Appalachia Technologies Blog
5 Steps to Build a PCI Program That Makes Managing Compliance Easy
PCI Data Security Standard (PCI DSS) compliance isn’t new, but it does constantly change. Maybe you’ve sorted it out, maybe not. Regardless, making it easier should be a goal for every security or compliance leader. A strong compliance management program will maintain compliance for you. It can also be a great tool to help bolster security and justify budget allocation. So how do you do it?
1. Reduce Your Scope
PCI DSS has levels - check pcisecuritystandards.org for the most current definitions. This makes PCI about "relative risk" - the more risk you have, the more work there is to do. And that risk only applies to the PCI environment you have. Have a flat network? Then your whole business is in PCI scope. If you segment your PCI processes and systems from the rest of your operations, you get less scope. Regardless of your level, you want to have data flow diagrams (DFDs). This is the easiest way to understand your process and build a tactical plan for scope reduction.
In nearly every assessment I’ve conducted (PCI or otherwise), I’ve seen there are three ways things are “done”: 1. The way it’s documented, 2. The way management thinks it works, or 3. The way it actually works. The assessor asks a question about a process, and they must get another person in the room to answer that question. This happens again, and by the end, there are multiple people in the room for one flow. Most people didn’t realize all these people and systems were involved in one process. Doing this validation will speed up (or can be part of) step 2.
2. Mind the Gap
This is the part where you figure out what you have and what you need. Your compliance requirements are based upon your PCI DSS level. It is a good idea to look at the entire set of requirements though. Consider some of the additional things you may not be required to do. This is partly because in the future, things may change. You’re already investing time and resources now, so take advantage and find other areas of improvement to reduce risk.
Assess the current state against your requirements and test. Document what you have and create a list of gaps that need remediation. From these gaps, you’ll build out project plans specific to each. Some may be as simple as documenting a process while others could require implementing new technology or services.
Depending on your complexity, you can do the assessment and remediation yourself or work with an experienced partner. It’s important to note that while PCI has Qualified Security Assessors (QSAs), you don’t need them at this stage. This is a great place to leverage your trusted security partners who know PCI.
3. Remediate
This is where change happens. You may still be implementing segmentation to reduce your scope from step 1, and now you are working on implementing all the policies, controls, and processes that PCI requires. This will be different for everyone. A key recommendation here is to leverage a strong project management process. Staying on track and on budget is necessary. You need to make these projects a priority to meet your compliance deadlines.
You must also “Build the Program.” PCI is not a “one and done” task. With all programs, you need the technology, the processes, and most importantly, the people. People are what ensure the processes run. They drive change proactively. They ensure integrations with other areas of the business; they communicate risk, value, and change. Without people, you will struggle to maintain compliance, or it could become a “fire drill” every year. The number of people (FTEs) will vary. Honestly look at everything you must do and quantify it so you can have the right support. There are services you can use to manage your PCI (or any GRC) program. Even with those services, you still need someone internal with the knowledge, integrations, and time to deal with it.
4. Pre-Audit & Certify/Attest
Whether you’ve done everything yourself or with partners, this is where having a third party will drive improvement. The “outside eyes” doing the evaluation will give you a fresh perspective. If you do require a QSA and a Report on Compliance (ROC) to be submitted, pre-audits reduce risk. Don't waste time and money on the audit if you're not sure you'll pass.
If you haven't already, then now is the time to get testing done. Use an Approved Scanning Vendor (ASV) for your required scanning and conduct penetration testing to validate your segmentation. Test anything else that you may need to provide evidence for based on your scope and level. Often this is for a compensating control around a non-compliant answer.
If all is well with this assessment, you can move on, but you may find some things that require remediation. You can see how managing time and resources is very important for this entire process. Once you have all your ducks in a row, store your evidence, and submit your forms (or engage your QSA for the audit & ROC).
5. Manage the Program and Be Prepared for Change
The people and/or services you put in place now go into “management mode.” Continually monitor your PCI environment for changes that could knock you out of compliance. Ensure that change control accounts for PCI. Conduct your periodic ASV scans as part of your vulnerability management program. Maintain the evidence you use for audit and update it when the environment changes. Doing this ensures the next audit will go just as smoothly as this one did. Monitor PCI DSS regulation for changes, clarifications, release notes - anything that you may have to address. You also want to take advantage of other GRC programs in place and gain efficiencies across all your frameworks.
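As an added illustration of two points above, that a flat network puts the whole business in PCI scope (step 1) and that change control must account for PCI (step 5), the following Python models a constructed environment as a connectivity graph. It is not code from the post or from Appalachia Technologies; the system names, the segmentation policy and the proposed changes are invented sample data.

```python
from collections import deque
from itertools import combinations

# Constructed sample environment (not from the post): five systems, two of
# which store, process or transmit cardholder data (CHD).
SYSTEMS = ["pos-terminal", "payment-gateway", "hr-fileserver",
           "marketing-wiki", "dev-jenkins"]
CHD = {"pos-terminal", "payment-gateway"}
# Flat network: every system can reach every other one.
FLAT_LINKS = list(combinations(SYSTEMS, 2))
# Assumed segmentation policy: the firewall permits only the payment flow
# between the two CDE systems; every other link is dropped.
SEGMENTATION_POLICY = {("pos-terminal", "payment-gateway")}

def in_scope(links, chd_systems):
    """PCI scope = CHD systems plus every system with an unsegmented network
    path to one. Links are undirected here (a simplification): a system that
    only initiates connections into the CDE is still 'connected-to'."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = set(chd_systems), deque(chd_systems)
    while queue:
        node = queue.popleft()
        for peer in adj.get(node, ()):
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen

def apply_segmentation(links, allowed):
    """Keep only the links the segmentation policy explicitly permits."""
    return [l for l in links if l in allowed or (l[1], l[0]) in allowed]

SEGMENTED_LINKS = apply_segmentation(FLAT_LINKS, SEGMENTATION_POLICY)

def scope_expanding_changes(links, chd_systems, proposed_links):
    """Change-control check: each proposed link that would pull new systems
    into scope, paired with the systems it would add."""
    base = in_scope(links, chd_systems)
    flagged = []
    for link in proposed_links:
        added = in_scope(links + [link], chd_systems) - base
        if added:
            flagged.append((link, sorted(added)))
    return flagged
```

On the flat graph every system lands in scope; after the policy only the two CDE systems remain, and a proposed link from dev-jenkins to the payment gateway is flagged before it is approved.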
Managing compliance can be made easier. Segmentation can help to narrow the scope. Consider the gaps in both what needs to be remediated to meet compliance as well as areas that might not fall in scope but should be considered. Remediation requires strong project management as there will likely be multiple projects to address. Utilize a third party to test remediation and essentially pre-audit your environment, followed by the actual audit. And finally commit to regular management of the PCI program to stay on top of changes or updates. Using these five steps will help you and your organization to make the road to PCI compliance a smoother ride.
If you are looking to simplify the process by leaning on a knowledgeable partner, contact us – or 888-277-8320.
Wil Klusovsky has worked in cybersecurity for many decades. He’s been on “both sides of the table,” as a client of security firms and working with consulting, managed services, product and reseller organizations. His skills span most domains of security, having worked on or built multiple teams and service lines. Wil works across client support, go-to-market, strategy and service development, and formerly served as a C-level executive. He’s a partner and advisor to CISOs, CIOs, and business leaders. He hosts a podcast discussing the business of security (The Keyboard Samurai), and is a home brewer and consumer of wine, craft beer, and spirits. As a true Star Wars fan, he believes all Star Wars is good.