Let’s be honest for a moment. Going through PCI DSS compliance can be an enormous pain in the a$$. If you’ve been through the annual compliance cycle before, this is a reality you relive every year. Like Groundhog Day, it’s the same crap every time:
- The same realization that the compliance season started a couple weeks ago and you haven’t done anything yet.
- The same mad scramble to gather up all of your evidence and documentation from every nook and cranny of your organization.
- The same tortuous reality of trying to manage your activities and track your files in that rat’s nest of a spreadsheet.
- And the same dreadful existence of constantly hounding your various team members to do the tasks you’ve assigned them.
Everyone dreams of crossing the compliance finish line like you’re in a scene from Chariots of Fire. The music swells, your chest is out, and you break the tape as you stride across the finish line with your hair blowing in the wind.
The reality? You stumble to the finish line, skidding over it on your cheek with your heels over your head.
At TCT, we believe that managing compliance doesn’t have to suck. And our clients have discovered how to run a smooth, automated, well-oiled compliance program that saves hundreds of man-hours per year.
Here’s our short list of steps to get your PCI compliance program in shape for your next Assessment.
Figure Out PCI DSS 4.0
When you went through PCI for the first time, more than likely you were going up against a version of PCI DSS that had been in existence for some time and there were plenty of answers for virtually any question you had. Experts knew the current version of PCI like the back of their hand, and you could get the answers you needed quickly — and with confidence.
With PCI 4.0, everyone is learning as they go. Not only is the learning curve steep for you, it’s steep for everyone who deals with PCI DSS — Assessors, Consultants, service providers, you name it.
This won’t be a transition you can make in a month or two. While v3.2.1 doesn’t retire until March 31, 2024 (and the requirements v4.0 marks as future-dated aren’t mandatory until March 31, 2025), you don’t want to wait so long that you end up with your back against a wall.
End the Cycle of Chaos
Without an organized, streamlined compliance program in place, every year will feel like you’re making your way through PCI compliance for the first time. And it will be ugly — as you’ve probably already discovered.
Here are seven key best practices to build a streamlined compliance program that ends that cycle of chaos.
- Do a post-mortem on your previous cycle. Pinpoint the problems you’re dealing with — not just the symptoms, but the underlying causes.
- Develop a process. Create a process that captures everything you need to do and need to have in place.
- Turn on Operational Mode. Don’t think of compliance as something you achieve, but as something you maintain. In PCI, there are over 35 separate things that need regular ongoing attention throughout the compliance cycle.
- Build a compliance review process. Use a QA process to ensure you’re doing compliance correctly.
- Don’t procrastinate. Don’t wait until the last minute to get your compliance tasks completed. You’ve done the mad scramble before, and hated it. Learn from those mistakes.
- Create a culture of compliance. This should start from the highest levels of your organization. If your executives don’t prioritize compliance, no one else has a reason to.
- Be patient. You won’t see transformation overnight. Progress typically comes over two or three compliance cycles.
Find the Tools You Need
If you’re using spreadsheets, or a spreadsheet-based system, stop. Spreadsheets only create more work for you, and they’re incredibly painful to use. They’re also easy to break and horribly insecure: a shared workbook gives you no real access control, no version history, and no audit trail for the evidence you’re tracking.
Instead, find a compliance management system that’s designed for PCI compliance from the ground up. Many off-the-shelf applications are actually spreadsheet-based, so be sure you know what you’re getting.
TCT Portal was designed by compliance professionals who got their start with PCI DSS. The compliance software is a holistic platform that takes out the most tedious and inefficient tasks, and streamlines your entire PCI program, from start to finish.
End the compliance chaos, for good.
Hire a Kick-a$$ Assessor
A great Assessor can make all the difference between a painful compliance engagement and one that’s as smooth as silk. For PCI DSS, that means a Qualified Security Assessor (QSA) firm; check that the firm is on the PCI Security Standards Council’s published QSA list before you sign anything. Here are some best practices to find a compliance Assessor who’s a great fit for your organization.
- Get recommendations. Talk to people in your network and see who they love working with.
- Hire the expertise you need. Make sure the Assessor has experience with the certification you’re going up against — as well as the certifications you may add in the future.
- Find a good culture fit. Your Assessor is like an employee in many ways, because they work for you and alongside you. Culture fit is an important part of that working relationship.
- Search far and wide. Don’t limit your search to your immediate geographical area. Assessors can do most of their work remotely.
- Don’t throw away your money. Don’t hire the cheapest firm or the most expensive one. Neither one will be worth your money.
- Ask about system requirements. Some Assessment firms require you to store all of your compliance data in their proprietary system, which is great for them but leaves you without control of your data.
Your No-B.S. Guide to Hit the Ground Running for PCI DSS 4.0
Our latest ebook expands on each of these steps, with practical advice for implementation. It also provides a helpful checklist and incredible resources you’ll want to have in your back pocket.
Don’t spend another compliance cycle trying to feel your way around in the dark. Download TCT’s ebook, The No-B.S. Guide to Hit the Ground Running for PCI DSS 4.0, and discover how to get your PCI DSS crap together. Stop reliving the compliance equivalent of Groundhog Day and start running a smooth, streamlined compliance program today at your organization.