PCI Compliance Ahead

Preparing your Organization for Permanent Change



Anyone who wants a deeper understanding of the mechanics of PCI Compliance and the values an organization needs in order to accomplish not only the implementation but also the continuation of compliance should read this article. Security professionals and well-informed consumers know that cyberattacks are becoming increasingly common and businesses incur real damage from these attacks.

Year over year, the mounting costs of insecure networks and users have grown to staggering amounts, and card-issuing brands are not interested in paying for the mistakes of downstream vendors.



Why Employee Culture Matters

To understand PCI Compliance you must understand the foundations of the security culture within your own organization before, during, and after implementation. How will you approach compliance? What departments and processes are going to be affected? Compliance should not be seen as a one-time event or something that is apart from your own experience. Further, it’s not just the configuration of your data networks that ensures an untampered flow of sensitive information between consumers, employees, and processing systems, but also a culture of security that guarantees success. Weak passwords, vulnerability to phishing attacks via email, and other human-powered gaps in security can undermine even the strongest of protections.

With the rise of technology-based virtual transactions, tampering with and the theft of consumer account information has become a serious global threat. To increase awareness, the PCI Security Standards Council was founded by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. If your organization has PCI Compliance in its future, then early adoption of the requirements is of the utmost importance to ensure a smooth transition.

To cultivate a healthy culture of security in your organization, you must be prepared to make fundamental changes to your business operation. Technology-oriented businesses with capable and well-operating IT departments may find adoption of security standards less of a challenge than those in other industries. Regardless, any organization that handles card account data in any way must implement increased security practices.

How PCI Compliance Works

The PCI Standard can take many forms based on the type of consumer data processing in which your company engages. Call center agents taking payment data will require drug testing and criminal background checks as well as a paperless environment where sensitive data isn’t written down. The latest specification requires external network audits and scheduled penetration testing.

There are so many different ways a company can be subject to compliance requirements that the PCI Standards Council has provided copious documentation and resources for companies to use when adopting the new standards.

Documents and information on the specifics of PCI Compliance Standards are available at https://www.pcisecuritystandards.org

Valid for three years, the current revision of the standard is PCI 3.0, and it represents an incremental upgrade to the existing body of requirements. Before you can successfully implement the changes your organization needs in order to gain PCI Compliance, understanding how and why compliance is important is critical to your success.

Understanding Cardholder Data Security

Businesses that handle card transactions, operate POS (Point-of-Sale) devices, or interact with account holder information must adhere to a minimum level of security as defined by the PCI Compliance Standard. These standards represent an enforceable yet still commonsense approach to the very real need for end-to-end data security.

The Cardholder Data Environment (CDE)

The scope of your PCI Compliance requirements is determined by the nature of your interaction with cardholder data. The portions of your business networks that are connected by wired and wireless protocols to equipment that handles cardholder data are within the scope of the PCI Compliance requirement.

Segmentation & Isolation

As any wired or wireless device directly connected to cardholder data processing equipment must be covered by PCI Compliance, segmenting and isolating portions of your network can help organizations more narrowly define the scope of their compliance requirements. Business networks failing to adhere to proper security practices will typically possess a flat network where only the boundaries of the network are protected. While this impedes direct traffic attempting to circumvent security measures, individual servers can be targeted and compromised, leading to the whole network being affected.

A properly segmented network will have several key characteristics such as firewalls and other security practices put into place that not only prevent unauthorized access, but also prevent attackers from easily gaining access to other systems within the network, even when a certain piece of hardware has been compromised.

Isolating parts of your network can reduce your compliance requirements by limiting which physical devices must be secured to remain compliant. Regular patching and updates of software to identify and fix vulnerabilities must be monitored and audited internally. Only by designing and maintaining a business data network that is as secure as it is robust can managers ensure that PCI Compliance efforts will not negatively impact network operations and initiatives.

PCI 3.0 continues on the road to more robust testing and validation of data networks within the scope of compliance. For the high-tech company, penetration testing and aggressive patching of vulnerabilities may already be in place, while others may not have them. It doesn’t matter where your organization is now, only where it will be when your operations reach full compliance.

Nurturing the Security Culture

Just because your organization is between a rock and a hard place with PCI Compliance doesn’t mean turning the office into a police state is a good idea. Only by working in a cooperative and open fashion can organizations nurture the security culture within their teams. Now, thanks in part to decades of lax security attitudes, the job of retraining users to naturally and instinctively create and remember a complex password is a challenging one. Once the security culture takes root, the mundane task of password management becomes seen as something different — something much more critical to one’s own safety.

The HR & Management Dynamic Duo

You won't have a positive effect on company culture if all you do is blast edicts onto an unsuspecting populace. Neither will your project deadlines be tenable if managers do not have an integrated support system to power change from within your organization. The challenge of gaining and maintaining PCI 3.0 Compliance is an undertaking that requires a continuous commitment from all levels of your organization. The best way to lay the groundwork for a successful transition to PCI Compliance is to clearly define who has top-line responsibility for security compliance within the organization.

Of course, your organization is different and so your situation-specific solutions will vary, but failing to appoint a C-level officer for compliance who reports directly to the CEO is a risk an increasing number of businesses are refusing to take. Treating compliance as a hassle and a set of responsibilities that some unlucky soul should have laid upon them is not only shortsighted but quite often leads to situations resulting in liability and damage to hard-won brand reputation.

Changing Behaviors, Changing Attitudes

To foster change, the organization must change, and that always starts at the top. Presenting the case for PCI Compliance to your workforce in a manner that invites discussion and engagement relies on your ability to show the commonsense logic of PCI Compliance in a way that is meaningful to your people. When top managers are all aligned for the same purpose, your organization will thrive.

Establish a new Policy Baseline

Specifically testing and developing an updated set of policies for baseline behavior expectations will go a long way to smooth out problem implementation areas. But, without a top-down commitment to establishing a security culture, PCI Compliance will end up being more painful than it has to be.

  • Review working groups and teams to segment your strategies; the objective is not to leave any one element out of the planning
  • Study social interactions and how they affect security at all levels of the operation; companies are made of people, people do things, and so people are what we most need to focus on guiding
  • Isolate the mechanisms by which the organization must become compliant and reinforce the how and why of gaining PCI Compliance; change that makes sense and is expected can be managed

When redesigning policy manuals, penalties and punishments must go hand in hand with an updated picture of the employee model of conduct. Each situation is different, often within the same organization, and your implementation strategy must be purpose-built to match.

Make things easier on your teams: begin immediately training new hires on the updated compliance rules so they start off right, while you phase in the existing workers to meet your deadlines and upgrades to your operation.

PCI Compliance Lessons

The takeaways from implementing PCI Compliance are myriad and organizations that embrace compliance as the next step in a company’s development are better off for many reasons.

  • Increased Efficiency and Security of Data Networks
  • Collaborative Environments that encourage Cross-Pollination
  • Respect and Cooperative Traits Take Root

The PCI Compliance Penalties

Companies can face severe and lasting damage from a breach of cardholder data, and it only takes a single vulnerability to take down your entire operation. The standard retaliation for your mishandling of consumer data is litigation, fees from payment card issuers, and, the most damaging of all, the loss of consumer trust. The modern data criminal doesn’t fear targeting the largest and most robust networks when all that is needed is a pinprick to subvert the most advanced defenses.

Security is everyone’s problem and compliance is everyone’s responsibility.

Getting Started Right with PCI 3.0

Now that you have started thinking down the right path with respect to positively influencing your organization’s employee culture, it is time to get started. Planning and development processes cannot be upgraded or created if you don’t have an accurate picture of what your compliance requirements are or will be for any given scenario. Get a jumpstart on the process by sinking your teeth into some of the following PCI starter projects.

1. Start by interfacing with teams to determine how current business plans will affect the Cardholder Data Environment
2. Begin by creating an inventory including data on each component with function and use — for any system, process, or element that handles sensitive data
3. Begin defining which components of your organization will and won’t be affected by the new compliance measures
4. Prepare for external audits and regularly scheduled penetration testing by keeping records and processes transparent
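The segmentation discussion above and starter projects 2 and 3 (inventory the components, then decide which are and aren't affected) come together in a scoping exercise. The script below is an added illustration, not the Council's scoping methodology and not part of this article: it applies a deliberately simplified model in which any host that handles cardholder data is in the CDE, any segment joined to a CDE segment with no filtering device between them becomes part of the CDE (the flat-network problem), segments that a firewall explicitly allows to talk to the CDE are "connected-to" and therefore in scope, and everything else is out of scope. The inventory, segment names and firewall rules are constructed sample data.

```python
from collections import deque

# Constructed sample inventory (starter project 2): host -> (network segment, handles cardholder data?)
INVENTORY = {
    "pos-01":       ("cde-vlan",   True),
    "pay-gw":       ("cde-vlan",   True),
    "db-cards":     ("cde-vlan",   True),
    "jump-host":    ("mgmt-vlan",  False),
    "hr-fileshare": ("corp-lan",   False),
    "guest-ap":     ("guest-wifi", False),
}

# Segment pairs joined with NO firewall or filtering device between them (assumption: such a
# link makes the two segments one flat network for scoping purposes).
FLAT_LINKS = {("mgmt-vlan", "corp-lan")}

# Flows a firewall explicitly permits between segments (assumption: any permitted flow to or
# from the CDE makes the other side "connected-to" and therefore in scope).
FIREWALL_ALLOWED = {("mgmt-vlan", "cde-vlan")}


def flat_reach(start, flat_links):
    """All segments reachable from `start` without crossing a filtering device (BFS)."""
    adj = {}
    for a, b in flat_links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        seg = queue.popleft()
        for nxt in adj.get(seg, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def classify_scope(inventory, flat_links, fw_allowed):
    """Return host -> 'cde' | 'connected-to' | 'out-of-scope' under the simplified model."""
    cde_segments = set()
    for seg, handles_chd in inventory.values():
        if handles_chd:                      # CHD system pulls its whole flat region into the CDE
            cde_segments |= flat_reach(seg, flat_links)
    connected = set()
    for a, b in fw_allowed:                  # permitted flow across a firewall: other side is in scope
        if a in cde_segments and b not in cde_segments:
            connected |= flat_reach(b, flat_links)
        elif b in cde_segments and a not in cde_segments:
            connected |= flat_reach(a, flat_links)
    return {host: ("cde" if seg in cde_segments else
                   "connected-to" if seg in connected else "out-of-scope")
            for host, (seg, _) in inventory.items()}
```

Note that hr-fileshare lands in scope even though no rule lets corp-lan reach the CDE, because corp-lan sits on a flat link with mgmt-vlan; adding a flat link from corp-lan to cde-vlan instead collapses every office host into the CDE, which is the scope explosion segmentation is meant to prevent.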

The PCI Takeaway

Congratulations: as you embark upon a higher level of compliance culture in your organization, you are helping to contribute to an overall stronger Internet. The interdependence with which the modern global transaction system exists requires diligence and a continuous commitment to secure practices in order to sustain itself.

PCI Compliance will help your organization maintain a solid and robust operation, but compliance alone will not keep pace with the advancement of techniques for manipulating data security systems. Only by creating and nurturing a continual culture of security will your organization be that much stronger and that much more capable of handling the obstacles of the future.