Have you almost quit your PCI Compliance job after submitting your organization’s Report on Compliance?

Don’t be shy. It’s okay if you walked away.

I almost quit after I submitted the first PCI Report on Compliance I ever worked on.

But…

I didn’t quit. 

I didn’t walk away.

Instead, I saw the opportunity to build a world class PCI DSS Compliance program.

Over the course of my 10 years managing a complex continuous PCI Compliance program at a level 1 merchant, I created a laundry list of do’s and don’ts. 

I captured a lot of up front work that must be done *before* you start your PCI Report on Compliance.

Understanding your scope before you begin assessing is critical to the success of your Report on Compliance. That upfront work must be done before you start the RoC.

I don’t believe in reinventing the wheel with every assessment so I created a Report on Compliance Planner as well as a Consolidated Interview and Observation Schedule.

Why? There are so many moving parts during a Report on Compliance. Without

  • repeatable processes
  • clear milestones
  • a communications plan
  • an escalation path
  • a who-does-what directory

All you’ll have is a big ball of goo.

And that’s no fun.

I’m also lazy.

The more efficiently I can work, the more time I have to play word games…I mean work on process improvement.

Together with Lisa Cressey, we automated critical controls so that we could self-collect the evidence and not depend on squirrely system administrators.

We also automated the entire Report on Compliance assessment process.

Yes.

We did.

Why?

Because there were only two of us running a PCI Compliance program at a Fortune 100 Company and Level 1 merchant.

It was nerve-wracking to say the least.

Now…

Keep reading (and watch the video at the end) because I’ve got 5 actionable tips that you can implement today or this week so that you can crush your next PCI Report on Compliance.

And the Report on Compliance next year, and the next, and so on and so on…

1. Begin with the end in mind

In other words, if you don’t know where you’re going how will you know how to get there?

2. Plan the work; work the plan

I was in my master's degree program when I first heard this gem. I was learning project management for software development (eons ago) and this made So. Much. Sense.

This tip goes hand in hand with tip #1.

Once you know where you’re going, plan the work.

Then work the plan.

Adjust the plan as needed. 

3. Complete an end-to-end scope assessment BEFORE you kick off your Report on Compliance

I can’t begin to tell you how much easier your next PCI assessment will be when you have a complete and accurate scope. 

It’s almost mind blowing how much time you’ll save because you won’t be suffering the pains of email hell or chasing things down from the QSA.

In our course, How to Manage Your PCI Scope Without Losing Your Mind, we share our simple 6 step process to continuously manage your scope.

Trust me, you’re going to need this repeatable process for PCI DSS v4.0. 

There are 11 new requirements that depend on an accurate scope of people, processes, and technologies.

4. Don’t just blindly pick a QSA company. Vet them

Picking the right QSA company matters. Your QSA is an integral part of your ability to successfully navigate the level 5 rapids of a Report on Compliance. 

QSAs who assess with integrity are the best.

5. Consolidate the interviews and observations and SAVE at least 100 hours (or 20k) in wasted, mindless, unnecessary churn

Powerful, right?

Want to save even more? Email support@paymentcardassessments.com and let’s schedule a time to chat!

4 Smart Ways To Stop Overcomplicating PCI Compliance

You can do PCI Compliance the Smart Way or the Hard Way. Which way do you choose?

You know that saying, “objects appear bigger in the rearview mirror,” right?

When it comes to PCI Compliance, satisfying the requirements often looks bigger the more you stare at them. And when you look at the requirements in isolation, they often look next to impossible to implement. Your brain (and my brain) want to overcomplicate what needs to be in place to secure the cardholder data environment.

Maybe you jump immediately to implementing the newest shiny security tool without thinking of how it will impact other in scope systems.

Maybe you leap to more complexity by adding layers of security controls and processes when one solid, repeatable process will do.

Or maybe you bury your head in the sand and sing lalalalalalalalalalala….(honestly, there were days I wish I could’ve done that!)

PCI Compliance doesn’t have to be complicated.

Here are 4 smart ways to stop overcomplicating your PCI Compliance program:

Firewalls and Routers: How to Take Control of Unruly Firewall Rules, Configurations and Network Connections

Best Practice: Developers and system administrators request changes to firewall rule sets all the time, whether to do work on system components or to test them, and these changes can make a mess out of your rule sets. It's easy for someone to unintentionally request an "any" rule, which is prohibited in the cardholder data environment. Our best advice is to insert your ISA (Internal Security Assessor) or someone on the compliance team into the firewall rule change review.
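As an added example (not from this post or the authors' course material), here is a small Python pre-approval check a compliance reviewer could run over a batch of proposed firewall rule changes: it flags allow rules that use "any" for source, destination or service and that could reach the cardholder data environment, so those tickets get routed to the ISA instead of being approved on autopilot. The zone label "cde", the Rule fields and the CHG-* ticket ids are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Assumed zone label for the cardholder data environment (constructed for this example).
CDE_ZONES = {"cde"}

@dataclass(frozen=True)
class Rule:
    change_id: str  # change ticket that requested the rule (constructed ids below)
    src: str        # source zone, or "any"
    dst: str        # destination zone, or "any"
    service: str    # protocol/port such as "tcp/443", or "any"
    action: str     # "allow" or "deny"

def can_reach_cde(rule: Rule) -> bool:
    """An 'any' source or destination could include CDE hosts, so treat it as reaching the CDE."""
    return any(z in CDE_ZONES or z == "any" for z in (rule.src.lower(), rule.dst.lower()))

def review_rule(rule: Rule) -> list[str]:
    """Return the reasons a proposed rule must go to the ISA / compliance reviewer.
    Only allow rules that can reach the CDE are in scope; deny rules are never flagged."""
    if rule.action.lower() != "allow" or not can_reach_cde(rule):
        return []
    return [
        f"{rule.change_id}: '{field}' is 'any' on a rule that can reach the CDE"
        for field in ("src", "dst", "service")
        if getattr(rule, field).lower() == "any"
    ]

def review_changes(rules: list[Rule]) -> dict[str, list[str]]:
    """Map change id -> findings, keeping only the changes that need compliance review."""
    return {r.change_id: f for r in rules if (f := review_rule(r))}

# Constructed sample of one week's proposed rule changes (not real rules).
SAMPLE_RULES = [
    Rule("CHG-1001", "corp-admin", "cde", "tcp/22", "allow"),   # specific: fine
    Rule("CHG-1002", "any", "cde", "tcp/443", "allow"),         # any source into the CDE
    Rule("CHG-1003", "dev", "cde", "any", "allow"),             # any service into the CDE
    Rule("CHG-1004", "cde", "any", "any", "allow"),             # CDE egress wide open
    Rule("CHG-1005", "any", "any", "any", "deny"),              # default deny: fine
    Rule("CHG-1006", "dev", "dmz", "any", "allow"),             # sloppy, but outside the CDE
]

if __name__ == "__main__":
    for change_id, findings in review_changes(SAMPLE_RULES).items():
        print(change_id, "-> needs ISA review:", "; ".join(findings))
```

Run against the constructed sample, only CHG-1002, CHG-1003 and CHG-1004 are held for review; the out-of-scope "any" service in CHG-1006 is deliberately not a CDE finding, which is the kind of scope boundary the reviewer still has to know.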
