Why your next PCI Assessment can be smoother than you think

PCI compliance is here to stay:
Typically, IT managers dread the annual PCI assessment. With publicized credit card breaches on the rise, meeting PCI DSS requirements will only become more of a necessity, and companies that fail to meet them face potentially stiffer penalties. Adding to the existing complexity of PCI DSS, attackers demonstrate new capabilities for breaching corporate networks on a regular basis, so PCI requirements will remain in a perpetual state of change.

Business as usual:
Every year managers fight the same battles over and over: getting budget for everything that keeps you PCI compliant, making sure policies are up to date and available, keeping patch management in step with quarterly vulnerability scans, and the list goes on. Then there is executive management asking "Are we protected against people trying to steal our credit card data?", a question that always arrives the day after the media reports yet another credit card breach; regardless of the real answer, the only word heard is yes. And last but not least, my all-time favorite: that wonderful PCI company you hired informing you of a new PCI DSS control requirement the week before the onsite portion of the assessment, one you are not even remotely ready for.

There is a smoother way to do annual PCI assessments:
Before signing a proposal for this year's assessment from the same PCI company, ask yourself these simple questions:

  • Does this company have my compliance needs in mind?
  • Can this company help me with compliance deficiencies?
  • Does this company treat me like a partner or just another engagement?

If you can't answer yes to all of the above questions, maybe it's time to partner with another PCI company. Here is a checklist you can use when selecting a different PCI company:

  • Does this company understand what managers must go through to complete a PCI assessment, and what is needed operationally throughout the year to maintain compliance?
  • Is there a clearly defined methodology focused on giving you, the manager, a high likelihood of a successful compliance outcome?
  • Are they available to answer questions at any time during the engagement, and willing to take the time to explain not only what the PCI DSS controls require but also how to become compliant with those controls?
  • Is a project manager assigned as part of the engagement?
  • Does this company have the expertise on staff to assist with or perform additional services if specific PCI goals fall short of compliance?

After vetting prospective partners to perform your PCI assessments, look for one that leaves you with the impression that its goal is to make you successful rather than to add to its sales bottom line: a company with a genuine interest in not only getting you compliant, but also in working with you operationally on an ongoing basis so you maintain compliance. Choose that kind of partner, and your future PCI assessments will go much more smoothly.
