Maintaining PCI DSS Compliance is a multi-team effort. And it starts with knowing what’s in scope for assessment. Your network and cardholder data flow diagrams are the heart and soul of your continuous PCI DSS Compliance program.
There’s nothing worse than finding out 36 servers stopped logging over 90 days ago.
True story. That happened in 2016.
The wasn’t enough chocolate chip cookies to make up for the painful conversations I had to have with everyone involved in the snafu.
Free master class, “How to Win at PCI Compliance” is now available!
10 Insider Secrets From a Recovering PCI ISA
Does this sound familiar?
“I feel like a fraud.”
“I have no idea what I’m doing.”
“How do I know if this evidence meets the PCI DSS requirement?”
“I don’t know how to tell a senior director their software development process is neither secure nor PCI DSS compliant.”
Running or being in charge of a PCI Compliance Program feels like you’ve been given the weight of a thousand worlds to carry.
You have all of the responsibility and zero authority.
It’s like being stuck in a dingy in the middle of the Pacific Ocean.
So, how do you get past feeling like a fraud who’s adrift in a vast ocean without any paddles?
I know how overwhelming running a PCI DSS Compliance program is.
That’s why I’m sharing How to Win At PCI Compliance: 10 Insider Secrets From an Ex PCI ISA with you today.
I want help you feel more confident and less adrift.
Keep Reading!
Don’t Start Your 2023 PCI Report on Compliance Without Doing These 10 Essential Tasks FIRST:
The end of the first quarter is quickly approaching. It’s time to get your PCI Compliance house in order.
Because nobody wants to be the next Landry’s and have a $20M fine upheld by federal court.
1. You have a copy of the signed Statement of Work with your QSA
Make sure you have this statement of work at your fingertips throughout your assessment period. This agreement protects you and your QSA for work that is contractually agreed upon.
2. Complete an end-to-end PCI Scope Assessment
The success of your PCI Report on Compliance hinges upon an accurate PCI Scope Assessment.
Your scope assessment includes the who, what, where, when, why, and how of your cardholder data environment and anything or anybody that connects to your cardholder data environment.
Have you almost quit your PCI Compliance job after submitting your organization’s Report on Compliance?
Don’t be shy. It’s okay if you walked away.
I almost quit I submitted the first PCI Report on Compliance I ever worked on.
December 21, 2012 a day that still dredges up heartburn.
But…
I didn’t quit.
I didn’t walk away.
Instead, I saw the opportunity to build a world class PCI DSS Compliance program.
I remember when I was working as an IT Security Project Manager responsible for the implementation of 10 different security projects for the new. cardholder data at a Fortune 100 Company. They had a job posting for a PCI Compliance Program Manager and I thought, why not?
The job description looked easy enough. In fact, I flipped my resume over on a whim during lunch on a Friday. Got called by the internal recruiter within 20 minutes and was interviewed on Monday and hired by Wednesday.
I had no idea what was really in store for me. Nobody did.
Because nobody I interviewed with understood HOW to run a successful PCI DSS Compliance program for a level 1 merchant.
If PCI Compliance were easy, every organization would be doing it, right?
But it’s not.
The sad statistic from the most recent Verizon Payment Security Report is that 57% of all merchants fail to sustain PCI DSS Compliance.
Why?
There are so many reasons. Where do we start?
Let’s start with the 5 PCI Compliance headaches everyone can live without.
You can do PCI Compliance the Smart Way or the Hard Way. Which way do you choose?
You know that saying, “objects appear bigger in the rearview mirror,” right?
When it comes to PCI Compliance, satisfying the requirements often looks bigger the more you stare at them. And when you look at the requirements in isolation, they often look next to impossible to implement. Your brain (and my brain) want to over complicate what needs to be in place to secure the cardholder data environment.
Maybe you jump immediately to implementing the newest shiny security tool without thinking of how it will impact other in scope systems.
Maybe you leap to more complexity by adding layers of security controls and processes when one solid, repeatable process will do.
Or maybe you bury your head in the sand and sing lalalalalalalalalalala….(honestly, there were days I wish I could’ve done that!)
PCI Compliance doesn’t have to be complicated.
Here’s 4 smart ways to stop overcomplicating your PCI Compliance program: