How to Stop PCI DSS Control Failures Without Losing Your Cool

Hot coffee in hand, you sit down at your desk.

You’re humming that catchy tune from the Lego Movie, 

“everything is awesome 

everything is cool 

when you’re part of a team.” 

You power up your laptop. 

Connect to your company’s network. 

Launch email. 

You stop humming. 

A red flag message from the vulnerability team.

“This can’t be good,” you think to yourself.

You suck in your breath and open the email.

“Hey Peggy, I was running the quarterly scan of the in scope vLAN and discovered a bunch of new servers…”

The coffee you drank goes sour in your stomach.

If I had a dollar for every time I received an email like that, I’d be rich. Especially when I was just starting out as a PCI ISA. 

Changing the culture of the wild wild west where anything goes and who cares about security payment card data is a gargantuan and arduous task.

  • hosting adding new servers into production without the hardening PCI DSS required, 
  • application developers pushing new code for billing apps into production without following secure coding procedures, and 
  • IT security leaving the keys to the kingdom unguarded with any-any rules in the firewall policy

PCI DSS Compliance is the big eye roll. People complain. 

  • “It’s too hard.”
  • “We need this change in the billing app yesterday.”
  • “The CIO told me to do it.”

Not gonna lie or sugar coat this…PCI DSS compliance causes a lot of friction for businesses. 

Especially when businesses don’t understand the basics of good security practices to protect their customers’ payment card data.

If you’re a PCI ISA, PCIP, or PCI DSS Compliance just landed in your lap, your primary responsibility is to ensure your company has the right security controls in place to meet the hundreds of requirements in the PCI DSS. 

I know, easier said than done.

IF you’re up to the task, FOCUS on reducing the friction and heartburn the DSS causes. 


👉Keep a full bottle of antacid on your desk or nearby. 

👉Regularly schedule times to chat with Finance, IT Security, GRC, and other teams with PCI DSS responsibilities. 

👉Make time to educate your subject matter experts responsible for 

  • application security
  • network security 
  • change management 
  • asset management 
  • incident response 
  • third party risk management
  • etc., the list goes on and on

👉Start an internal blog or a wiki page that teams can go to for simplification of the PCI DSS, additional help or information. 

👉Better yet – implement a PCI DSS Sustainability (continuous) program. Not sure how? Payment Card Assessments, LLC can teach you. 

Lisa Cressey & Peggy Nolan have a combined 20+ years of PCI DSS wisdom and trial by fire. They know what works and what doesn’t work when it comes to implementing and maintaining PCI DSS continuous compliance.


Join Us November 10 in St. Petersburg, Florida

Firewalls and Routers: How to Take Control of Unruly Firewall Rules, Configurations and Network Connections

Best Practice: Developers and system administrators request changes to firewall rule sets all the time. Whether it’s to do work on system components or test system components, these changes can make a mess out of your rule sets. It’s so easy for someone to unintentionally request an “any” rule which is prohibited in the cardholder data environment. Our best advice is to insert your ISA or someone on the compliance team into the firewall rule change review.

Leave a Reply

Your email address will not be published. Required fields are marked *

This field is required.

This field is required.