PCI DSS for Security Leaders – How to Take a Proactive Approach
If you’re a newly hired CISO or Director for an organization that’s required to achieve and maintain PCI DSS, you may be wondering how and where you can get started so that you’re ready when it comes time for the assessment to begin.
No one wants to hear, “I’m putting you in charge of this year’s PCI assessment. The assessor will be on-site within the hour.” I should know, because that’s what my manager said to me out of the blue back in 2011—I was a newly hired Compliance Analyst who had never even heard of PCI, though, thankfully, our QSA took me under his wing, and we completed the assessment.
Now, after 10+ years of work as a security leader—work that involved PCI DSS assessments against versions 1.1 through 4.0—I’m on the other side of the table, working for Schellman as a QSA, and I want to offer some insight the same way that first QSA did for me.
In this article, I’ll detail 7 helpful strategies I learned during my time as a security leader so that those in that position now can avoid the mistakes I made and more easily achieve their first PCI DSS attestation (or maintain their current PCI initiatives).
6 Things Security Leaders Must Do for PCI DSS Compliance
1. Determine Your Current Compliance Level
If you’re just coming in, your priority will be to get a sense of where the organization stands with PCI by:
- Meeting with your staff—if you have any—and reviewing the list of current compliance gaps; and
- Obtaining a copy of the PCI Prioritized Approach spreadsheet (or completing it, if it’s not yet been done).
  - This will be particularly helpful in both prioritizing your gaps and targeting which remediations will meet the most requirements, helping you achieve compliance more quickly.
Achieving PCI compliance will require spending across multiple areas—you may need to hire staff, upgrade servers and network devices, or purchase software such as anti-malware, security information and event management (SIEM), and various scanning tools. Not only that, but you’ll also need to obtain an ASV (Approved Scanning Vendor) and penetration testers to satisfy all the PCI DSS requirements.
But once you’ve ascertained what you still need to remediate gaps, it’ll be easier to prepare your budget for presentation to your executives or board.
2. Create/Maintain Corporate Culture
There’s a great quote that says, “PCI should be baked in, not bolted on.” In other words, compliance must be a 365-day-a-year activity and should not be treated as merely an annual assessment event. As a security leader, it’s part of your job to sell that idea, particularly because the overall attitude toward PCI DSS compliance within your company can play a huge role in how successful you will be in achieving it.
To help establish a PCI DSS-forward culture, meet with the leaders of the departments that impact compliance, such as IT, Networking, and your help desk, and try to get a sense of their approach to PCI. When you do, keep in mind that you’ll need their assistance to achieve compliance (so try not to swing any hammer).
You’ll need to look upward as well, since executive leadership is also key in both changing corporate culture and achieving compliance. Hiring a security leader hopefully means they’re already on board, but I still recommend getting to know the CFO very well if possible, since you’ll need their support when budget time comes around.
3. Establish and Maintain a Reporting/Communication Structure
Speaking of your execs, you’ll need to communicate with them regularly regarding the status of the assessment—I recommend quarterly communication that covers the status of the assessment, remediation efforts, new budget items, and any new security awareness training (phishing campaigns, etc.).
If possible, these reports should demonstrate the potential financial impact of either not achieving or achieving PCI DSS compliance, since a monetary figure will go a long way in obtaining executive attention (and support).
Overall though, keep communication concise and to the point—an extensive PowerPoint is not the way to go, since you want executives to read and absorb what you are sending among the many other things they have going on.
4. Staff Your Teams
Regarding your own team, if you already have one in place, that’s great. If not, you may need to bring in some help—depending on your organization’s size—because you cannot achieve PCI DSS compliance by yourself. (I tried, and it didn’t work.)
At a minimum, you’ll need:
- Someone to handle the day-in and day-out security tasks (log reviews, etc.); and
- Someone to wrangle the compliance program(s)—filling this role becomes even more important if you have more than just PCI assessments to handle.
Together, this compliance team should take the meetings and evidence collection out of your hands and only pull you in should an issue arise.
Meanwhile, you should meet with your security team regularly so you stay well informed on how the gap remediations are progressing—consider a daily call for that and discussions regarding any roadblocks in meeting PCI requirements.
Despite all this delegation, PCI DSS does require that you as a leader perform a quarterly review of security processes, which basically means you must evaluate all the activities performed by your staff and ensure they’re completed properly, per your internal processes, and that they meet PCI requirements.
5. Meet Your Assessor
Together with your compliance and security staff, you’ll need to convene with your PCI QSA for a “get to know you” type meeting to first establish a partnership with your assessor (rather than an adversarial relationship).
A free flow of information between you and your QSA will be essential to your compliance, so here are some things to keep in mind throughout the engagement:
- Most assessors want you to achieve compliance and will bend over backward to help you get there.
- They are not asking for evidence based on their personal decisions—rather, they’re following the standard and are bound to follow its direction.
- Communicate internally about your QSA and plainly state that at no time should anyone attempt to hide anything or mislead the QSA—all questions during interviews should be answered with open honesty and evidence should be complete and accurate.
6. Handle Administrative and Technical Controls
In my experience, reviewing and implementing this list of administrative and technical controls will close quite a few major PCI DSS gaps that may have been identified within your organization:
- Policies and Procedures: Review them all, including your Information Security Policy, Acceptable Use, and Patch Management Policy, as they all should be aligned with the appropriate PCI requirements.
- System Hardening Guides: Review and ensure the systems are configured as described in the documentation and align with PCI requirements.
- Vulnerability Scanning: Ensure you have both internal and external tools.
- Cloud-based SIEM and/or Security Orchestration, Automation, and Response (SOAR) Solutions: Use these to avoid maintaining local instances.
- Security Operations Center (SOC) as a Service: This can be an incredibly economical solution that covers incident response and daily log reviews while also reducing the number of security staff needed.
- Cloud-based EDR Solutions: Consider implementing these, as they can cover anti-malware, file integrity monitoring, and system firewall configurations.
- Third-Party Service Providers (TPSP): Create and maintain a list of these, as well as all current TPSP Attestation of Compliance (AOC) documents.
7. Complete These Post-Assessment Activities
Once you’ve made it through your first assessment at the organization and are PCI compliant, remember these few things over the next year to ensure your next assessment goes smoothly:
- Collect and store your TPSPs’ new AOCs as the current ones expire.
- Perform and pass external ASV scans quarterly—collect and store those attestations.
- Perform quarterly internal scans—while PCI DSS requires quarterly evidence of scans, a monthly cadence is recommended as handling a single month of vulnerabilities is much more manageable than three months of them.
- Conduct a quarterly review of processes. (Set yourself a calendar reminder to perform this task.)
- Maintain the business-as-usual mentality.
Next Steps for PCI DSS Compliance
While I know these points don’t encompass everything you’ll need to do, covering these aspects—a proactive culture, executive support, security & compliance staff, along with a solid relationship with your QSA—will help you achieve success in your PCI DSS compliance.
About Bill Soverns
Bill Soverns is a Senior Associate with Schellman based in Dallas, Texas. Prior to joining Schellman, Inc. in 2021, Bill worked as the CISO for a nationwide Contact Center, specializing in Information Security oversight and all compliance initiatives including PCI, SOC1, SOC2, HITRUST, and HIPAA. Bill also led and supported various other projects, including enterprise-wide implementations of various antivirus, FIM, and SIEM solutions. Bill has over 30 years of experience serving clients in various industries, including Contact Centers, Payment processing switches, and financial institutions. Bill is now focused primarily on PCI-DSS assessments for organizations across various industries.