This post is part of the Getting Started with PCI-DSS Compliance series.

The Zeroth Step: Urgent Remediation

Before we get into the meat of the series, let me emphasize the importance of taking a risk-prioritized approach from day one.  Compliance should not be your motivation.  Iron-clad protection of sensitive cardholder data should be your goal.  Compliance will follow naturally… eventually.  The subtext here is that while you develop your compliance strategy, high-risk activities should be identified and addressed immediately.

We recommend scheduling interviews with representatives from each line of business that owns a merchant account, as soon as possible.  This may be difficult if you don’t already have your cross-functional team assembled and if no one other than you knows anything about PCI compliance, yet.  But the bad guys may already be rattling the doorknobs on your systems, and there should be a sense of urgency about getting the base knowledge and the minimum number of pieces in place to make effective interviews happen sooner, rather than later.  Remember, “just because you’re paranoid, doesn’t mean they’re not out to get you.”

You have three goals with these interviews.  First, you want to be reasonably certain that nothing insane is going on, security-wise.  Second, you want to establish a rapport with the merchant account owner to promote cooperation going forward.  Third, you want to gather the information you need to complete your initial inventory of payment card-related activity.

When you approach the merchant account owner, recognize that this is the beginning of a new kind of partnership with this person.  Tell them that the organization’s ability to continue to process credit cards is contingent upon validating compliance with a new set of security standards. (Well, they’re new to you, right?)  Ask to meet with them to tell them about the new standards and to talk about the organization’s strategy for helping them confirm and maintain compliance.  Let them know that you are trying to determine the scope of “our” (vs. “their”) compliance gaps, and ask them who on their staff can talk to you about the business processes related to their merchant account, from end-to-end.  Let them know that you also will need access to the person responsible for the technologies associated with the merchant account.

By now, they’re scared (which can manifest itself as reticence, irritability, etc.), so you need to minimize the FUD factor.  That is, at least try to address the fear, uncertainty, and doubt that your initial contact inevitably generated.  You can do this upfront by sending a preliminary questionnaire ahead of the meeting.  (We’ll post a sample.)  Tell them that you just want them to know what to expect.

It is possible—and if your organization has hundreds of merchant accounts or if your business is distributed geographically it may be necessary—to do this initial inventory exclusively through a questionnaire.  But having a pair of boots on the ground serves two important purposes.  First, it puts you face-to-face with your new partner, and second it helps you gain a better sense about whether or not the situation is reasonably secure.

Going into this meeting, you will be well served if you can bring a business-process lead and a technical lead (preferably an information security specialist).  Establish with your superiors in advance the process by which any untoward findings will be escalated or addressed.  Depending upon your organization’s structure, it may be appropriate to include legal counsel in this process, which may afford some protection if attorney-client privilege pertains to your findings.  At any rate, your organization needs to be prepared to take steps—perhaps painful steps—to address risky activities or, worse still, a system that is found to be compromised.

Coming out of this meeting, you will have minimal (not minimum) documentation of business processes and technologies in use.  You will have introduced the merchant account owner to the PCI Data Security Standard as an ongoing concern.  The account owner also will be aware that this is an initial inventory of the organization’s card processing environment, and that meeting the full set of requirements will involve more substantial effort.  Ideally, you have articulated the next step that pertains to the account owner and a general time frame for when that step should occur.  More likely, your plan is still forming.  In that case, keep the next action high-level.  Tell the account owner that the initial inventory will inform your planning of a more appropriate gap analysis and that you will keep them apprised of your progress.