How to Stop PCI DSS Control Failures Without Losing Your Cool

Hot coffee in hand, you sit down at your desk.

You’re humming that catchy tune from the Lego Movie: “everything is awesome, everything is cool, when you’re part of a team.”

You power up your laptop. 

Connect to your company’s network. 

Launch email. 

You stop humming. 

A red flag message from the vulnerability team.

“This can’t be good,” you think to yourself.

You suck in your breath and open the email.

“Hey Peggy, I was running the quarterly scan of the in-scope VLAN and discovered a bunch of new servers…”

The coffee you drank goes sour in your stomach.

If I had a dollar for every time I received an email like that, I’d be rich. Especially when I was just starting out as a PCI ISA. 

Changing the culture of the wild wild west, where anything goes and nobody cares about securing payment card data, is a gargantuan and arduous task. It shows up as:

  • hosting adding new servers into production without the hardening PCI DSS requires, 
  • application developers pushing new code for billing apps into production without following secure coding procedures, and 
  • IT security leaving the keys to the kingdom unguarded with any-any (any source, any destination, any service) rules in the firewall policy

PCI DSS Compliance is the big eye roll. People complain. 

  • “It’s too hard.”
  • “We need this change in the billing app yesterday.”
  • “The CIO told me to do it.”

Not gonna lie or sugarcoat this… PCI DSS compliance causes a lot of friction for businesses. 

Especially when businesses don’t understand the basics of good security practices to protect their customers’ payment card data.

If you’re a PCI ISA or PCIP, or PCI DSS compliance just landed in your lap, your primary responsibility is to ensure your company has the right security controls in place to meet the hundreds of requirements in the PCI DSS. 

I know, easier said than done.

IF you’re up to the task, FOCUS on reducing the friction and heartburn the DSS causes. 


👉Keep a full bottle of antacid on your desk or nearby. 

👉Regularly schedule times to chat with Finance, IT Security, GRC, and other teams with PCI DSS responsibilities. 

👉Make time to educate your subject matter experts responsible for 

  • application security
  • network security 
  • change management 
  • asset management 
  • incident response 
  • third party risk management
  • etc., the list goes on and on

👉Start an internal blog or a wiki page that teams can go to for simplification of the PCI DSS, additional help or information. 

👉Better yet – implement a PCI DSS Sustainability (continuous) program. Not sure how? Payment Card Assessments, LLC can teach you. 

Lisa Cressey & Peggy Nolan have a combined 20+ years of PCI DSS wisdom and trial by fire. They know what works and what doesn’t work when it comes to implementing and maintaining PCI DSS continuous compliance.


Join Us November 10 in St. Petersburg, Florida

4 Smart Ways To Stop Overcomplicating PCI Compliance

You can do PCI Compliance the Smart Way or the Hard Way. Which way do you choose?

You know that saying, “objects appear bigger in the rearview mirror,” right?

When it comes to PCI Compliance, satisfying the requirements often looks bigger the more you stare at them. And when you look at the requirements in isolation, they often look next to impossible to implement. Your brain (and my brain) want to overcomplicate what needs to be in place to secure the cardholder data environment.

Maybe you jump immediately to implementing the newest shiny security tool without thinking of how it will impact other in scope systems.

Maybe you leap to more complexity by adding layers of security controls and processes when one solid, repeatable process will do.

Or maybe you bury your head in the sand and sing lalalalalalalalalalala… (honestly, there were days I wish I could’ve done that!)

PCI Compliance doesn’t have to be complicated.

Here are 4 smart ways to stop overcomplicating your PCI Compliance program:
