You know the old saying, “you reap what you sow.” If you don’t already have the structure or a sustainable set of processes in place, or you’re not planning your PCI DSS activities, your next PCI Report on Compliance will be a fire drill at best, and you might not even get a pass from your QSA when all is said and done.

Q1 2022 is almost over. Have you completed the following:

  • Is your statement of work in place with your QSA?
  • Do you have any remediation efforts underway? If so, are they on track to complete before your PCI Report on Compliance assessment kicks off?
  • Have you planned out all the activities that need to happen this year? 
  • Have you completed your first quarter internal and external vulnerability scans? 
  • Has your CISO, CTO, or CIO reviewed the organization’s Information Security Policy and all the standards that fall under it? 
  • Have you organized the annual PCI training for everyone involved in PCI activities? 
  • Have you gathered the documents you need from your service providers? 

Or are you flying by the seat of your pants?

And if you’re flying by the seat of your pants, you may want to implement a PCI DSS Sustainability program. I remember all too well what it was like the first year I spent in the churn of PCI. It was crazy-making. All I could think about was quitting, but that’s not who I am. Once upon a time I turned the worst (and I mean the worst) unit in the 3800th Air Base Group at Keesler AFB into the best unit. How? By implementing structure, repeatable processes, accountability, and ownership.

No matter where I’ve worked, I have a knack for creating structure to help me make sense of what needs to be done, who needs to do it, when it’s due, and maybe some guidance around the how. I realized long ago that as long as I was crystal clear on what needed to be done, the how figures itself out.

When my career landed in the realm of PCI, I knew I needed to create structure and sustainability and turn the churning chaos into calm.

What is PCI DSS Sustainability?

PCI DSS Sustainability: A system or structure of processes and procedures that support and enable PCI Compliance without adding significant overhead to control owners, subject matter experts, and other resources involved with PCI Compliance.

When my business partner and I began working together, we knew we needed to create something that would make assessing PCI DSS Requirements effective and efficient for the QSA, SMEs, and ourselves. We needed metrics that could be easily understood by senior leadership. And we needed to train anyone and everyone involved with PCI DSS so everyone was on the same page, same paragraph, and same sentence. 

A PCI DSS Sustainability Program clearly defines and articulates:

  • Any open findings that must be mitigated, fixed, or otherwise cleared before the start of an assessment.
  • The outcome that’s desired (a Report on Compliance, Attestation of Compliance, Prioritized Approach Document, etc.)
  • An executable plan with defined milestones and critical activities.
  • The standards that must be met for all requirements to be assessed as “in place.”
  • A method or “machine” to track and collect the documentation and evidence (e.g., screenshots of configuration settings) to be assessed.
  • A dashboard that gives senior executives and leadership the metrics they need to make informed decisions.
  • Clearly defined and communicated roles and responsibilities for accountability and ownership.

Are you ready to sow the right seeds to meet the requirements of PCI DSS? Request a call back today!

If you’re like most merchants, your PCI DSS program needs a sustainable structure in place for you to achieve and maintain adherence to the PCI DSS requirements. If you’re not sure where to start, we can help. At Payment Card Assessments, we envision a future where merchants can consistently meet the rigors of the PCI DSS while saving time, effort, and money.

