PCI DSS Compliance: Critical Roles and Responsibilities

PCI DSS Compliance: Critical Roles and Responsibilities

Customers depend on companies to protect their payment card information. You may be a vendor taking payments online or a major company collecting millions of swiped payment cards each year. Either way, it is crucial to understand fully and manage your compliance program. Unfortunately, many stakeholders are not aware of what the Payment Card Industry Data Security Standards (PCI DSS) are or what role they need to play to ensure compliance.  If you’re wondering how to be PCI DSS compliant, one key step is to set up a PCI DSS compliance committee with appropriate roles and responsibilities.

What Is PCI DSS Compliance?

PCI DSS compliance refers to meeting all of the requirements published by the PCI Security Standards Council. The requirements are in place to make it more difficult for hackers to access your network and your customer’s payment card information. Generally speaking, companies provide evidence for PCI DSS compliance through the implementation and documentation of information security controls. The controls include point of sale hardware and software, anti-virus software, vulnerability scanning, password policies, and team member training. As the name implies, PCI DSS compliance is required for organizations that store, process, or transmit cardholder data. 

How Do You Comply with PCI DSS?

A significant aspect of addressing PCI DSS compliance is defining ownership within your organization. Depending on your internal complexity, many departments could be involved. For example, the finance department is responsible for collecting the transactions. The IT department is responsible for the technical environment. The compliance team is responsible for adherence to the PCI DSS requirements. With so many people involved in payment card industry data, the most realistic approach to information security is often a group approach. 

What Are the Benefits of a PCI DSS Compliance Committee?

Some organizations manage PCI DSS compliance as an annual IT compliance exercise. Trying to manage PCI DSS requirements separate from other control frameworks can be inefficient and damaging to the overall control environment. PCI compliance is a process that should be a component of your organization’s corporate governance framework. An approach that works well for unifying the compliance approach is to create a formal committee to address PCI DSS compliance guidelines. 

Having a formalized committee provides your team with the benefit of direction, clarification, and accountability for each applicable business unit. Your committee also initiates and helps manage PCI security processes into daily business and operational procedures (e.g. Compliance by Design). They also monitor security controls to maintain compliance throughout all processes, procedures, and technologies.

Another benefit of having a PCI-focused committee in place at your organization is your program’s further improvement. Often, the effectiveness of an organization’s PCI DSS security controls and their overall compliance state will decline after completing the initial assessment. By creating a committee and revisiting the effectiveness of controls, your organization is making an effort to maintain a more consistent security and compliance state.

Who Should Be in Your PCI DSS Compliance Committee?

Your PCI DSS compliance committee should include people from business units that handle payment card industry data and those involved in data security. The departments may include:

  • Finance
  • Information Technology
  • Risk Management
  • Compliance
  • Legal
  • Internal Audit

Diversifying the committee members will help implement controls throughout the organization and ensure the removal of a siloed approach to PCI compliance.

The InfoSec Survival Guide: Achieving Continuous Compliance

 

What Is the PCI DSS Compliance Committee Project Manager Role?

Once the committee is selected, committee members should assign different roles. One of the most critical committee roles is a dedicated project manager. As part of your PCI DSS compliance committee, having a project manager is critical for continuous compliance and minimizing any potential “fire drills” you may encounter during the annual PCI compliance validation or quarterly internal reviews. Ongoing compliance requires centralized coordination of numerous resources, actions, projects, and people. A project manager should collect, collate, and store evidence to demonstrate how ongoing PCI security controls operate effectively and continuously.

Achieving Continuous Compliance

Building a common internal controls framework is the key to simplifying annual PCI DSS compliance certification. Organizations often have to comply with multiple frameworks. Building a framework crosswalk allows you to map your controls to multiple frameworks at once and reduce or eliminate redundant testing. The committee project manager can lead the process for identifying the potential control frameworks to include in the crosswalk. The most commonly combined frameworks include PCI DSS, NIST CSF, and ISO 27001. An effective crosswalk allows you to test more efficiently and reduce audit fatigue.

Mapping your common control framework is a powerful exercise. Using purpose-built software like AuditBoard’s integrated compliance management solution, organizations streamline framework gap assessments and easily create a standard controls framework to avoid redundant testing. 

Tony

Tony Luciani is a Senior Manager of Product Solutions at AuditBoard. Prior to AuditBoard, Tony served as IT Risk and Compliance Manager at Sony Pictures. As a former InfoSec consultant, PCI QSA, and CCSFP Assessor, his experience ranges from performing gap/attestation assessments (i.e. NIST, ISO, CIS, SOC2, PCI, HITRUST, etc.) to facilitating IT risk management programs for customers across multiple industries. Connect with Tony on LinkedIn.