For those who have been in the trenches for years, a series about how to begin to grapple with PCI compliance may come as a surprise.  After all, the compliance deadlines are all long past.  However, we recently sat down with an advisee who received marching orders to tackle PCI compliance for his employer, a merchant who only just learned of their compliance obligations.  If you find yourself swimming in similar straits, this series will provide some basic advice on where to begin and point you to important resources.  We invite our more experienced readers to provide additional resources in the comments!

It Begins…

So you’ve gotten a letter or a call or a visit from your merchant bank.  They’ve told you about this PCI Compliance thing-a-ma-bob, and now you’re preparing to explain it to the next level up.  What do you tell them?

Whatever it is, you need to be prepared to respond to the following questions: What are we expected to do?  How much is it going to cost?  How long will it take?  Should we bring in a QSA?  (I’m just kidding: they’ve never heard of a QSA.)  Is this mandatory?*  Are you sure?  Who says?  OK then, shouldn’t this be owned by [insert any other department!]?

Or maybe it was your boss who brought PCI compliance into your world.  Chances are s/he didn’t bring this compliance challenge neatly packaged and topped with a bow.  S/he had similar questions to those above, and your first monumental task is just getting your arms around this thing.

Well, get ready.  In the first stage of your effort, you’ll need to educate yourself, your superiors, and their counterparts in relevant departments (which probably haven’t been identified, yet); create a sense of shared ownership; establish executive sponsorship; develop a road map for achieving compliance; secure cross-functional resource commitments; and find ways to tackle high-risk activities despite business impact.  Oh, and you’ll need to do this while continuing your other duties (at least until it becomes clear to everyone that this is a full-time job).

Don’t worry.  It’s all cake from there…

A Road Map for Building a Road Map

The good news is that you aren’t covering new ground here.  The PCI Security Standards Council provides many useful resources, including its own guide to getting started and an even more useful approach to pursuing recommended compliance priorities†.  Our guide doesn’t depart from the PCI SSC advice.  But where the PCI SSC guides help you understand what you need to do, this series attempts to help you decide how to go about it.  Moreover, the PCI SSC (perhaps appropriately) provides no guidance on how to overcome the organizational inertia that one inevitably faces on such pervasive change management projects.  We do, though your mileage may vary.

In the course of this series, we will describe each of these steps, many of which must be pursued in parallel:

Program Initialization
0. Urgent remediation.
1. Educate yourself on PCI and your organization.
2. Create a sense of shared ownership.
3. Establish executive sponsorship and governance structures.

Compliance Attainment
4. Inventory the merchant card processing environment and conduct a gap analysis.
5. Develop a phased (prioritized) remediation plan.
6. Create project plans and secure cross-functional resources by phase.

Compliance Maintenance
7. Revise governance.
8. Establish compliance monitoring.
9. Reporting.

* A variation might be, “What will happen if we just ignore it?”
† The PCI SSC prioritized approach guide is accompanied by an Excel tool for tracking progress against those priorities.