Learn How to Adopt a Stress-Free PCI Compliance Process
May 12, 2021
At a glance:
- The main takeaway: For many payment facilitators, the PCI compliance process is notoriously stressful and often inefficient, leading to constant fire drills that disrupt business operations.
- Impact on your business: By viewing PCI compliance as an iterative process and adopting a more methodical approach, you can eliminate unnecessary headaches and better protect your business over the long term.
- Next steps: If you need help overhauling your PCI compliance process with an approach that delivers results, contact Aprio today.
The full story:
If you’re a payment facilitator, then you are already aware of the rigid security standards you must uphold, including the well-known Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS is a set of security standards that ensures all companies that process, transmit or store credit card data maintain a secure environment.
Unfortunately, for many payment facilitators, the typical approach to PCI compliance is drama-filled and ineffective. Every year, hundreds of data breaches befall retailers, financial institutions and fintech companies due to inefficient PCI compliance processes.
So, what’s happening? Why are these seemingly PCI-compliant organizations falling victim to preventable attacks?
PCI compliance must be an iterative process
The root of the problem is the misguided notion that compliance should be focused on a specific point in time. The PCI Security Standards Council (PCI SSC) deserves some credit for attempting to dispel this misconception with its introduction of the “Business as Usual” (BAU) concept, an approach in which compliance activities are baked into an organization’s ongoing security strategy and operations.
However, the BAU mindset is still not widely known or adopted among payment facilitators; in fact, many businesses still perform the once-a-year rush to compliance instead of upholding an iterative process.
See if you recognize this scenario: Your PCI Qualified Security Assessor (QSA) shows up in the weeks just before your Report on Compliance expiry date, which does not leave you enough time to understand your PCI cardholder data environment (CDE) in a meaningful way. The QSA identifies concerns that you should have addressed months ago, and your report is stuck in a quality assurance black hole — leaving you (and those depending on your Attestation of Compliance) biting your nails as the clock ticks toward your expiry date.
This compliance fire drill drains your business’s time and energy, and it doesn’t effectively address the state of your CDE during the other 10 or 11 months of the year. In addition, the fire drill sends the message that your compliance controls are only in place to achieve the “checkmark” of PCI compliance — not to protect your business or customers.
A better way to comply: institutionalized risk management
You don’t have to accept compliance fire drills and dysfunction as the norm. To break out of this cycle, take a step back and incorporate PCI DSS requirements into your business’s ongoing risk management approach.
First, consider how your organization can apply the PCI SSC’s best practices for implementing PCI DSS into your BAU activities. For example, review changes to your CDE or to your organizational structure before you implement them, and then follow these three steps:
1. Determine the potential impact of environmental or organizational changes on the PCI DSS scope
2. Identify PCI DSS requirements applicable to systems and networks affected by the changes
3. Update the PCI DSS scope and implement security controls as appropriate
The previously mentioned scope changes are the culprit for most PCI compliance drama. Think about it in the context of the scenario we reviewed above: Your infrastructure is constantly changing, as you bring new functionality, new connections and new types of data online several times a year. In the absence of a BAU approach, these scope changes are sure to contribute to the fire drill that happens in the weeks prior to your PCI compliance assessment. A BAU approach, on the other hand, means that you make these changes with full knowledge of how they can contribute to vulnerabilities in the CDE or any other risks.
From high-drama to no-drama
When you adopt a BAU approach, you need to maintain and monitor controls on a continuous basis — and you also need to ensure that your auditors test those controls throughout the year. CPAs understand this; the BAU mindset is akin to the concept of “operational effectiveness,” which is baked into CPAs’ attestation standards.
At Aprio, we have extended this concept into an agile approach to auditing that spreads testing throughout the year. Organizations that schedule the ongoing monitoring and testing of controls throughout the year find that the process is more efficient and provides greater peace of mind. By starting as early as possible, businesses can prioritize the areas that their risk assessment deemed most risky, allowing plenty of time to remediate those issues.
With institutionalized risk management and agile auditing, PCI compliance transitions from a high-drama, anxiety-producing fire drill to a non-event where the Report on Compliance is produced as a byproduct of ongoing monitoring and testing. This approach promotes maximum buy-in and awareness, gives the most attention to high-risk areas, builds risk into business decision-making throughout the year and creates minimal disruption in the company.
Are you ready to revamp your PCI compliance approach and adopt an iterative, no-drama process? Contact Aprio today.
About the Author
Dan Schroeder
As a Partner of Aprio’s Information Assurance Services team, Dan applies his over 25 years of experience in IT, operational and risk management functions to provide guidance on cybersecurity and privacy risk management strategies to the CISOs, CIOs and Internal Counsel of domestic and international technology-based businesses. In addition to helping clients establish, monitor and maintain effective information security and privacy risk management programs, Dan specializes in providing risk assessments and attestation services to address PCI, ISO, CMMC, FedRAMP and other leading privacy and security protocols.