shows how many different players are involved in helping you achieve and maintain PCI DSS compliance. It’s important to understand which external and internal teams you will need to engage as part of the PCI process, and support from Senior Leadership can be the factor that makes or breaks an effective PCI compliance programme.
Understand the scope, risks and timelines
One of the biggest challenges for organisations is to accurately understand their scope for PCI DSS. Even if you do not directly store, process, or transmit cardholder data, if you accept credit or debit cards as payment or you impact the security of someone else’s cardholder data environment (CDE), you still have certain obligations under PCI DSS. The key thing is to be able to show the transaction flow and have accurate network diagrams so that the assessor can accurately validate what they think your scope is.
Cyber-risk oversight also plays a big part in any PCI project. It’s important to understand how each of the organisations and teams you are working with views PCI risk. Acquirers want to ensure that you do not have a cardholder data breach. Having a breach puts your ability to take payments at risk.
Sometimes it’s easy to forget the end consumer when thinking about risk. They are the ones who at the end of the day risk their personal card information being stolen by a malicious third party – something not only inconvenient, but stressful and time consuming to address.
It’s also important to understand what timelines everyone is working towards. Our biggest recommendation on this is to engage your bank, service providers, and internal teams early in the PCI process. All of these parties want you to achieve compliance and will be more than willing to discuss a reasonable timeline to achieve this.
Validate your assumptions
Handover to responsible Business-As-Usual (BAU) teams. Keep PCI alive.
One of the biggest challenges we see organisations face, as PCI assessors, is that when they successfully complete their project and achieve PCI compliance, they then fail to go on and proactively manage their risk over the course of an assessment year. While a PCI assessment takes place at a ‘point in time’, PCI itself is a minimum level of security that is required on an ongoing basis – that’s why the standard includes requirements for annual, quarterly, monthly and even daily checks, where changes are assessed and security improvements can be made in a timely manner. This is why during an assessment you need to be able to show evidence of what’s happened in the past, to ensure that you can continue to meet that minimum level of security assurance.
We’ve been doing quite a bit of thinking about this challenge at Confide, which has resulted in the development of our “Managed Assurance Programme”, now being used with success by many of our customers. This programme offers not only an in-depth PCI assessment, but also ongoing consultation, check-ins and scanning activity over the course of an assessment year.
Whatever stage of the PCI and security journey you and your organisation find yourself in, as NZ’s leading QSA Assessment company Confide stands ready to help. Get in touch today!