Friday, December 13, 2019
Corporate Compliance Insights

PCI DSS Compliance Should not Be a Check-the-Box Fire Drill

by Steven Grossman
May 24, 2016
in Compliance
Improper PCI DSS compliance practices could leave your organization exposed to cyber risk

Let’s be honest: PCI DSS compliance is viewed as a pain in the neck.  It is seen by management in many companies as a big fire drill to check the compliance box, but without real business value.  They see the scramble to test, remediate and report to achieve compliance, but they often cannot connect it to improvements in their actual security posture.  The lack of perceived value is the result of the prevalent “compliant but not secure” mode of operation.

The fire drill typically includes the following scenario: A large company with tens or hundreds of legacy systems, some of which store its most valuable information, is tasked with complying with PCI DSS requirements and validating compliance in quarterly tests and annual audits. The systems are siloed, owned by different line-of-business and application owners, sometimes with their own IT and security experts.  Each application and associated infrastructure needs to be tested, scanned or otherwise validated to be in compliance.  To minimize potentially negative impact on business critical applications, testing and scanning needs to be coordinated and scheduled with application owners.  Results need to be communicated to those same owners and coordinated with IT administrators to apply the fix.  After the fix is finally applied, the scans and tests need to be repeated to verify the exposure no longer exists.  All of this information exchanging hands starts out in vulnerability scanning and governance, risk management and compliance tools, but most often ends up in spreadsheets and emails.  Multiply those spreadsheets and emails by the number of components and stakeholders, and it is easy to see why the process overtakes the intended objective of cardholder data protection.

Meeting compliance requirements only on a quarterly and annual basis is like a CFO only reviewing and communicating financial numbers when formal reporting is required.  In reality, CFOs watch their numbers carefully every day and communicate department-specific numbers to business managers so they can manage their piece of the corporate pie.  As a result, when quarterly and annual financial reporting is required, it is a simple task to compile the data because it’s managed closely every day by every level of the organization.

A lot of ink has been spilled during the last decade talking about the concept of continuous compliance.  Taking a step back, it’s really about continuous protection, which – if done well – results in seamless compliance.  However, continuous compliance is easier said than done because, as described in the scenario above, it requires a tremendous amount of effort coordinating, assessing, remediating and reporting across potentially tens or hundreds of stakeholders.  It involves a dance between the security team that’s concerned about vulnerability management, business owners who are concerned about their application’s performance and stability and IT administrators who are tasked with patching and fixing.  Everybody is doing their best to get the job done, but the underlying focus ends up being satisfying auditors versus achieving a secure environment.

The best way to ensure that PCI DSS compliance is not a fire drill is to bake its requirements into your business's daily processes and to automate data collection and reporting. Specific cyber risk information should be put into each stakeholder's hands (such as the line-of-business application owners who govern the business's most valuable assets) so they can take prioritized action to minimize cyber risk while fulfilling the PCI requirements that apply to the information they govern. They can then also be held accountable by senior management for monitoring their applications and data, doing their part to protect the organization.

For example, if the PCI DSS requires businesses to implement two-factor authentication, business stakeholders and IT administrators should be provided an automated view on a daily basis into which applications have two-factor authentication implemented, the percentage of users using it, required password resets and other related information so that they know what they need to do to fulfill the requirement by the stated deadline.  As a result, when it comes time to report compliance, it is just a push of a button based on the information they have at their fingertips every day.
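The daily stakeholder view described above, as an added example that is not from the article or from Bay Dynamics: it takes constructed per-application status records (the field names and sample values are assumptions) and produces, for each application owner, a prioritized action list against a compliance deadline plus a one-line summary for the report.

```python
"""Daily two-factor (MFA) compliance view per application owner.
Constructed example; AppStatus fields and sample data are assumptions."""
from dataclasses import dataclass
from datetime import date

@dataclass
class AppStatus:
    app: str
    owner: str
    in_scope: bool       # stores or processes cardholder data (PCI scope)
    mfa_enabled: bool    # MFA implemented on the application at all
    users: int
    users_enrolled: int  # users actually using MFA
    pending_resets: int  # password resets still outstanding

def coverage(a: AppStatus) -> float:
    """Fraction of the application's users enrolled in MFA."""
    return 0.0 if a.users == 0 else a.users_enrolled / a.users

def daily_actions(apps, today: date, deadline: date, target: float = 1.0):
    """Per-owner action items, most urgent first: in-scope apps with no MFA,
    then in-scope apps below the enrollment target, then everything else."""
    days_left = (deadline - today).days
    report = {}
    for a in apps:
        cov = coverage(a)
        if not a.mfa_enabled:
            sev, msg = 0, "MFA not implemented"
        elif cov < target:
            sev, msg = 1, f"MFA enrollment {cov:.0%} below {target:.0%}"
        else:
            sev, msg = 2, "compliant"
        if not a.in_scope:
            sev += 3  # out-of-scope systems sort after in-scope ones
        report.setdefault(a.owner, []).append((sev, a.app, msg, a.pending_resets))
    for items in report.values():
        items.sort()
    return days_left, report

def compliance_summary(apps, target: float = 1.0):
    """(compliant in-scope apps, total in-scope apps) for the status report."""
    scoped = [a for a in apps if a.in_scope]
    ok = [a for a in scoped if a.mfa_enabled and coverage(a) >= target]
    return len(ok), len(scoped)

SAMPLE = [  # constructed sample data, not real systems
    AppStatus("billing", "alice", True, True, 200, 200, 3),
    AppStatus("pos-gateway", "bob", True, False, 50, 0, 0),
    AppStatus("crm", "alice", True, True, 120, 90, 12),
    AppStatus("wiki", "bob", False, True, 300, 150, 0),
]
```

Running `daily_actions(SAMPLE, date(2016, 5, 24), date(2016, 6, 30))` gives each owner a list to work from today, and `compliance_summary(SAMPLE)` is the number the quarterly report needs without any spreadsheet round-trips.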

Achieving PCI DSS compliance does not need to be a fire drill. If businesses treat it as an enabling force to guide the protection of valuable information on a daily basis, they will not need to scramble at the last minute. Compliance will be baked in.



Steven Grossman

Steven Grossman is Vice President of Program Management at Bay Dynamics. Steven has more than 20 years of management consulting and industry experience working with technology, security and business executives. At Bay Dynamics, Steven is responsible for ensuring businesses are successful in achieving their security and risk management goals. Prior to Bay Dynamics, Steven held senior positions at top-tier consultancies such as PwC and EMC, where he architected and managed programs focused on security, risk, business intelligence/big data analytics, enterprise Program Management Offices, corporate legal operations, data privacy, cloud architecture and business continuity planning for global clients in the financial services and health care industries. Steven holds a B.A. in Economics and Computer Science from Queens College and has achieved his CISSP certification.

© 2019 Corporate Compliance Insights