Have you almost quit your PCI Compliance job after submitting your organization’s Report on Compliance?
Don’t be shy. It’s okay if you walked away.
I almost quit I submitted the first PCI Report on Compliance I ever worked on.
December 21, 2012 a day that still dredges up heartburn.
But…
I didn’t quit.
I didn’t walk away.
Instead, I saw the opportunity to build a world class PCI DSS Compliance program.
I remember when I was working as an IT Security Project Manager responsible for the implementation of 10 different security projects for the new. cardholder data at a Fortune 100 Company. They had a job posting for a PCI Compliance Program Manager and I thought, why not?
The job description looked easy enough. In fact, I flipped my resume over on a whim during lunch on a Friday. Got called by the internal recruiter within 20 minutes and was interviewed on Monday and hired by Wednesday.
I had no idea what was really in store for me. Nobody did.
Because nobody I interviewed with understood HOW to run a successful PCI DSS Compliance program for a level 1 merchant.
If PCI Compliance were easy, every organization would be doing it, right?
But it’s not.
The sad statistic from the most recent Verizon Payment Security Report is that 57% of all merchants fail to sustain PCI DSS Compliance.
Why?
There are so many reasons. Where do we start?
Let’s start with the 5 PCI Compliance headaches everyone can live without.
You can do PCI Compliance the Smart Way or the Hard Way. Which way do you choose?
You know that saying, “objects appear bigger in the rearview mirror,” right?
When it comes to PCI Compliance, satisfying the requirements often looks bigger the more you stare at them. And when you look at the requirements in isolation, they often look next to impossible to implement. Your brain (and my brain) want to over complicate what needs to be in place to secure the cardholder data environment.
Maybe you jump immediately to implementing the newest shiny security tool without thinking of how it will impact other in scope systems.
Maybe you leap to more complexity by adding layers of security controls and processes when one solid, repeatable process will do.
Or maybe you bury your head in the sand and sing lalalalalalalalalalala….(honestly, there were days I wish I could’ve done that!)
PCI Compliance doesn’t have to be complicated.
Here’s 4 smart ways to stop overcomplicating your PCI Compliance program:
Wait a second.
There’s a painless way to complete a PCI Report on Compliance?
You’ve got to be kidding me.
I’m not kidding you.
Ready? Keep reading!
I wish I had had the PCI workshops and resources that included easy to follow directions and targeted training back in 2012.
If you’re not already managing your scope for PCI DSS v3.2.1, you’ll be in for a rude awakening with the requirements in PCI DSS v4.0 that need to be in place by March 31, 2024.
The founders of Payment Card Assessments know all to well what it’s like to receive a scan report with over 2,000 configuration failures, a standards team that didn’t communicate changes to the scanning team, and an implementation team that had no idea what they were supposed to do to an in-scope asset before it went into production.
