In our webinar, Insights for Navigating PCI DSS 4.0 Milestones, we discuss some of the challenges organizations face as they try to comprehend the new requirements of PCI DSS 4.0. One of the questions we commonly hear is, “How do we prepare for PCI 4.0 deadlines while still maintaining day-to-day operations?”
The discussion brought together David Bruce, our Head of Product Management, and guest experts Shubhra Deo (Head of Data Privacy and Security), Angus Macrae (Head of Cybersecurity), and Funso Richard (Information Security Officer), who offered the following insights:
- Begin with the end in mind. The first step in any compliance effort is to benchmark where you are today and identify the gaps between that and where you need to be. For PCI DSS 4.0 that means a gap assessment against the new and changed requirements, noting which are effective immediately and which are future-dated (best practice until 31 March 2025, mandatory thereafter), so that remediation is prioritized accordingly. Then identify who is in charge of what: which teams own which requirements, what each owner is expected to deliver, and by when.
- Create the right culture. If PCI DSS 4.0 is ever to be seen as more than a security-team silo, it must be adopted enterprise-wide. That requires buy-in from strong and visible sponsors such as the CISO and CEO, and it must reach every division of the company: HR, IT, security architecture, research and development, and so on. A top-down approach is particularly helpful for driving that culture, and remember: aligning compliance with security and business goals gives it longer legs than pushing it out as ‘compliance’ alone.
- Recognize PCI DSS 4.0 as a business function. It doesn’t take much experience to know that ‘compliance’ doesn’t sell, at least not in board rooms. Ask for $1M towards a ‘compliance initiative’ and you can expect disappointment. Ask for $1M towards ransomware protection and you can expect a listening ear. PCI DSS is what it always has been: a business objective for reducing risk. PCI DSS 4.0 is no different; its customized approach goes further, letting an organization meet a requirement’s stated objective with controls of its own design instead of the defined control, provided it documents a targeted risk analysis and can show the assessor that the objective is actually met. It is too easy to misinterpret this initiative as a “security thing” and undermine its value to the organization.
As with every compliance objective, the goal is to protect the assets that represent the bottom line; in plain terms, to keep companies (and their customers) from losing a lot of money. If this isn’t drilled home, organizations risk shoving this latest iteration of PCI DSS to the back of the pile and (literally) paying for it later.
- Weave compliance documentation into your standard processes. PCI DSS 4.0 adherence isn’t a one-and-done exercise. It needs to be part of the walk and talk of the organization and baked into the daily practices on which the company runs. Many requirements specify how often a control must run (quarterly vulnerability scans, periodic firewall rule reviews, annual policy reviews), and the evidence that it ran on schedule is what an assessor will ask for. Organizations should therefore be ready to respond to an assessment at any time, and maintaining compliance with the new requirements should look more like weekly upkeep than once-yearly spring cleaning.
- When the rubber meets the road, here are three steps for practical PCI DSS 4.0 implementation:
- Show the business value. This is critical to gaining buy-in, and buy-in is critical to launching long-lasting change. When framed as a business need, C-level executives see this ‘obscure compliance requirement’ for what it really is: a risk reduction strategy that cuts down on malware, ransomware, and social engineering risk across the enterprise. This should catch the interest not only of the CISO but of the CEO and every invested stakeholder, reducing the risk of later pushback and easing the road to implementation.
- Present PCI DSS 4.0 as a business program. PCI DSS 4.0 adherence shouldn’t be a question: it should be a mandatory policy taken for granted as part of business best practices. The reality is that security compliance is something that every strong, successful company abides by as a matter of course. Can you imagine another Enron scandal? Who would do business outside the realm of Sarbanes-Oxley? So it is with PCI DSS and every iteration thereof, and stakeholders need to understand this and make room in their schedules, roadmaps, and daily practices for it.
- Manage each program like a project. Each implementation effort should have a start date and an end date. Assign a project manager and keep the owners aligned through regular meetings. PCI DSS 4.0 compliance efforts should not be languishing in the back corner of a system administrator’s desk. By tackling the project head-on, you create the momentum needed to make the critical decisions (what do we want, and how will we get there?), assign them to the right parties (who will own this policy change?), and settle the practices (how will we weave this requirement into the workflow so it never gets neglected?).
When done correctly, PCI DSS 4.0 adherence should make day-to-day security easier, not harder. Just as a rocket burns most of its fuel getting clear of the atmosphere, there will be an initial surge of effort as you get the PCI DSS 4.0 measures off the ground. It takes work to establish the pattern once, but once the systems are in place, security policies interwoven with PCI DSS will prove a huge lift to protecting cardholder data on the company’s own terms.
Learn more about protecting your customer payment data and staying audit-ready here: https://www.tripwire.com/solutions/compliance/pci-dss