If you signed on the dotted line with an acquirer, did you read the fine print? Did you read where it says that you will not only be compliant with the PCI DSS but that you’ll maintain that compliance? I know, compliance is a dirty word. But when it comes to safeguarding your customers’ payment card info, it’s literally the bare minimum of the necessary security to ward off bad actors. Your customers are your number one asset – doesn’t it make sense to protect their most vital data?
In last month’s post, we tackled the seven most common challenges merchants face with it comes to achieving PCI DSS Compliance. Today, we’re going to dive into seven key reasons whey implementing a sustainability program is critical to your organization’s ability to maintain continuous compliance. Ready?
Reason Number 1: Ensure the security of the in scope systems
With a robust sustainability program, you have expert eyes on critical control areas and the people, processes, and technologies that are in scope for PCI DSS assessment.
Reason Number 2: Establish best practices
A PCI DSS sustainability program gives you the opportunity to establish best practices, mature your compliance program, fine tune processes, and implement continuous – business as usual – compliance.
Reason Number 3: Continuous process improvement
The more you can fine tune your PCI DSS Compliance processes, you’ll be able to shift process related activities to junior staff and allow your senior experts to focus on strategic projects that help refine and automate your cardholder data assessment processes or even descope them.
Reason Number 4: PCI DSS Controls have frequencies
A sustainability program focuses on requirements that have time frequencies as well as control areas that need improvement (i.e., reviewing firewall rules quarterly rather than every six months). With sustainability, you’re teams will know when they need to provide evidence on a regular cadence.
Reason Number 5: Prevent the annual RoC from becoming a fire drill
Let’s be real for a second – the report on compliance is mandatory for all level 1 merchants and any merchant regardless of level that is required to provide a report on compliance by either their acquirer or card brand. Most level 1 merchants fall out of compliance shortly after the ink is dry on their most recent report. Why? Because they don’t have a sustainability program. The RoC is treated like a bad surprise every year and that creates wasted effort, lost money, and burned out staff.
With a sustainability program, a merchant can leverage continuous compliance activities, mature their PCI DSS program, and save time, effort, and money when it comes to the annual RoC.
Reason Number 6: The ability to identify control failures and remediate in a timely manner
Facts
- Merchants that don’t have a sustainability program in place have upwards of 50% control failures
- According to the 2020 Verizon Payment Security Report, only 28% of merchants were in full compliance with the PCI DSS 6 months after their RoC
A sustainability program won’t stop things from breaking or automagically fix things but it will greatly enhance your ability to pinpoint control failures so that the processes you’ve developed prioritize the remediation, execute the remediation, and allow people to sleep better at night.
Reason Number 7: Things change and so do people
A sustainability program recognizes that change is constant and the program can adapt, grow, and flex with change. Requirements change – are you ready for PCI DSS v4.0? The threat landscape changes – war in Ukraine, Covid, and the rise of ransomware. People change roles, institutional knowledge leaves the company. Can your company withstand the change of an early retirement plan coupled with your two most senior PCI experts leaving without spending an arm and a leg for the QSA to step in?
If you don’t have one, what’s stopping you?
- Money?
- Time?
- Resources?
- Lack of knowledge?
- Who cares?
