For the past few years my focus has been ensuring that the University of Strathclyde achieved PCI DSS compliance. Despite this, I have always had that nagging thought of “how do I ensure that this is maintained, driven forward, and built into ‘business-as-usual’ well after we complete our annual SAQs?” It doesn’t end when the SAQs are submitted, quite the opposite. In fact, there are lots of things to still think about and do!
First Steps: Achieving PCI DSS Compliance
As the administrator for our online payment systems I was asked if we were PCI DSS compliant. In all honesty I had no idea, and I began asking whether anyone in my institution knew anything. There was a varying degree of sighing and rolling of eyes each time I asked the questions. I started by asking our Banking Manager; after all, she was in charge of our merchant numbers. Quickly realising that she knew some answers but not all, I was directed to the IT department for those ‘techie’ questions.
IT's initial response was to ask why I was asking these questions and where they were coming from. With that I decided it was up to me to educate myself on PCI DSS, and I began attending relevant training courses. This was to help me improve my understanding of why we needed to be compliant and what we would need to do to become compliant, and so began my journey to achieving PCI DSS compliance.
My journey to achieving PCI DSS compliance is well documented and my in-depth advice and recommendations for becoming compliant can be listened to on the WPM Client Resources Portal*. This blog post however will highlight a few things that you should think about and what my next steps are.
What Was Missing?
We had achieved compliance, we had submitted our SAQs, but we knew we needed to do more. PCI DSS would only keep us compliant for moments in time. What could we do to ensure it happened year-round?
- Establish Ownership – You need to establish ownership of PCI DSS/payment security within the organisation. Not just ownership for overall compliance, you need to engage with the people who will actually do the required tasks throughout the year. Each department within the payment environment has to have a named member of staff who will be responsible for all audits, reports, etc., that are required. A clear chain of responsibility has to be communicated and understood throughout the organisation. Don’t make the mistake of thinking you can do it all yourself.
- Clear List of Requirements – You need to have a clear list of requirements that need to be fulfilled each year. Set reminders to ensure evidence is collected and audits are performed at the relevant intervals, by the correct staff.
- Document Your Locations - Information regarding all payment types, systems and ownership must be documented for all payment locations, even if you don’t need to report on them to your acquirer.
- Structure – You need to structure all this information in a way that can be understood and maintained by the owners within the institution.
- Strategy – Stop only thinking PCI DSS and start thinking about your payment security strategy.
- Collaboration – Start to work with other teams within your organisation. Payment security links more departments/functions than you might think: Data Protection, Information Security and Audit, to name but a few. Make sure their strategies are included in, and aligned with, your payment security strategy.
Now that we are achieving and maintaining compliance year-round, I need to continuously gather all the information in line with my points above.
I need to work with the Finance and IT teams to introduce and push forward a Payment Security Strategy, a strategy that is known across the organisation, not just within Finance and IT. I need to ensure that all departments know what is required of them, whether they have an existing payment system or want to introduce a new one. I want to make sure that the Payment Security Strategy is clear and consistent, and makes the process of maintaining payment security and ensuring year-round compliance as simple and clear as it can be. This strategy must also align with, and feed into, overarching strategies within the organisation.
Hopefully I will be able to come back and report on my progress soon.
Tracy Bennett is the PCI DSS Compliance Officer for The University of Strathclyde. She has led the PCI DSS compliance project within Strathclyde from initiation to recently achieving compliance earlier this year. She is also responsible for all online payment systems and is heavily involved in Payment Acceptance within the University.
*If you are a WPM Education Client, you will be able to access Tracy's presentation and more via the WPM Education Client Resources Portal.