While the Federal Trade Commission (FTC) is stepping in to gain a better understanding of the state of PCI DSS assessments, it’s a good time to evaluate your own assessment quality and compliance policies.
As discussed in last week’s blog, it’s very rare to see a company “score” 100% on a PCI compliance assessment. This can be for a myriad of reasons - a shift in staff, a new technology, a change in the threat landscape, etc. The bottom line is that nobody is perfect and there’s always room for improvement. In that spirit of improvement, I’ve outlined five ways you can increase your own assessment quality and compliance program.
- No more fly-bys: Be selective about who you hire as your QSA. The days of using a QSA who barely interacts with you need to stop. PCI assessments can only be automated to a certain extent. If you barely know your QSA, then there may be a problem.
- Get scoping right: This is the most difficult element of the PCI DSS – not only for the assessed entity to define the scope, but for the QSA to properly assess the scope. Do not take this exercise lightly. Get the scoping right and work with your QSA to make sure that nothing is overlooked.
- There is no substitute for experience: I’ve been conducting PCI assessments and mentoring QSAs for almost 12 years. The learning curve to become a proficient QSA is six months (if they are already experienced) to two years. You should not settle for inexperienced QSAs delivering your PCI assessment (the newbies should be relegated to second-seating tasks to gain their experience). Insist on experience.
- Transparency: Your PCI assessment is just that – it’s an assessment, not an audit. The purpose of a PCI assessment is, hopefully, to prevent the audit that would take place if there were a perceived breach (maybe that was what inspired the FTC to become involved). Be transparent with your QSA from the beginning. There are only so many hours available to conduct a PCI assessment (they DO cost money, after all) and occasionally companies sweep known issues under the carpet (the “don’t ask, don’t tell” M.O.). This can burn you later if the overlooked issues contribute to a breach, so share as much information as possible!
- It’s about the journey, not the destination: Our favorite mantra is that “PCI compliance is a by-product of a robust security and governance program”. PCI compliance is one part of the story, and it is influenced by the health of your entire security and governance program – daily time and attention on the program only benefit your PCI compliance!
While these five considerations may not ensure that you achieve/maintain PCI compliance, they will undoubtedly help ensure that your PCI assessment is more effective (and hopefully less painful!).