Common PCI DSS Mistakes
When it comes to the Payment Card Industry Data Security Standard (PCI DSS), there are common mistakes that every QSA or ISA sees, regardless of sector and organization size.
Addressing the following five points within your organization will go a long way in eliminating that frantic scramble in the month before an audit, where everyone is feverishly checking payment card terminals, modifying dates on documents and checklists, and ‘refreshing’ staff on all things relating to information security.
1. Focusing only on compliance
Many organizations miss the point that the objective of PCI DSS is protecting cardholder data through sustainable payment security, of which compliance is the evidence. Always keep in mind that the annual audit is a point-in-time assessment of your payment card security efforts. If the wheels fall off the moment the assessor leaves, your organization is failing to meet its obligations to protect cardholder data.
2. Organizations forget that the PCI DSS is the MINIMUM
The PCI DSS has the challenge of being a global standard that needs to be applied to legacy systems as well as the latest technologies in everything from multi-national conglomerates to less mature organizations. Any organization that has chosen to accept card payments is responsible for applying the relevant controls applicable to its environment, as well as any other controls that support the goal of securing cardholder data. This may require using other information security standards alongside the PCI DSS.
3. A lack of governance and structure in managing a PCI DSS program
Ensuring controls are not only in place, but working as they should be day in, day out, requires a plan. The PCI DSS touches many areas of the organization, and it must be acknowledged as a business requirement. It’s not the sole responsibility of the IT department because it mentions firewalls, just as it’s not the sole responsibility of the finance department because it involves payments. The day-to-day management of PCI DSS requires a coordinated effort across the whole organization and should be included as part of overall information security and data protection efforts.
4. Creating policies, processes, and procedures purely for compliance
Failing to embed PCI DSS controls as business as usual undoes all the hard work in the blink of an eye. Often organizations create these documents to meet what they assume an assessor wants to read, but creating the required document set needs to involve key staff to discuss and work through the requirements, as well as analyzing how staff need to carry out their day-to-day responsibilities. The inclusion of key staff is vital to the success and practical application of policies, processes, and procedures.
5. Believing that payments are not ‘core’ or ‘critical’ to the organization
What happens to the organization if card payments are no longer accepted? How does that impact the day-to-day operations? The expectations of the customer? Without the formal acknowledgment of the importance of payment acceptance, many organizations fail to secure the required budget or staff resources to maintain the security controls.
The PCI DSS does not have to be an overwhelming burden on your organization. By making the changes above in how you approach it, and by shifting your mindset from compliance to security, you can help your organization not only achieve compliance, but maintain the controls that are in place to protect cardholder data.
SureCloud is a provider of Gartner recognized GRC software and Cyber & Risk Advisory services. Whether buying products or services, your organization would benefit from automated workflows and insight from the award-winning SureCloud platform. All of SureCloud’s service offerings are fully compatible with the GRC suite of products enabling a seamless integration of information, taking your risk programs to the next level.