Learn how to get your organization PCI compliant.  

By: George Mateaki
Security Analyst
CISSP, QSA

When it comes to PCI compliance, enterprise organizations have their own unique challenges in managing data security.

One problem enterprise organizations have is the large amounts of card data they store and transmit. Due to their larger environment, the organization’s reaction time to policy changes and security vulnerabilities is often slower.

Because there are often many different entities and groups involved in management, contradictory security decisions can be made. It’s also not always apparent which group is supposed to be in charge of which element of security, which creates confusion and often means a security task never gets done.

Here are 5 tips to help enterprise organizations get PCI compliant.

1. Standardize PCI compliance in your company 

Enterprises will often have multiple merchant IDs. As a result, there can be a lot of confusion when it comes to delegating responsibilities. For example, franchises often have difficulty coordinating with each store or location to make sure every shop is PCI compliant.

You need to standardize PCI policies throughout your organization. I highly recommend an employee manual that spells out what each group or location must do for PCI. A manual standardizes PCI policies, preventing confusion and policy inconsistencies, and it helps locations feel more ownership. Employees in large organizations often aren’t fully aware of what they have to do from a PCI perspective.

Enterprise organizations should also have a self-auditing process to make sure security practices stay in place throughout the year. This keeps PCI compliance from shrinking to a once-a-year PCI audit.

Note: Having a self-auditing process is critical, and it is now a requirement for service providers to perform quarterly (PCI DSS requirement 12.11).

Tips
  • Notify employees of PCI requirements: make sure all locations and departments are aware of their roles in PCI security and compliance
  • Centralize the incident response plan: in the event of a breach, each location’s individual plan points to the central plan for instructions on how to handle it properly
  • Standardize policies: give each department/location the same set of templates to make sure all policies are consistent


2. Have proper communication within departments

With enterprise organizations comes multiple locations and departments. For many, coordinating with all these different groups is difficult.

One issue many enterprise organizations with multiple locations face is that the central team may never get out to those locations to help their groups and show them what’s required. Because of this, smaller groups within the organization don’t always have a proper understanding of what the organization expects in data security.

Tips
  • Standardize communication in general: policy updates, changes to the PCI standard
  • Have a well-defined process for getting updates out to the different merchants: schedule regular emails, and have a strategy for notifying merchants
  • Clearly define responsibilities: make sure all departments know their own responsibilities and what is being managed from a centralized location
  • Set up regular communications with each group: the more you communicate with your other merchants, the easier it is to find and remediate issues in the security process

3. Assign people in charge of PCI compliance

Many enterprise organizations think that by giving PCI responsibilities to their IT department, that’s enough. You may think that handing it over to your IT head will be sufficient to get compliant.

However, PCI compliance is a lot bigger and more complex than you may think. IT can’t handle PCI responsibilities on their own; it will soon overwhelm them. You’ll want to have an employee (or a group of employees) take charge of PCI compliance, which should be their sole responsibility. There also needs to be someone to remind employees to get compliant.

Tips
  • Assign a department to be in charge of compliance: don’t just give the responsibilities to your IT department
  • Set aside a budget for PCI compliance staffing: it may look expensive, but it will save you money in the long run
  • Have someone remind employees of compliance: regular notifications help departments and employees keep PCI compliance on the brain

4. Train your employees and learn more on security

One of the biggest problems enterprise organizations have is that they simply don’t know that much about PCI compliance. And because they don’t know it or understand it, it doesn’t get done.

Organizations need to train employees on PCI compliance and data security and make it a part of their daily routine. Keeping data secure should always be on the back of their minds as they do their jobs.

Tips
  • Attend conferences/join forums: university treasurers, for example, have forums where they share information. Try to find industry-specific groups to learn about PCI challenges
  • Set up regular training schedules for employees: you should train employees on security at least quarterly, if not monthly
  • Do daily reminders about some aspect of security: employees should be constantly reminded about security 
  • Use resources: there are many blogs, videos, white papers, reports, and infographics that can help you and your employees better understand PCI compliance 

5. Do backups and redundancy

One way to further protect your data and your organization is to keep secure backups of your data and redundancy in your processes.

For example, say your main POS system goes down. It’s a good idea to have backup systems to make sure your organization doesn’t lose business. Just make sure these backups are also PCI compliant and secure.

Another reason to back up your data is to combat ransomware. Having a backup of data makes ransomware holding data hostage much less threatening.

Tips
  • Have backup systems for your critical payment systems: this will help you keep your business going securely should any systems fail 
  • Have secure data backups of your critical data: having a backup can protect your business should your critical data get corrupted by malware
  • Have security procedures in place: make sure these backups are secured so they aren’t themselves vulnerable to attack

Additional tips

Here are a few more things to consider in getting PCI compliant:
  • Configure firewalls properly: your firewall won’t protect you if it isn’t configured to filter traffic in and out of your environment
  • Secure your remote access: unsecured remote access is still the number one pathway to data breaches. Make sure yours is properly secured
  • Talk to your QSA: working with a data security expert will help you figure out what is missing in your security

Remember that getting compliant takes a team effort. You need to work with all of your departments, employees, and locations.


George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.


1 comment:

  1. Standardization across locations and systems is huge. For example, cloud technology can standardize employee access to data, permissions by job role, etc. Without it, individuals at different locations tend to make up their own rules.
