"Compliance needs to be actively maintained," Simonetti says. "It's a year-round activity. It should be embedded in the normal business process."
In other words, maintaining PCI compliance must become your "business as usual." And that means recognizing that it's not just about technology, Simonetti says; it's about your business processes and staff education. A key element of embedding PCI compliance into everyday operations is to build compliance into your corporate change-management program: make PCI compliance reviews a standing item in your weekly change control meetings, and allocate time to track every change to each environment that is in scope for compliance.
You should also stress that maintaining compliance is not a task for your security team alone. It involves application developers, system administrators, executives and customer-facing staff in stores and call centers.
3. Think of PCI Compliance in a Wider Context
It's important to think of PCI compliance as one piece of a wider security program, not as a blueprint for security. Treat PCI DSS as the minimum standard for what you should be doing, not as a checklist to be completed and forgotten.
Simonetti notes that you should seek to understand the intent of each requirement you implement.
"In particular, each control should be understood in the context of how it helps prevent a data breach by eliminating one of the three elements that form any data breach — data, access and egress (the 'data breach triangle')," van Oosten writes. "For example, by limiting what is stored, you reduce the amount of data that could conceivably be breached. By identifying and closing system vulnerabilities, you can block the number of routes an attacker could use to gain access. By implementing DLP solutions, you can make the egress (exfiltration) of data harder."
"The best thing you can do to simplify your PCI compliance workload is to put your PCI compliance strategy within the organization's larger governance, risk and compliance (GRC) strategy," van Oosten adds. "It's essential to ensure that your PCI compliance efforts support a broader control environment, and for all activities in the compliance program to be properly specified and governed in line with your unique operational environment and risk profile."
4. Leverage Compliance as an Opportunity
While PCI compliance can feel onerous, Simonetti says it is more effective to stop looking at it as a cost of doing business and instead view it as an investment. You have to map all cardholder data (CHD) flows across your systems and processes to understand what you need to protect. While you need that understanding for compliance purposes, it is also valuable in its own right for the insight it gives you into how your business actually operates.
Verizon notes you could use that information to identify opportunities to accomplish the following:
- Consolidate systems, allowing you to reduce scope while cutting software licensing, maintenance and facilities costs.
- Rationalize your list of suppliers and clarify roles and responsibilities.
- Transform or streamline outdated processes and reduce staffing.
- Improve system performance and uptime by better applying patches and configuration best practices.
- Consolidate existing merchant contracts with your acquiring banks and payment processors to achieve better transaction fees.