Becoming PCI compliant can be a tall order for any organization, but it is especially tricky when a single person is responsible for PCI compliance. The Payment Card Industry Data Security Standard (PCI DSS) is strict, and what an organization must do to validate compliance varies with its size, its annual transaction volume, how it accepts and handles card data, and other factors. Staying on top of all the requirements, which continue to evolve, is no small task for one person.
No one person should have total ownership of or complete responsibility for PCI compliance, but in smaller organizations this is often exactly what happens. We also see the responsibility heaped onto IT’s plate, even though compliance is a business requirement that senior management should help drive.
The most important thing anyone in this situation can do is become a champion of PCI compliance. They may be the person accountable for meeting the standard’s requirements, but it helps enormously to get buy-in from other key people within the organization. Those people can support the effort by taking ownership of their own slice of the pie and chipping in to keep the entire organization compliant from end to end.
Here are some things that “solo practitioners” of PCI compliance can do to keep an organization secure:
1. Keep Everyone Trained on PCI Compliance Requirements
It may seem trite, but ignorance is not bliss when it comes to PCI DSS compliance. The reality is that PCI compliance is the responsibility of every employee, from top management down to the cleaning staff. Everyone should receive training on how to handle and safeguard cardholder data. If an administrative assistant sees another employee doing something wrong, that assistant should have the training to understand why the employee’s action is wrong and should know the next steps for reporting it and, if necessary, for incident response. Documenting and enforcing policies requires an organization-wide effort.
2. Get Support From IT
You will need the support of your IT department to make any effective headway with PCI compliance. In bigger companies, this may extend to a security team and an internal audit team. These are the people who would be involved in reviews, audits, completing Self-Assessment Questionnaires (SAQs), and arranging the quarterly external vulnerability scans performed by an Approved Scanning Vendor (ASV). IT will need to be heavily involved in implementing and enforcing the PCI DSS requirements, which can be very technical.
For larger organizations, it may make sense to engage a Qualified Security Assessor (QSA); merchants at the highest transaction-volume level are required to have an annual on-site assessment rather than a self-assessment. QSAs are companies that have been qualified by the PCI Security Standards Council to verify an organization’s adherence to PCI DSS.
3. Get Buy-in From Senior Management
The C-level executives of an organization are most likely to be concerned about potential damage to their brand, perhaps more so than about the fines the card brands can levy through the organization’s acquiring bank. (The PCI Security Standards Council itself does not impose fines.) This knowledge can be used to win support for internal initiatives such as training, or for bringing in outside help from vendors or through technology.
4. Work With a Seasoned Compliance Vendor
At times, too much responsibility gets heaped onto one person within an organization, and that person may find it extremely difficult to hold the attention of the other stakeholders whose input is needed for PCI compliance. Without an internal support system, the best bet may be to work with a seasoned compliance vendor who can take some of the responsibility off that person’s plate, ease the burden of compliance, and perhaps reduce the compliance scope. Reducing scope generally means keeping cardholder data out of your own systems altogether, for example through tokenization, a PCI-validated point-to-point encryption (P2PE) solution, or hosted payment pages, so that fewer systems, networks and people fall under the requirements.
Arrow Payments has a successful track record of working with organizations of all sizes to reduce PCI scope and keep payment card data protected. Contact us today for a free consultation.