PCI compliance may sound like an annual exercise to those that haven’t been through an assessment, but organizations that have built successful, mature compliance programs know that it is a continuous process that requires commitment from all walks of the organization. Strong governance and risk management programs are foundational to build efficient, sustainable and effective compliance programs. When governance and risk management become “business as usual” as opposed to annual, check-the-box events, companies accelerate their journey toward that ideal state of continuous compliance.
Where do I fit in? Establishing Clear Roles and Responsibilities
Establishing clear roles and responsibilities throughout the organization is not only a requirement you will find throughout the PCI Data Security Standard (DSS), but also lays the groundwork for a mature and effective continuous compliance program. This includes designating (and documenting) the individuals or teams who are responsible for implementing and maintaining the security controls, monitoring the organization’s compliance efforts and status, responding to incidents, and identifying deviations from company-approved processes and procedures. By establishing and communicating the roles and responsibilities through the formal compliance program, organizations will have greater assurance that all required compliance elements are in place and effective.
Documenting Policies and Procedures
Documented roles and responsibilities should be integrated into the organization’s security policies and procedures and clearly communicated to all involved parties (internal personnel as well as business partners or service providers with responsibility for relevant compliance and security elements). Security policies and procedures should be aligned with the PCI DSS requirements, and this is a fantastic way to ensure all elements required for compliance are present. Policies regarding access control, network security, data classification, incident response procedures and security awareness training are just a few examples of the required policies. These documents are intended to provide clear guidance and serve as the organization’s governance foundation. Regular reviews and updates to security policies and procedures are required to adjust the security program for constantly evolving threats and industry best practices. An organization’s policies and procedures are critical assessment evidence, and your QSA will likely ask for them at the onset of the assessment.
Risk assessments are another fundamental component of a robust compliance and security program: they provide the opportunity to identify and mitigate potential vulnerabilities and threats in the organization that can affect the security of cardholder data and the surrounding infrastructure. Risk assessments should include both technical risks, such as system vulnerabilities and infrastructure weaknesses, and non-technical risks, such as human error. If an organization regularly assesses its security program against the evolving risk landscape, resources can be more effectively allocated to address the threats with the highest potential impact and likelihood.
A mature risk management program doesn’t stop with regularly scheduled risk assessments. Risk assessments are critical elements of an organization’s incident response plan and should be conducted after an organization has experienced a significant security incident. Performing a risk assessment at this time allows the organization to evaluate whether it is focused on the right controls and strengthen the security program where needed to mitigate the now-known risk.
Regular Assessments and Audits
While not every organization is required to have an external PCI DSS assessment, a third-party assessment by a QSA can provide a unique perspective and offer valuable best practice guidance collected from the assessor’s experience. A third-party assessment can also provide leadership with outside validation that the security program and related controls are in place and operating effectively to address the risks identified by the organization during their periodic risk assessments.
Strong governance and risk management programs are critical elements in a successful PCI compliance program. Establishing clear roles and responsibilities, documenting processes, procedures, and policies, conducting regular and responsive risk assessments, implementing and monitoring the efficacy of controls, and continually improving security posture are all required for organizations to comply with the PCI DSS and protect cardholder data.