PCI DSS: “Swim” Safely to Compliance; Your QSA Can Help You Get to Shore
When it’s summer here in Australia many of us spend a lot of time at the beach. Most “Aussies” will tell you a great deal of their childhood was also spent there, and while we love spending time at the beach, we are also taught to know the dangers. One key lesson is being wary of rip currents.
Rips are complex, and they can quickly change shape and location. At times they are also difficult to see. If you are caught in one while swimming, it can be life threatening, but there are things you can do to survive. Swimming parallel to the shore and towards breaking waves, using the waves to help you in, is one way. Another is to raise your hand and look for rescue by lifeguards. If you try to swim against a rip, you will just wear yourself out to the point of drowning. Understanding this gives a whole new meaning to “going with the flow”.
When undergoing a Payment Card Industry Data Security Standard (PCI DSS) assessment, you will be working with a Qualified Security Assessor (QSA). A QSA can also be a trusted advisor, a lifeguard if you will. Sometimes you just need to raise your hand and ask for help. You may not understand a particular control, or what evidence you need to produce to demonstrate compliance with it; your QSA can help guide you. You may also engage a qualified consultant to help identify issues that may impact compliance before your assessment, because, just like a rip, problems can be difficult to spot at times.
What won’t work is swimming against advice. At times I hear clients say things like “you need to be reasonable” or “you can’t expect us to comply with that, given the costs to our business”, as if a QSA controls the current. The standard is set by the PCI Security Standards Council, and a QSA’s job is to assess against the standard as written; a QSA cannot waive or water down a requirement. That doesn’t mean a trusted advisor can’t help you swim with the current until a wave takes you into compliance. Often you will find there are alternative ways to meet a requirement that don’t break the bank (the standard itself allows for documented compensating controls where a requirement cannot be met exactly as stated, provided the compensating control addresses the same risk). Engaging a qualified consultant in advance of your assessment can ensure your swim to compliance is gradual and controlled, with solutions and advice that are practical and pragmatic, designed to be the best fit for your business while still meeting the applicable controls of the PCI DSS.
Liken your QSA to a lifeguard who is trying to rescue you from a rip; they aren’t working to take you out to sea. The QSA is there to help you to the “beach”, but getting help beforehand in identifying potential issues can make for an easier journey to compliance.
My advice: have a gap assessment done by a qualified consultant well before your compliance date, to identify any potential issues for compliance. This is especially important if your acquiring bank changes your merchant or service provider level, or if your cardholder data environment (CDE) changes, since either can change which requirements apply and how you must validate against them. It is even more true if you are a new entity or this is the first time you have been asked to comply with the PCI DSS. Often those swimming at an Australian beach for the first time find themselves in the middle of a rip, not knowing what to look for.
When your assessment rolls around, work with your QSA and not against him or her. The QSA is not there to hinder your compliance; the QSA would love nothing more than to help you to the “beach”. One thing is for sure: the more you swim at an Australian beach, the more adept you become at spotting the dangers, and the more you enjoy it. You may never enjoy being assessed, but the first part holds for compliance too: the more assessments you go through, the better you get at spotting problems before they catch you.
_______________________
SecureTrust, a Sysnet company, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.
_______________________
Brian Odian is the Director of Asia Pacific Global Compliance & Risk Services Consulting at SecureTrust, based in Sydney. He has over 32 years of IT industry experience, including roles as a Security Delivery Manager and Global Security and Transformation Lead for large worldwide information technology corporations. During his career he has worked across a wide range of industries and roles, including global management experience across multiple cultures and business environments.
Experienced in running global security programs, and some of the largest regional projects in Asia Pacific, Brian brings a mix of project management, security and compliance credentials together (CISM, CRISC, PMP, QSA, ISO 27001 IA) to achieve the best results in delivering security solutions and compliance programs. He has been published by the Project Management Institute (PMI) and MSSP Alert, and has conducted webinars on the General Data Protection Regulation (GDPR) and Compliance Intelligence. He has also presented on PCI compliance for some of the “big four” banks and the Customer Owned Banking Association (COBA).