This article looks at why PCI DSS cannot be divorced from the business, corporate governance and regulatory frameworks that already exist within an organisation, and the benefits of integrating it within a compliance framework.
PCI DSS often stands alone
PCI DSS is an important contractual issue for many organisations for whom payment cards are central to their business. It is often seen as a stand-alone compliance project, separate from or different to the other compliance areas that need to be serviced within the business. But dealing with PCI DSS separately or differently is often counterproductive.
Treating PCI DSS as stand-alone can:
- Waste valuable resources
- Obstruct overall continuity of the business
- Divert scarce business resources
Don’t divorce PCI DSS from your corporate governance framework
At Ascentor we strongly believe that PCI DSS shouldn’t be divorced from the business, corporate and regulatory frameworks that already exist within organisations, such as Internal Audit, the UK Corporate Governance Code (formerly the Combined Code), Sarbanes-Oxley and the Companies Act 2006.
These are some of the basic frameworks within which internal controls operate in businesses. To deal with one aspect of compliance outside of these frameworks is to weaken the overall structure.
PCI DSS and the continuity issue
PCI DSS can also have a continuity problem. In the first place a programme is set up to help the business become compliant – a programme manager is appointed, a budget is agreed and the project gets underway. The remediation is successful, the QSA signs off the Report on Compliance and the Merchant Acquirer is happy. Then it starts to go wrong. The programme manager moves on to other things, the project team disperses and things return to normal. And normal is not where we want to be.
Integrating PCI DSS within a compliance framework
Where we want PCI DSS to be is within a compliance framework. This will ensure that all the good work that has cost us so much is not wasted because a trivial mistake hasn’t been picked up by the internal control checks and balances.
We believe that every organisation needs an overall structure for internal control. This sets out the responsibilities and resources needed to maintain PCI DSS compliance as business-as-usual within an achievable governance structure.
Doing it this way will benefit IT departments who would otherwise be struggling to maintain PCI DSS controls within a compliance vacuum. It can also help the Board to keep a check on the big risks the company is managing.
In Turnbull’s interpretation of the Hampel Combined Code he sets out what it describes as a “sound system of internal control”, requiring organisations to demonstrate that their risks are understood and properly managed. These risks must include the potential for the loss or compromise of Cardholder Data, because the implications are so great.
What we need to do is to include PCI DSS within this overall compliance structure.
Article by Colin Dixon, Principal Consultant at Ascentor and leading authority on Corporate Governance and PCI DSS.