I remember when I was working as an IT Security Project Manager responsible for the implementation of 10 different security projects for the new cardholder data at a Fortune 100 Company. They had a job posting for a PCI Compliance Program Manager and I thought, why not?
The job description looked easy enough. In fact, I flipped my resume over on a whim during lunch on a Friday. Got called by the internal recruiter within 20 minutes and was interviewed on Monday and hired by Wednesday.
I had no idea what was really in store for me. Nobody did.
Because nobody I interviewed with understood HOW to run a successful PCI DSS Compliance program for a level 1 merchant.
I’ve got over 10 years of experience running a PCI Compliance Program under my belt. That’s over 20,000 hours of living and breathing PCI Monday – Friday and sometimes on weekends and holidays and even on vacation.
I’ve got 10 critical responsibilities a great PCI ISA must shoulder to run a world class PCI DSS Compliance program.
Let’s dive in.
As a PCI ISA, you manage every aspect of the PCI Report on Compliance
You must have killer project management skills.
From scope assessment to lessons learned and every single point in between, your mission, if you accept it, is to plan, organize, and deliver the annual Report on Compliance on time and on budget.
You’ve got to be super cool with nagging system administrators. Some might even call this part of your responsibilities babysitting adults.
Not everyone cares about PCI Compliance the way you do.
The clearer you are about what you need from every team that has a PCI Compliance responsibility, the better the evidence will be, and the more likely it will be delivered on time.
As a PCI ISA you'll be responsible for scheduling all the interviews and real time observations
A smart PCI ISA will use a consolidated interview and observation schedule. There’s no reason a QSA needs to interview the firewall administrator 10 times.
Now, if you know that you’ve got system administrators who are new to PCI or get nervous being interviewed, the best thing you can do is to schedule mock interviews and get your sys admins prepared before they sit with the QSA.
You'll assess evidence BEFORE assigning it to the QSA
This is where experience and a background in IT Security come into play.
You need to know enough IT Security stuff (very technical term here) to assess the evidence.
You need to reject evidence that won’t pass the QSA’s assessment.
Don’t waste your time sending the QSA evidence you know will fail. Send it back to the system administrator with clear instructions on what they need to provide.
Yes. YOU have the power to reject evidence and mark controls “not in place.”
Assigns evidence to the QSA for their assessment
That’s right. You tee up the evidence for the QSA to assess.
Don’t wait for the QSA to send you a disjointed list of things they need to assess from you.
With Polaris PCA, you can easily assign tasks to your System Administrators and assign tasks to your QSA to assess evidence.
It’s a beautiful thing.
Communicates status of RoC during weekly PCI stakeholder meetings that you lead
You’re in charge of leading, running, and managing the communications of the PCI Compliance program.
You can’t be afraid to be in the hot seat.
Communicate clearly and concisely so everyone from the top down understands the state of your PCI Compliance program.
Influences C-level leadership and teams with PCI DSS responsibilities
A GREAT PCI ISA will master the art of communication and influencing.
You’ll spend a lot of your time influencing designs, influencing compliance remediation, influencing compliance strategy, etc.
Getting everyone involved with the success of your organization’s PCI Compliance program is not for the faint of heart.
Get great at this and you’ll see how much smoother your next assessment goes.
Leads PCI remediation activities
I bet you didn’t see this one coming.
Yes, you will be in charge of leading remediation efforts.
This is another responsibility where your kick ass project management skills come into play.
Must review all business and technical projects that impact the security of the cardholder data environment
It’s so much better to be in the know than to have someone tell you six months after the fact that your company outsourced call center activities to two new third party service providers.
Cultivate allies in other departments and teams.
Grow your own reliable grapevine.
Don’t make assumptions.
There’s nothing worse than backing into PCI DSS Compliance.
Trust me. It sucks.
You need to know as much if not more than your QSA
You need to be able to prove that you and your organization have done the due diligence to have a defensible position.
You can’t be scared to have hard conversations with your QSA (and your acquirer for that matter).
Sometimes you’ll find yourself training junior QSAs who are brought on to help assess for your Report on Compliance.
It’s okay to be helpful.
And it’s okay to push back and tell the lead QSA that it’s not your responsibility to train their QSAs.
Bonus: Must have ESP and strong telepathic abilities to know about changes to the CDE before they happen
A magic wand, pixie dust, and perhaps a crystal ball are required of all great PCI ISAs.
Change happens. And you need to know about it before it’s thought of…or at the very least, before the change takes place.