Written by: Gill Woodcock, CISSP, CISM, GSNA, PCIP, Director of Certification Programmes, PCI Security Standards Council (UK)
Gill Woodcock is Director of Certification Programmes for the PCI Security Standards Council. Her role encompasses operational management of the Council’s existing programs (QSA, PA-QSA, ISA, ASV, PFI and PTS) as well as developing new certifications programs. Ms. Woodcock works closely with the Standards Management, Training and Assessor Quality Management teams within the Council. Ms. Woodcock joined PCI SSC in February 2010 and spent two years with the Assessor Quality Management team specialising in quality assurance for PCI DSS and PA-DSS before taking up her current position. Prior to joining the Council, Ms. Woodcock worked for a leading issuer and acquirer and has over 20 years of experience in payment cards and information security.
You want be to secure, you need to be PCI DSS compliant. Too many companies see these as two different goals, and maybe even have different departments and people looking at them. Or worse still, they treat PCI DSS compliance as a box to be ticked, involving the least amount of time, money and effort possible. This way lies madness!
I would like to argue that by looking at things differently, joining up your compliance activities and security efforts, you can achieve a more integrated, and dare I say, holistic approach. This way you can achieve both your security and compliance goals and maximize value along the way. Sounds good, right?
The key to this joined up approach is to understand risk. What are the security risks to your company? What is it that keeps the person responsible for security awake at night? Or do they sleep soundly in blissful ignorance of the data breach which is already in progress because the attacker inserted malware in your systems months ago? A risk assessment is an essential starting point to understand what your company is really facing and determine what controls need to be in place, strengthened or could in fact be relaxed. And here is an example of where compliance meets security: by doing a risk assessment you already on the way to complying with PCI DSS Requirement 12.2. To be effective at identifying new and evolving security risks it is important that risk assessments are repeated regularly, especially when a major change comes along. And again, by focusing on risk, then security you’ll get to compliance. A top down management view of risk vs. a bottom up view of risk from those working on the front-line can give valuable different perspectives and help identify risks that those not in touch with everyday ways of working could easily be unaware of.
I recommend doing a risk assessment for every third party that has access to your data. We all know that third parties can be a security risk, you don’t have direct control over them and they don’t have the same concerns about your data, customers and reputation that you do even if they say they do. So when completing a risk assessment third parties have to be considered. And depending on the service the third party is providing for you the risks could differ enormously. A third party may not represent a huge financial or customer service risk to your company, but if that third party has a lot of your customer data think about what would happen if they accidentally disclosed it or had a rogue employee who maliciously exploited their access. Use the third party requirements in PCI DSS 12.8 and 12.9 to get security controls in place. By thinking about risk and then security, you will get to compliance.
And, it is all just common sense anyway, don’t you agree?