How easy is it to become PCI DSS Compliant?

Posted December 2, 2010, 10:40 pm by Chris Noell


As part of my daily ritual, I search security news for interesting articles to see how other organizations are approaching compliance and risk management.  I stumbled upon this article from ITnew.com.au – How Woolworths made IT risk a business issue – and there was a quote that stuck out:

"It's easy to become [PCI DSS] compliant, but it's really hard to maintain compliance," [Peter Cooper, Woolworths’ risk manager] noted. "You see regularly companies that have PCI breaches; it's the sustainability that's really important."

I think this is partially true. I disagree that becoming PCI compliant is easy. Becoming PCI DSS compliant is only easy if you designed your payments infrastructure to be PCI compliant from the beginning. When this is not the case, becoming PCI compliant is typically a twelve- to eighteen-month odyssey. However, I absolutely agree that sustainability is what’s really important, and in my experience this is where most organizations are lacking. Sustainability requires two things: operational discipline and process automation. Without a commitment to operational discipline, you can forget about maintaining PCI compliance – your compliance status will look like a sine wave with a peak during your annual audit cycle. Process automation makes operational discipline much easier to impose, making “it’s really hard to maintain compliance” less of an issue.

Here are recommended high-level steps for organizations seeking to become compliant.

First, you need to choose an authoritative data source, like the Unified Compliance Framework (UCF), as a starting point to identify all of the regulations which could apply to your organization.  There are solutions out there that provide access to the UCF as part of their offerings, such as ANX Compliance Solutions.

Then, you’ll want to identify applicable regulations. Sometimes organizations find that PCI isn’t the only regulation they need to comply with; state privacy laws, for example, may also apply. If PCI is the only regulation you do need to comply with, there are solutions that address PCI only, such as TruPCI.

Once you understand which regulatory standards apply to your organization, you need to establish a comprehensive common control framework.  This process consists of translating applicable regulations into a common, harmonized set of controls.

Then, you go into maintenance mode. The required operational tasks need to be identified, assigned, and monitored to ensure they are performed throughout the year. Combine regular performance with evidence collection and you have a self-documenting process. Finally, as regulations and their interpretation evolve over time, compliance today may not be acceptable tomorrow, so you need to monitor external and internal changes. Solutions like TruComply and TruPCI can help automate external compliance monitoring and update your control framework, ultimately simplifying the maintenance of your compliance program.
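To make the common-control-framework and maintenance-mode steps concrete, here is an added example (my own illustration, not code from this post or from any of the products it names). It models a handful of harmonized controls, each mapped to the regulatory requirements it satisfies, plus dated evidence records, and then answers the two questions a sustained program has to answer all year: which applicable requirements have no control behind them, and which controls have evidence older than their required frequency as of a given date. The control identifiers, requirement labels (including the "EXAMPLE-PRIVACY-LAW" sections), frequencies and evidence files are constructed sample values, not an official PCI DSS mapping.

```python
"""Toy continuous-compliance tracker: harmonized controls, evidence freshness, gap analysis.
Added illustration; all control/requirement/evidence values below are constructed samples."""
from dataclasses import dataclass
from datetime import date
from typing import Iterable


@dataclass(frozen=True)
class Control:
    """One harmonized control. 'satisfies' lists every regulatory requirement it addresses,
    so a single piece of evidence can cover several regulations at once."""
    control_id: str
    description: str
    frequency_days: int          # maximum acceptable age of the latest evidence
    satisfies: tuple[str, ...]


@dataclass(frozen=True)
class Evidence:
    control_id: str
    collected_on: date
    artifact: str                # e.g. a scan report filename (constructed)


# Constructed sample framework: illustrative mapping only, not an authoritative one.
CONTROLS = (
    Control("CC-01", "Vulnerability scan of in-scope systems", 90, ("PCI DSS Req 11",)),
    Control("CC-02", "Review of audit logs", 7, ("PCI DSS Req 10", "EXAMPLE-PRIVACY-LAW s.4")),
    Control("CC-03", "Security policy review and sign-off", 365, ("PCI DSS Req 12", "EXAMPLE-PRIVACY-LAW s.3")),
)

# Requirements identified as applicable in the earlier step (constructed list).
APPLICABLE_REQUIREMENTS = (
    "PCI DSS Req 6", "PCI DSS Req 10", "PCI DSS Req 11", "PCI DSS Req 12",
    "EXAMPLE-PRIVACY-LAW s.3", "EXAMPLE-PRIVACY-LAW s.4",
)

# Evidence collected in the run-up to a December audit (constructed sample records).
EVIDENCE = (
    Evidence("CC-01", date(2010, 11, 20), "scan-2010-11-20.pdf"),
    Evidence("CC-02", date(2010, 11, 30), "logreview-2010-11-30.txt"),
    Evidence("CC-03", date(2010, 11, 15), "policy-signoff-2010.pdf"),
)


def unmapped_requirements(requirements: Iterable[str], controls: Iterable[Control]) -> list[str]:
    """Gap analysis for the control framework: requirements no control claims to satisfy."""
    covered = {req for c in controls for req in c.satisfies}
    return [r for r in requirements if r not in covered]


def control_status(control: Control, evidence: Iterable[Evidence], as_of: date) -> str:
    """'compliant' if the newest evidence (on or before as_of) is within the control's
    frequency, 'overdue' if it is older, 'no-evidence' if nothing has been collected."""
    dates = [e.collected_on for e in evidence
             if e.control_id == control.control_id and e.collected_on <= as_of]
    if not dates:
        return "no-evidence"
    age_days = (as_of - max(dates)).days
    return "compliant" if age_days <= control.frequency_days else "overdue"


def compliance_report(controls: Iterable[Control], evidence: Iterable[Evidence], as_of: date) -> dict:
    """Point-in-time status of every control; run it on any day, not just at audit time."""
    return {c.control_id: control_status(c, evidence, as_of) for c in controls}


def requirements_at_risk(controls: Iterable[Control], evidence: Iterable[Evidence], as_of: date) -> list[str]:
    """Translate non-compliant controls back into the regulatory requirements they were covering."""
    report = compliance_report(controls, evidence, as_of)
    return sorted({req for c in controls if report[c.control_id] != "compliant" for req in c.satisfies})


if __name__ == "__main__":
    print("unmapped:", unmapped_requirements(APPLICABLE_REQUIREMENTS, CONTROLS))
    for when in (date(2010, 12, 1), date(2011, 6, 1)):
        print(when, compliance_report(CONTROLS, EVIDENCE, when),
              "at risk:", requirements_at_risk(CONTROLS, EVIDENCE, when))
```

Running the report for the audit date and again six months later shows the sine wave the post describes: everything is green in December, while by June the quarterly scan and the weekly log review are overdue and the requirements they back are exposed. Scheduling this check to run continuously, and treating an "overdue" result as an assigned task rather than an audit finding, is the automation that turns operational discipline into something sustainable.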

At the end of the day, having the right solution in place makes sustaining a PCI compliance program very achievable.

Filed under: Uncategorized
Tagged as: pci compliance