10 Insider Secrets From a Recovering PCI ISA

Does this sound familiar?

“I feel like a fraud.”

“I have no idea what I’m doing.”

“How do I know if this evidence meets the PCI DSS requirement?”

“I don’t know how to tell a senior director their software development process is neither secure nor PCI DSS compliant.”

Running or being in charge of a PCI Compliance Program feels like you’ve been given the weight of a thousand worlds to carry. You have all of the responsibility and zero authority.

It’s like being stuck in a dinghy in the middle of the Pacific Ocean.

So, how do you get past feeling like a fraud who’s adrift in a vast ocean without any paddles?

I know how overwhelming running a PCI DSS Compliance program is. 

That’s why I’m sharing 10 Insider Secrets From a Recovering PCI ISA with you today.

I want to help you feel more confident and less adrift.

1. Experience in IT Security is a MUST

If you want to be a PCI Compliance Program Manager, you need to have at least 5 years of experience in IT security. 

This may fly in the face of what you’ve heard or what someone else told you. 

If you don’t have the experience, how will you know what to assess? 

How will you know if the evidence the firewall system administrator gave you is compliant?

If you don’t have the IT security experience, you run the risk of being bamboozled and ignored, which adds to “imposter syndrome” feelings.

2. Take the Initiative

You need to be a self-starter and take the initiative.

Nobody’s going to tell you what to do or how to manage a PCI Compliance program.

Having a strong inner drive and being self-motivated are winning ingredients for a PCI ISA or PCI Compliance Program Manager.

Your company hired you because no one else knows what to do or how to do it.

3. Have a Strong Backbone

You need to have a backbone. The stronger, the better.

There are people you’ll encounter who will question your ability to interpret the PCI DSS.

They’ll question your experience and your expertise.

You may even be told by a senior director that “you’re not technical enough” to join the conversation.

A solid backbone that’s bolstered with confidence will serve you well when a colleague thinks they know more about PCI DSS Compliance than you do.

4. Savvy Project Management Skills are Critical

A solid project management skill set is a must-have when it comes to running an effective and efficient PCI Compliance Program.

Knowing how to plan, manage, and execute the hundreds of tasks associated with running a successful PCI Compliance program is invaluable.

Without this critical skill set, you run the risk of having a never-ending Report on Compliance.

5. Communicate, Communicate, Communicate

I can’t stress this skill set enough.

You need to be able to communicate 360°.

That means you need to know how to communicate to system administrators, pen testers, application developers, QSAs, senior leadership, and everyone on the C-Level team.

To learn more about effective communication and leadership, I highly recommend John Maxwell’s book, The 360° Leader.

6. Cultivate a Culture of Teamwork

You can’t go it alone. 

You need allies.

You need influencers within your organization.

You need a C-suite champion.

You need to cultivate a culture of “team work makes the PCI dream work.”

7. Integrity Matters

Run your PCI Compliance program with integrity. 

Be impeccable with your word – written and spoken.

You will run into people who want you to make a PCI Compliance failure “disappear.”

You’ll have QSAs and system administrators quit in the middle of a Report on Compliance.

System administrators will lie to you. Harsh, but true.

Managers and senior directors will push back when you mark their controls as “not in place.”

Integrity will help you sleep like a baby at night.

8. Don't Make PCI Personal

Don’t take anything anyone says or does personally.

Unfortunately, you’re not going to be everyone’s favorite person at your company.

PCI Compliance is often a thankless job. It’s a hard and stressful position.

It’s a daily practice to not take what your colleagues think, say, and do about PCI Compliance personally. 

It’s not about you. It’s about PCI Compliance. 


9. Trust But Verify

This is probably my favorite secret – 

Trust but verify.

Don’t make assumptions.

Remember – to assume is to make an ass out of you and me.

When I first started as a PCI ISA in 2012, the biggest mistake I made was assuming that what people were telling me was true and real.

Rather than continue making assumptions (and watching the QSA fail security controls right and left), I had to get comfortable asking questions.

You do, too. 

Ask questions from a standpoint of curiosity rather than confrontation.

People love to hear themselves talk so…

“Can you tell me more about that process?”

“Can you tell me more about how that technology works?”

“Can you tell me why that server is in the cardholder data environment?”

“Can you show me how the account data is masked?”

When in doubt, ask questions. And don’t be afraid to ask the same question in different ways.

10. Do Your Best

Always do your best.

No more. No less.

When you do your best, you’ll be less stressed and you’ll sleep better at night.

This big little secret is critical for when you need to make the hard calls.

In 2019 I stopped a Report on Compliance. 

It was one of the hardest calls I had to make in my 10 years as a PCI ISA. 

Not only did my decision ruffle feathers and cause my CISO to explain things to the CIO and CEO, but it also irritated our QSA.

After all, when I halted the Report on Compliance, I halted the QSA’s billable hours. 

Even with all the ruffled feathers, I knew I was doing the right thing. 

Before I formally announced stopping the Report on Compliance, I put a rock solid plan together. 

This plan included:

  • what the blocker was and why the RoC had to stop
  • the remediation effort that needed to be completed and its project plan
  • a communication plan for the acquirer
  • a completed “Prioritized Approach Document” that needed to be submitted to the acquirer
  • a slide deck for the CISO to share with other C-level executives

Then I took a deep breath and pulled the plug.

When you always do your best, even when it’s the hard call, you won’t have that anxiety that keeps you awake in the middle of the night.

Which Secret Will You Adopt and Apply to Your PCI Compliance Program?

Hopefully, you’ll adopt all of them. 

As an ISA, I kept my IT security & project management skill set current.

As a lifelong learner, I read a lot of business and leadership related books. John Maxwell is one of my favorite authors in this space.

If the last 4 secrets sound familiar, that’s because they come from one of my all-time favorite books, The Four Agreements by Don Miguel Ruiz.

If you don’t own a copy of this book, I highly recommend that you add it to your personal library. I’ve had it in my library since 2002. 

There you have it. How to Win at PCI Compliance: 10 Insider Secrets From an Ex-PCI ISA. Drop a comment and let me know which secret you’ll be adopting this week!

Want to Dive Deeper Into PCI Compliance?

If you’re looking to dive deeper into what it takes to implement a world class PCI DSS Compliance program, subscribe to our PCI Resource Center today.


2 Replies to “10 Insider Secrets From a Recovering PCI ISA”

  1. Jovalle Dizard 11 months ago

    This article was a great read. From a confidence standpoint of knowing your role, having the knowledge of PCI and implementing changes. Also having a great team with solid communication, which working within a group is one of my whys for my journey to become an ISA. And I also am a fan of The Four Agreements, one of my best reads. Thank you for sharing your knowledge and years of experience.

    1. Peggy Nolan 11 months ago

      Thank you Jovalle. I’m glad you found the article helpful!
