This is the twelfth blog in a 12-part series addressing each PCI DSS Requirement and the challenges faced by companies going through this process. To view the previous posts in this series, click on the appropriate links below:
PCI Requirement 12 - Maintain a Policy That Addresses Information Security for all Personnel
Requirement 12 lays out the requirements to build out a security policy by establishing it, publishing the policies, maintaining the policies, and disseminating them to all personnel involved in the PCI program. Risk assessment processes are brought forth in requirement 12 as well, and the PCI Security Standards Council states these assessments must then be conducted at least annually. The risk management area creates a challenge to many companies I will touch on below. Awareness training, delegation and documentation of the security roles and responsibilities within your organization, and incident response are large parts of a quality information security program. Users and employees are and always will be the biggest threat to any environment. Thus, security awareness training is so critical and often pushed off or brushed up on very lightly in many companies. The PCI Council has required training for years and organizations should take notice and implement a continuous program for awareness training, not just for cardholder data, but for all activities. Assigning information security management responsibilities is often overlooked in smaller environments with limited staff. This presents a great opportunity to identify who may be up for that role on your IT Staff and allow them to grow and drive the security program. We often see this role as the Information Security Officer, or ISO. Requirement 12 is very much a documentation and process related area and less technical than some others.
Companies that require PCI Compliance face some familiar challenges within requirement 12:
- Policy Development and Review - The biggest challenge we see faced is the “one and done” thinking of policy establishment and dissemination. There needs to be oversight of the policies and at least annual review and re-publishing for all to retrain on.
- Security Awareness Training - Awareness training is becoming more integrated into our daily lives at work. With that there needs to be someone who manages this training program. Again, it’s a challenge at times when resources are limited.
- Risk Assessment - Assessing risk, this is seen as a challenge frequently because organizations don’t know where to start. Reaching out to a third party like Compass who is well versed in the risk management world can help get the ball rolling and offload the additional work needed to move the risk management process forward.
- Incident Response Program - Incident response is in the same ballpark as risk assessment, organizations don’t know where to start. By reaching out to a company like Compass, who is well versed in Incident Response, establishing and meeting this portion of the requirement much easier and quicker.
Compass IT Compliance is well versed in the PCI compliance space and can help your company with a risk assessment to determine what you need to do to comply with PCI.
These challenges are just some of the areas within the PCI DSS requirements that many of our client’s face. Another area where our client’s experience challenges is keeping track of the various requirements that must be completed on a quarterly, semi-annual, and annual basis for PCI Compliance. Therefore, Compass IT Compliance has created our PCI Compliance checklist, one for service providers and one for merchants. This simple, easy to use checklist gives you the PCI requirements, what you must do to achieve/maintain compliance, and how often you need to complete each requirement. To download your copy today, click on the button below!