10 Insider Secrets From a Recovering PCI ISA
Does this sound familiar?
“I feel like a fraud.”
“I have no idea what I’m doing.”
“How do I know if this evidence meets the PCI DSS requirement?”
“I don’t know how to tell a senior director their software development process is neither secure nor PCI DSS compliant.”
Running or being in charge of a PCI Compliance Program feels like you’ve been given the weight of a thousand worlds to carry. You have all of the responsibility and zero authority.
It’s like being stuck in a dinghy in the middle of the Pacific Ocean.
So, how do you get past feeling like a fraud who’s adrift in a vast ocean without any paddles?
I know how overwhelming running a PCI DSS Compliance program is.
That’s why I’m sharing 10 Insider Secrets From a Recovering PCI ISA with you today.
I want to help you feel more confident and less adrift.
1. Experience in IT Security is a MUST
If you want to be a PCI Compliance Program Manager, you need to have at least 5 years of experience in IT security.
This may fly in the face of what you’ve heard or what someone else told you.
If you don’t have the experience, how will you know what to assess?
How will you know if the evidence the firewall system administrator gave you is compliant?
If you don’t have the IT security experience, you run the risk of being bamboozled and ignored, which adds to “imposter syndrome” feelings.
2. Take the Initiative
You need to be a self-starter and take the initiative.
Nobody’s going to tell you what to do or how to manage a PCI Compliance program.
Having a strong inner drive and being self-motivated are winning ingredients for a PCI ISA or PCI Compliance Program Manager.
Your company hired you because no one else knows what to do or how to do it.
3. Have a Strong Backbone
You need to have a backbone. The stronger, the better.
There are people you’ll encounter who will question your ability to interpret the PCI DSS.
They’ll question your experience and your expertise.
You may even be told by a senior director that “you’re not technical enough” to join the conversation.
A solid backbone that’s bolstered with confidence will serve you well when a colleague thinks they know more about PCI DSS Compliance than you do.
4. Savvy Project Management Skills are Critical
A solid project management skill set is a must have when it comes to running an effective and efficient PCI Compliance Program.
Knowing how to plan, manage, and execute the hundreds of tasks associated with running a successful PCI Compliance program is invaluable.
Without this critical skill set, you run the risk of having a never-ending Report on Compliance.
5. Communicate, Communicate, Communicate
I can’t stress this skill set enough.
You need to be able to communicate 360°.
That means you need to know how to communicate to system administrators, pen testers, application developers, QSAs, senior leadership, and everyone on the C-Level team.
To learn more about effective communication and leadership, I highly recommend John Maxwell’s book, The 360° Leader.
6. Cultivate a Culture of Teamwork
You can’t go it alone.
You need allies.
You need influencers within your organization.
You need a C-suite champion.
You need to cultivate a culture of “teamwork makes the PCI dream work.”
7. Integrity Matters
Run your PCI Compliance program with integrity.
Be impeccable with your word – written and spoken.
You will run into people who want you to make a PCI Compliance failure “disappear.”
You’ll have QSAs and system administrators quit in the middle of a Report on Compliance.
System administrators will lie to you. Harsh, but true.
Managers and senior directors will push back when you mark their controls as “not in place.”
Integrity will help you sleep like a baby at night.
8. Don't Make PCI Personal
Don’t take anything anyone says or does personally.
Unfortunately, you’re not going to be the most favorite person at your company.
PCI Compliance is often a thankless job. It’s a hard and stressful position.
It’s a daily practice to not take what your colleagues think, say, and do about PCI Compliance personally.
It’s not about you. It’s about PCI Compliance.
9. Trust But Verify
This is probably my favorite secret –
Trust but verify.
Don’t make assumptions.
Remember – to assume is to make an ass out of you and me.
When I first started as a PCI ISA in 2012, the biggest mistake I made was assuming that what people were telling me was true and real.
Rather than continue making assumptions (watching the QSA fail security controls right and left), I had to get comfortable asking questions.
You do, too.
Ask questions from a standpoint of curiosity rather than confrontation.
People love to hear themselves talk so…
“Can you tell me more about that process?”
“Can you tell me more about how that technology works?”
“Can you tell me why that server is in the cardholder data environment?”
“Can you show me how the account data is masked?”
When in doubt, ask questions. And don’t be afraid to ask the same question in different ways.
10. Do Your Best
Always do your best.
No more. No less.
When you do your best, you’ll be less stressed and you’ll sleep better at night.
This big little secret is critical for when you need to make the hard calls.
In 2019 I stopped a Report on Compliance.
It was one of the hardest calls I had to make in my 10 years as a PCI ISA.
Not only did my decision ruffle feathers and cause my CISO to explain things to the CIO and CEO, but it also irritated our QSA.
After all, when I halted the Report on Compliance, I halted the QSA’s billable hours.
Even with all the ruffled feathers, I knew I was doing the right thing.
Before I formally announced stopping the Report on Compliance, I put a rock solid plan together.
This plan included:
- what the blocker was and why the RoC had to stop
- the remediation effort that needed to be completed and its project plan
- a communication plan for the acquirer
- a completed “Prioritized Approach Document” that needed to be submitted to the acquirer
- a slide deck for the CISO to share with other C-level executives
Then I took a deep breath and pulled the plug.
When you always do your best, even when it’s the hard call, you won’t have that anxiety that keeps you awake in the middle of the night.
Which Secret Will You Adopt and Apply to Your PCI Compliance Program?
Hopefully, you’ll adopt all of them.
As an ISA, I kept my IT security & project management skill set current.
As a lifelong learner, I read a lot of business and leadership related books. John Maxwell is one of my favorite authors in this space.
If the last 4 secrets sound familiar, that’s because they come from one of my all-time favorite books, The Four Agreements by Don Miguel Ruiz.
If you don’t own a copy of this book, I highly recommend that you add it to your personal library. I’ve had it in my library since 2002.
There you have it. How to Win at PCI Compliance: 10 Insider Secrets From an Ex-PCI ISA. Drop a comment and let me know which secret you’ll be adopting this week!
Want to Dive Deeper Into PCI Compliance?
If you’re looking to dive deeper into what it takes to implement a world class PCI DSS Compliance program, subscribe to our PCI Resource Center today.