I’ve been involved with PCI-DSS in some way, shape, or form over the past eight years. For most of this time, I worked for corporations that needed to achieve or maintain PCI DSS compliance. A little over a year ago, I received Qualified Security Assessor (QSA) training and became a full-fledged QSA. It’s quite different being on the other side of the fence. I also understand my clients’ struggles better than most assessors.
To those folks working on PCI-DSS compliance year after year, I feel your pain! I know it’s hard to get priority. I know it can seem like herding cats at times. Let’s make one thing clear: I may be your QSA, but I’m here to help you achieve or maintain compliance. I’m not just coming in, ticking boxes, and giving you a report and saying, “Good luck!”
If you remember Susan Powter’s weight loss commercials back in the 90s, this post's title, "STOP THE INSANITY!" may resonate. Let me share a personal story showing how my weight loss journey relates to achieving and maintaining PCI DSS compliance.
Back in 2001, I was fat. There’s no nice way to put it. I weighed 389 pounds and had never exercised a day in my life. I was over it. I knew that if I didn’t get serious about my health that there would be severe consequences in the future. So, I did a ton of research, bought some supplements, removed all the junk food from my apartment, and took baby steps towards a regular exercise routine. I didn't do much more than using a stair stepper for five to ten minutes a day during my first month. Over time, I added more cardio and eventually, weight training. I lost 194 pounds over three years. It was the greatest feeling ever!
However, once I achieved my goal weight, I had to maintain it, and I still continue to do so to this day. My weight loss required a plan, a goal, some motivation, and most importantly, a lifestyle change.
PCI DSS compliance is not so different from a weight loss regimen. Organizations need:
- A Plan: Start at a high level with the DSS and dig deeper into each of the 12 sections. Assign the proper resources to each of the tasks. Realize that many of these tasks are time-based and require continuous care and feeding from those resources. Make sure you’re taking baby steps – you’ll end up failing if you try to tackle the entire DSS in a matter of weeks or months.
- A Goal: The goal shouldn’t simply be to achieve PCI DSS compliance because your acquirer demands it or your customers demand it. Make it a larger goal to help increase your security posture as well – maybe just one facet of your security posture each year.
- Motivation: You need buy-in from the top-down. The entire company needs to be behind you. Many folks fail to realize that PCI isn’t just about technology. It’s about people, processes, and technology. If one of those three areas fails, the entire PCI program at your company can and will fail.
- A Lifestyle Change: PCI DSS is not a project. Let me say that one more time: PCI DSS is not a project! Many companies treat PCI as something they can start internally a month or so before the QSA arrives on-site. The problem then becomes that none of the time-based controls that must be performed daily, weekly, monthly, quarterly, etc. are complete. Everybody starts scrambling and finger pointing. By the time the QSA comes on site, the client is no better than they were a month or so ago.
PCI is something that everybody needs to realize is a part of their work life and they need to adjust accordingly. Telling your QSA, “Well, that requirement is really hard for us to meet,” does not mean that we’re going to help with a compensating control or justify not testing that requirement.
Though the PCI DSS has its flaws, just like every other form of regulatory compliance out there, it’s still necessary if you store, transmit, or process credit cards. However, with the proper planning, knowledge, and motivation, it can be much less of a daunting change to a company than it seems.
This post is by Chris Blow, Senior Security Advisor at Rook Security, an IT Security firm providing security strategy, crisis management, and next generation security operations services.