The PCI DSS is a set of requirements designed to ensure effective data
security for merchants that handle credit card transactions. However,
even if your company or department has nothing to do with accepting
credit cards, there’s a lot to be learned from the way the PCI
Security Standards Council has organized its compliance guidance. They’ve
provided a stellar example of how to do it right.
Here are some key points about the way the PCI Security Standards Council
has organized compliance around PCI DSS that I’d like to see you
leverage in your own compliance program:
Key Point # 1: Build an Effective Website for Communication
It seems obvious in this day and age, but I’ve seen too many
websites that are hard to navigate and confusing to use. This usually
happens when the compliance website is of little importance to the
overall effort, and the responsibility falls on whoever happens to
volunteer for the task. This is a mistake. Communication is key in
any compliance program, and your website is a primary tool to accomplish
this.
What I like about the PCI Security Standards Council’s website
is that it’s very easy to find any and all the information you
need. The home page is organized in blocks, which makes it
easy to quickly find what I’m looking for. Also, in a few clicks I
can download the actual standard (currently in version 1.2), which
is very well done.
Key Point # 2: Communicate your High Level Policy Briefly and in a Prominent Location
As soon as I navigate to the PCI DSS section of the website (the
council handles more standards than the PCI DSS), I get a brief overview
of what PCI DSS is all about, and I get a 30-second look at all 12
requirements, grouped into 6 sections. Within minutes, you can effectively
digest exactly what PCI DSS is trying to accomplish, and the high
level requirements that will support these goals.
This is very similar to what we’ve seen at Recovery.gov. Within
one click from the home page, you have a one-page, quickly consumable
outline of everything involved. This is exactly what you want to do
for your program, both for your own internal efforts and for easy
communication externally.
Key Point # 3: Build a Detailed Specification Document with Assessment Instructions
The PCI DSS Specification that you can download from the website
is one of the best I’ve seen, and it is a great example of how
yours should be constructed. To illustrate how thorough it is, it
takes 73 pages to flesh out only 12 requirements. Although it’s
detailed, it’s not superfluous or boring. The pages are spent
very carefully explaining each requirement in detail, with supporting
information for full comprehension.
But it provides more than information; it provides specific instructions
for how to properly execute compliance. Each of the 12 requirements
is broken down into a hierarchy of lower level requirements, and each
lower level requirement contains a testing procedure. The testing
procedure tells auditors exactly what to do to make sure the requirement
is met.
In addition, the specification includes:
- Instructions for how to report on compliance
- A very good discussion on compensating controls, and how they
may be used
- A worksheet for companies that want to use compensating controls,
including example entries
- Templates for attestation
It’s obvious that a lot of thought was put into organizing the
PCI compliance effort, and in my professional opinion it’s a job
well done. When you get a chance, take a look at their website and
specification, even if your business has nothing to do with accepting
credit cards. If your program is put together in the same spirit, you’ll
be in good shape.