The importance of policy management in meeting PCI compliance

Today, policy compliance transcends what are typically thought of as its main departmental drivers, namely HR and IT. A well-established and well-supported security policy sets the tone for an organization and tells personnel what is expected of them. A failure to measure, monitor and manage policy compliance can damage corporate and personal reputations and expose the organization to fines and lost revenue.

The security of card payments is an issue that the major credit card brands (American Express, Discover, JCB, MasterCard and Visa) take incredibly seriously. As such, Requirement 12 of the Payment Card Industry Data Security Standard (PCI DSS), which requires organizations to maintain an information security policy for all personnel, aims to drive cultural change within merchants and service providers that accept card payments, so that the security of their systems and processes is given the appropriate consideration.

The Payment Card Industry Security Standards Council (PCI SSC), which is responsible for PCI DSS, is putting greater emphasis on the processes that support security by improving an organization's policy and risk assessment processes. Specifically, it wants to see year-round adherence to the PCI DSS, managed and measured on a consistent basis, as Troy Leach, CTO of the PCI SSC, explains: “The question that the new standard will help merchants to answer is, ‘Do we have the culture to protect our customers’ cardholder data every day and every hour that we’re doing business?’”

Toughening-up on policy management

Typically, the CEO or CFO with overall responsibility for PCI compliance is well aware of the contractual obligation to meet the standard. Problems arise, however, from the assumption that the PCI policies on paper are actually being followed in practice.

To overcome this common challenge, regular communication and education of staff who are responsible for card payments is key. 

Demonstrating robust policies and procedures

A robust policy management approach is the most effective way of ensuring that any required improvements are communicated throughout the organization – to the right people, at the right time and in the right way.

In a time when cyber-attacks are becoming more prevalent, it’s not just about doing the right thing for organizations anymore, but being seen to do it. As such, there is a requirement for policy documentation to be:

  1. Available
  2. Kept up-to-date
  3. Clearly communicated
  4. Identifiable for compliance reporting

Agreement to each policy must also be tracked, so that the organization can prove compliance and demonstrate governance.

Continuous focus

In meeting the increasingly granular requirements of the current version of the PCI DSS, businesses are realizing that a ‘tick in the box’ approach is no longer acceptable. Rather, they must now prove that adherence to new policies is enterprise-wide, fully understood and ongoing.

This more responsible attitude to compliance is best demonstrated through a combination of automated policy management and ongoing employee education.

Although the initial driver for change may be to protect the organization against fines - or worse - for non-compliance, there is an increasing recognition that the resulting processes benefit the business and its employees as well as its customers.

Implemented effectively, everyone wins.