So, this is a first for me. I’ve never written (or been invited to write) a blog post before! My teenagers are nowhere in sight so here goes…
Tackling PCI DSS at Loughborough University
I’ve been working on PCI DSS and Payment Security for over six years and I thought I’d share my tips from my experience in gaining compliance in the hope of making others’ journeys less turbulent! Here are my top tips for survival... and sanity.
Tip 1: Put Together a Project Proposal (Without PCI in the Title!)
I had endless questions around compliance and so, with the help of some documentation on the SIG forum, I put together an Initial Business Case to my Head of Department stating the need for compliance. I was blunt (in a polite way obviously) and to the point – there was no leadership around PCI DSS, and it would be a good opportunity to assess our procedures and payment systems.
On the back of this success, I put a project proposal together entitled ‘Standardising and simplifying card payments across the network’. Now it doesn’t sound fun, but it also doesn’t have the words PCI DSS in the title. Those fateful words will instantly make everyone’s eyes glaze over. A QSA at a WPM Payment Security roundtable event gave me the great advice to omit those words in my project title and it worked!
Tip 2: Break it Down Into SMART Manageable Work Packages
However you approach it, and I hope you start it with a project, make sure you break it down into manageable chunks.
The first thing we did was assess our position in line with the PCI DSS Security Standards Council Prioritized Approach, so we could see what needed work first. Tenant Assessment was next – I didn’t want to find out that there were tenants taking payments on our network. This was followed by Card Data Discovery, which involves talking to departments, checking systems and emails for card data etc.
Finally we broke each requirement into individual work packages. This made it so much more manageable and less scary! Making each work package SMART (Specific, Measurable, Attainable, Relevant and Time-related), even if the time-related part was a long way off, helped greatly. Having the work packages made it so much easier to measure, achieve and time the work.
Tip 3: Collect Evidence (You Cannot be Proven Innocent Without it!)
At the start we had nothing! Really the evidence collecting can start before your project is even approved. The first job I had was to get a Card Payment Policy in place which stipulated what departments could or couldn’t use, processes and procedures including things like what to do if they wanted a payment terminal/what to do if it breaks etc. This took about 9 months as it needed to jump through all the usual university bureaucracy.
Expanding the very basic list of MIDs, getting network/data flow diagrams, creating a PDQ checklist for departments etc. were all needed. In addition, I created a site on our VLE for PCI training where we host the SIG SCORM package as well as downloadable documentation.
Tip 4: There’s no ‘I’ in TEAM. Get help!
Build a team. You are not Ethan Hunt, and yes, it feels like Mission Impossible, but you cannot do it all alone! Senior buy-in is critical (that’s where the project proposal helps), but you can’t do all the day-to-day work or decision making alone. Even if there are just a couple of people who know something about Payment Security and can back you up or help you gather evidence, this will help you greatly in the long run.
A point to note here, which I found invaluable: if you can, get a QSA in for a Gap Analysis and Assessment for your first compliance. This helped me understand the process so much more clearly, as I shadowed him for the whole three days. I learned how they work, and it gave me reassurance that I was on the right lines. It also helps that if your landscape does not change, you should feel more confident about self-assessing.
Tip 5: There Will be Issues – Take a Deep Breath, They Will be Fixed
There will be bumps along the way. There are three key issues:
- Understanding - What is PCI DSS? Keep explanations simple (use Payment Security not PCI DSS) with no acronyms. The staff training will help with this.
- People – There may well be some that think they can still go about things their own way, e.g. set up a new payment system or get a PDQ machine. Here at Loughborough we have a Software as a Service (SaaS) form for departments to complete for new projects that require software. We now have PCI related questions on there so it is clear at the start of the project and not an afterthought. For example, have we been provided with the 3rd party’s AoC?
- Time – Compliance is a slow (and continual) process, so when the Deputy Finance Director asked if we would be compliant by Christmas, 3 months after starting the project, I just laughed and said “which Christmas?” It took a good couple of years and it really needs to be built into a job role so it is a continuous process.
Tip 6: Join the SIG – it Really is Worth the Money
I expect many of you reading this already are, but I cannot emphasise enough how much the SIG helped me. They too are part of your ‘Team’ as everyone is in the proverbial ‘same boat’. If I hadn’t had the SIG I would not have had half the documentation for PCI DSS or the helpful advice from others on the Forum. It has also given me the training to be an ISA (again an invaluable tool in the pursuit of compliance). When you consider the cost associated with the ISA qualification alone SIG membership is a bargain!
Tip 7: Make Use of WPM's PSMS
WPM's Payment Security Management System (PSMS) is a really useful tool. It would have saved me loads of time if I’d had this at the start of compliance. Some key parts of it I really like:
- Templates – there are loads of templates in there for you to use/adapt to your Institution. I spent ages contemplating how to draw our workflow diagrams. The templates in the PSMS are already drawn, simple, clear and have information in there I would never have considered putting in.
- Compliance reporting – there is a section with the standard detailed out, with space for supporting/test notes, who oversees that requirement, dates tested and by whom. This is great as it automatically calculates how compliant you are when you complete it. It’s a one-stop shop in which to put all your compliance information.
- PSE Management – This is the part I use the most. It has MID analysis (that’s the first time I’ve ever managed to get the info from Finance so a massive win!), list of staff involved in payments, 3rd Party Suppliers and Device Management. Again, in here, there are bits I would not have considered putting in but are really useful.
- Evidence – Well it speaks for itself really. A single place you can store all your evidence.
Admittedly I am probably not fully using all parts of the system but for an institution just starting their compliance journey, it really is worth it. For those more established, I still think it is well worth using. Consider this - what if you left your Institution? Who else knows all the information about compliance? Not many, if any, I expect. At least with this system someone can access it and quickly understand your environment, where all your payment channels are and what they are being used for, your 3rd party suppliers, where and what all your payment devices are, policies/procedures, evidence and your last completed SAQ all in one place.
Tip 8: Don’t Give Up!
My final tip is don’t despair and don’t give up. Set time aside each week (maybe a day) that is dedicated to compliance. If you miss it due to other urgent work, make sure you make up for it the following week. This way it keeps it manageable and constant rather than a sudden whirlwind of panic!
Sometimes you may feel you are ‘flogging a dead horse’, but keep going; it is a marathon, not a sprint. We are all in the same boat and there are many people in the WPM ‘family’ who would be more than happy to advise.
Well, I hope you found those tips useful. If you have any questions or queries I’d love to hear from you. Feel free to drop me an email on firstname.lastname@example.org.
Jo is an IT specialist at Loughborough University, specialising in E-Payments and has been working in her current role for over 10 years. She currently manages the Online Store and oversees all university online payments. For the past 5 years Jo has been Loughborough’s Internal Security Assessor (ISA) and manages the university’s PCI compliance.