Any merchant that interacts with customer cardholder data must be PCI (Payment Card Industry) compliant. Achieving PCI compliance can be a complicated business, which is why some businesses need a PCI compliance manager to help with the process. A compliance manager can reduce the scope of PCI, cut costs, and simplify the compliance process. To understand the role of a PCI Compliance Manager, we’ll quickly overview PCI Compliance requirements and the PCI auditing process before diving into what a PCI Compliance Manager does.
What is PCI Compliance?
PCI DSS (Payment Card Industry Data Security Standard) compliance is mandated by the PCI Security Standards Council for anyone who interacts with payment card data. The standard was created by Visa, Mastercard, Discover, JCB, and American Express to protect their customers’ cardholder data wherever it is used.
PCI DSS requires multiple security measures for all card data, no matter the size of the business. These include protecting cardholder data with encryption or tokenization, maintaining a secure firewall, and keeping antivirus software up to date. Some of these tasks are deceptively simple: the larger the organization, the harder maintaining compliance will be. You can check out a full PCI compliance checklist here.
PCI compliance should be important to every merchant who wishes to avoid the nightmare that is a company data breach. A breach of customer data will often result in heavy lawsuits, costly investigations, and a shattering blow to the brand’s reputation. In case that wasn’t enough motivation, the PCI Security Standards Council also imposes heavy fines on businesses that are out of compliance. Failing to maintain compliance with PCI DSS can result in fines of $100,000, or more, for every month a company remains out of compliance.
What is a PCI Compliance Audit?
A PCI QSA (Qualified Security Assessor) will audit large businesses (businesses with more than 6 million card transactions) for PCI DSS compliance once a year. Companies that have experienced a breach must also undergo audits once a year. The QSA will assess everything within the scope of PCI, which is every system that interacts with cardholder data. If everything meets PCI DSS requirements and the business passes, the QSA will produce a PCI Attestation of Compliance (AOC) for the business.
Smaller businesses that don’t need to go through an audit with a QSA still need to check their PCI compliance. Once these businesses have checked their compliance, they can fill out a self-assessment questionnaire and submit an attestation of compliance (AOC) for themselves.
What Does a PCI Compliance Manager Do?
While a QSA performs the official PCI audit, a PCI compliance manager will work with a company to ensure it maintains compliance. PCI compliance managers are useful for larger businesses, or for businesses that have experienced data breaches and are high-risk.
A PCI Compliance Manager will be responsible for ensuring the business meets all the qualifications of PCI compliance. They will also develop plans to ensure continued compliance as the company scales and the data security landscape changes.
Some companies choose to have a single PCI Compliance Manager; others choose to form a committee to take on the responsibilities of compliance. Either way, those responsible for managing a company’s PCI compliance will focus on the following 12 compliance requirements:
- The manager will ensure proper firewall configurations are installed and maintained in order to protect the cardholder data within the business’s scope
- The manager will ensure certain security parameters, such as using proper passwords instead of vendor-supplied passwords, are used within the business
- The manager will ensure that all stored cardholder data is adequately protected against unauthorized access
- The manager will ensure a proper encryption solution is used whenever cardholder data is transferred across open networks
- The manager will ensure that regularly updated antivirus software is used to mitigate threats
- The manager will help develop or maintain secure systems and applications where cardholder data is used
- The manager will make sure cardholder data is only accessed on a need-to-know basis
- The manager will ensure a unique ID is assigned to every person with computer access
- The manager will ensure any physical access to the cardholder data is adequately restricted
- The manager will regularly monitor access to cardholder data and network resources
- The manager will ensure that all security systems and processes are regularly tested
- The manager will introduce or maintain an information security policy for employees and relevant contractors
It should be noted that the work behind these 12 requirements for PCI Compliance may fall on multiple individuals within an organization. However, a PCI compliance manager will be the one to ensure all these requirements are met. Especially in larger organizations, a PCI compliance manager may only perform a few of the above jobs directly, such as monitoring security systems and managing cardholder data access, while working with a larger security team on objectives that affect the entire company, like firewall configurations.
PCI compliance requirements should not be treated separately from the rest of the organization’s IT or compliance initiatives. If a PCI manager is siloed, they cannot perform their job as well as they could if they were integrated into a larger team.
A PCI compliance manager should have access to, or work alongside, personnel from IT, finance, risk management, compliance, and legal. Integrated within a larger team, they can contribute to systems that ensure consistent and effective data security policies. In this way they can not only help with PCI compliance, but also contribute to holistic data security solutions.
PCI Compliance Manager Qualifications
A PCI compliance manager could be the difference between monthly $100,000 fines and a secure payment system, and as such should be chosen carefully. Basic qualifications, like a relevant college degree and experience in compliance management, cybersecurity, data security, or PCI management, should be expected. Additional certifications to look for include:
- CISSP (Certified Information Systems Security Professional)
- CISM (Certified Information Security Manager)
- CISA (Certified Information Systems Auditor)
- ISA (Internal Security Assessor)
- PA-DSS (Payment Application Data Security Standard)
- PMP (Project Management Professional)
- QSA (Qualified Security Assessor)
Finding a good PCI manager can simplify the complex process of attaining PCI Compliance for larger businesses. If you’re looking to reduce the complexity of the PCI compliance process, also consider reducing the scope of internal systems that interact with cardholder data. Solutions like tokenization can remove cardholder data from internal systems while maintaining its utility, reducing PCI scope, and cutting compliance costs.