Whether you are a merchant looking to meet your acquiring bank’s requirements, or a potential client is expecting a PCI Attestation of Compliance in order to partner with you, it is important to fully understand and manage your compliance initiative. Unfortunately, many stakeholders are not aware of what the Payment Card Industry Data Security Standard (PCI DSS) is, or what role they need to play to ensure compliance.
A significant aspect of addressing PCI DSS compliance is ownership within your organization, as many departments have a stake in it:
- Finance – PCI deals with monetary transactions
- Information Technology – the PCI framework is technical in nature
- Compliance – PCI is a set of standards that your organization needs to comply with
Forming a Committee
Often, PCI DSS is treated as a stand-alone compliance project, separated from other compliance areas such as Sarbanes-Oxley, HIPAA Security, and ISO. Trying to manage PCI DSS requirements separately instead of in conjunction with other control frameworks can, unfortunately, be a waste of time and resources, while simultaneously weakening the overall structure.
PCI compliance is a process that should be looped into your organization’s corporate governance framework. In some cases, however, this might not be possible. If your organization does not have this luxury, it is highly recommended that you work internally to create a formalized committee to address PCI DSS compliance guidelines.
Having a formalized committee provides your team with the benefit of direction, clarification, and accountability for each applicable business unit. Your committee, by virtue of being a central pillar of your compliance program, initiates and helps manage the integration of PCI security processes into daily business and operational procedures. It will also assist in monitoring security controls on a continuous basis and in maintaining compliance throughout all processes, procedures, and technologies – all of which works directly toward Requirements 12.4 and 12.5.
Another benefit of having a PCI-focused committee in place at your organization is the continued improvement of your program. Often, the effectiveness of an organization’s PCI DSS security controls – and its overall state of compliance – will decline after the initial assessment is completed. By creating a committee and revisiting the effectiveness of controls, your organization is making a deliberate effort to maintain a more consistent state of security and compliance.
Who Should Be in Your Committee?
Your PCI DSS compliance committee can and should be made up of people from various business units:
- Finance
- Information Technology
- Risk Management
- Compliance
- Legal
- Internal Audit
- Others
Mixing members from multiple groups is ultimately what helps implement controls throughout the entire organization, and can ensure the removal of a siloed approach to PCI compliance.
One of the most important aspects of the committee is the assignment of a dedicated project manager. Having a project manager as a part of your PCI committee is critical to maintaining ongoing compliance, as well as to minimizing any potential “fire drills” you may encounter during the annual PCI compliance validation or quarterly internal reviews. Ongoing compliance requires centralized coordination of numerous resources, actions, projects, and people. A project manager should be responsible for collecting, collating, and storing evidence in order to demonstrate that PCI security controls are operating effectively on a continuous basis.
Determining the responsibilities and resources needed to maintain PCI compliance as a company-wide expectation, through an achievable governance structure, is critical. By doing so, you are less likely to use your valuable resources inefficiently or to obstruct the continuity of any aspect of the business, and more likely to achieve ongoing compliance in an orderly manner and to keep the Board effectively educated.