PCI DSS and Corporate Governance Go Hand in Hand

This article looks at why PCI DSS cannot be divorced from the business, corporate governance and regulatory frameworks that already exist within an organisation, and the benefits of integrating it within a compliance framework.

PCI DSS often stands alone

PCI DSS is an important contractual issue for many organisations for whom payment cards are central to their business. It is often seen as a stand-alone compliance project, separate from or different to the other compliance areas that the business already has to service. But dealing with PCI DSS separately or differently is often counterproductive.

Treating PCI DSS as stand-alone can:

  • Waste valuable resources
  • Obstruct overall continuity of the business
  • Divert scarce business resources

Don’t divorce PCI DSS from your corporate governance framework

At Ascentor we strongly believe that PCI DSS shouldn’t be divorced from the business, corporate governance and regulatory frameworks that already exist within organisations, such as Internal Audit, the UK Corporate Governance Code (formerly the Combined Code), Sarbanes-Oxley and the Companies Act 2006.

These are some of the basic frameworks within which a business’s internal controls operate. To deal with one aspect of compliance outside of these frameworks is to weaken the overall structure.

PCI DSS and the continuity issue

PCI DSS can also have a continuity problem. In the first place a programme is set up to help the business become compliant – a programme manager is appointed, a budget is agreed and the project gets underway. The remediation is successful, the QSA signs off the Report on Compliance and the Merchant Acquirer is happy. Then it starts to go wrong. The programme manager moves on to other things, the project team disbands and things return to normal. And normal is not where we want to be.

Integrating PCI DSS within a compliance framework

Where we want PCI DSS to be is within a compliance framework. This will ensure that all the good work that has cost us so much is not wasted because a trivial mistake has slipped past the internal control checks and balances.

We believe that every organisation needs an overall structure for internal control. This sets out the responsibilities and resources needed to maintain PCI DSS compliance as business-as-usual within an achievable governance structure.

Doing it this way will benefit IT departments who would otherwise be struggling to maintain PCI DSS controls within a compliance vacuum. It can also help the Board to keep a check on the big risks the company is managing.

In Turnbull’s interpretation of the Hampel Combined Code, he sets out what it describes as a “sound system of internal control”, requiring organisations to demonstrate that their risks are understood and properly managed. These risks must include the potential for the loss or compromise of Cardholder Data, because the implications are so great.

What we need to do is to include PCI DSS within this overall compliance structure.

Article by Colin Dixon, Principal Consultant at Ascentor and leading authority on Corporate Governance and PCI DSS.
