Your first step with any compliance effort should be figuring out if you need to comply with a regulation. Regardless of the state of the economy, no company wants to waste time putting in measures that you are not required to have. Once you have figured out if you need to comply and what your validation requirements are, you will be in a good position to make your case to management.

Once you determine that you have to comply, you need to look at the other compliance plans you have in place (if any). One sure way to fast track your PCI DSS compliance program is to leverage investments made for other compliance or security initiatives. Compliance and information security initiatives often overlap (as shown in Fig. 10.1) because most of the regulations are based on good business and security practices. So, pull out your Health Insurance Portability and Accountability Act (HIPAA) of 1996 and Sarbanes–Oxley (SOX) compliance plans, and figure out which components you can reuse for your PCI DSS compliance plan. You might find that you are already in compliance but need to document that the measures you have in place are consistent with the PCI DSS regulations. For more information on how common compliance initiatives overlap, see Chapter 14, “PCI and Other Laws, Mandates, and Frameworks.”

The best place to start to figure out how to leverage your other compliance efforts is to set up a meeting with the team leaders from that project. You need to get an idea of how the project performed and how it was accepted by management. The main point is to find out what the other teams have done in their compliance effort and see what elements you can bring over into your PCI DSS compliance plan. For example, HIPAA and PCI DSS both have rules regarding encrypting data. Can you use your encryption policy and procedure from HIPAA for PCI DSS compliance? That answer will come as you talk to your HIPAA compliance team leaders and review the policy and procedure to see if it already fits the PCI DSS encryption requirements found in Requirements 3.4 through 3.6. Your company policy for HIPAA compliance should mandate that you have encryption in place as you transmit protected health information across public networks like the Internet. PCI DSS Requirement 4 mandates the encryption of cardholder data as it moves across public networks. In this case, you do not need to recreate the wheel; you might just need to reclassify what type of data is required to be encrypted. Any efforts spent in leveraging your existing regulatory compliance will help to shorten the time it will take for you to become PCI DSS compliant.

Now that you are on your way to planning your PCI DSS compliance project, you need to figure out at which level you need to validate. Unlike other regulations that present you with an all or nothing stance on how to validate your compliance, PCI DSS validation levels are based on how many credit-card transactions a merchant processes or a service provider processes/stores as well as on other related items you already read in Chapter 3, “Why Is PCI Here?” The more transactions that are processed, the more validation activities you may have to perform.

For most organizations, validation consists of passing quarterly security network scans and completing an SAQ. If you process transactions in the millions, you need to have a QSA to validate your PCI DSS compliance through an on-site assessment. Remember, the five individual card brands set the enforcement requirements for PCI DSS, not the council. It is possible (by volume, but level reciprocity will make the merchant a Level 1 across the board) to be a Level 1 American Express merchant, a Level 2 MasterCard merchant, and Level 3 Visa Merchant all at the same time! To help you determine your merchant or service provider level, you can review the information in Chapter 3, “Why Is PCI Here?” Keep in mind, card brands frequently alter their programs, so before you go too far into this process, visit the links in Chapter 3 to get the most recent levels from each of the card brands. Or better yet, call your acquirer(s) and ask them to help you determine your level.

The question that should be answered during your justification process is: “What is the cost for not complying with PCI DSS?” In all cases, the costs (assuming the worst) associated with a breach far outweigh the costs of being compliant. Can your organization afford the fines and penalties, bad media press, and damage to its reputation? Breaches cost more during recessions as companies face dwindling or flat growth while doing everything possible to protect their cash reserves.

Your risk managers will tell you that the three things you can do with a risk is to resolve the issue, transfer the risk, or ignore the risk. The way PCI DSS states its 12 requirements – the only way to truly deal with the elements – is to resolve the issue or transfer the risk. Transferring the risk might mean that you outsource or bring in a managed service to deal with that requirement. Therefore, when you transfer the risk, you are still dealing with it indirectly. Ignoring the risk in PCI DSS is not an option. Even one noncompliant item in a Report on Compliance (ROC) or SAQ means you do not comply with PCI DSS. If you are compromised and found to be not compliant with PCI during the investigations, the fines are steep.

Management sponsorship is a critical success factor for any compliance effort. If senior management does not support the process, support from the staff will also be lacking. Why should they comply if your manager does not? As the leader of your compliance effort, you need to first work with your senior managers to make them aware of the issues and let them understand the justification of why they need to comply with PCI DSS. Make them understand the cost of noncompliance, and they will back you up as soon as they realize that the company could be in jeopardy for not complying. Start at the top, because the earlier you gain support from the CEO, the faster you will get support from the Vice President and other senior management.

Attempt to get a senior manager on your compliance team. When other employees in the company hear that he or she is part of the team, the entire project will get more support, which will help drive home the fact that the compliance effort is vital for the organization.

Your compliance team is the focal point of your compliance project and is responsible for the success of the project plan. The best time to create your team is after you have received corporate sponsorship. Many times people who heard about the compliance project from a manager and want to participate will approach you. You need to get a good mix of people on the team to make the most impact. The PCI DSS has 12 requirements that can touch different departments in your company, so be sure to include at least one person from each of those functional areas. For example, PCI DSS requires you to build and maintain a secure network; therefore, if you do not get a team member involved from networking, you cannot be sure that a firewall is installed or maintained going forward.

The best way to ensure a successful project and gain the respect from all levels of your organization is to get results fast (or at least score a few quick wins). As you are planning your compliance plan, you need to identify some low-level compliance issues that are relatively easy to fix and have your team tackle those first. People want to see results, and the faster you can show them results, the more confidence they will have in the project. If it takes you months to get the first item addressed, people might wonder if the organization will ever be compliant and become complacent about the effort as a whole, derailing all your efforts up to this point. Getting results early keeps the momentum and support moving in a positive direction for your entire project.

To give you a good example of how important it is to select the right team members, here is a real-world story of the first time Karen was on a compliance team.

Karen was approached by her manager, Christina, to help with the PCI compliance effort. Christina felt that Karen's knowledge would be an asset to the team. The team leader sent out a meeting request for the 10 team members, and Karen was excited to help make a difference in her organization. She showed up at the first meeting on time, ready to do what was necessary– even if it meant having to put in overtime to get the job done. That first meeting did not go so well. The team leader was 10 min late and only half of the team members showed up for the meeting.

During the meeting, Karen began to realize that none of the other senior managers were briefed on the compliance project, and some even wondered whether they needed to comply with these new regulations. Even though there was no senior management support, the team leader knew the company needed to get into compliance or face trouble. When Karen asked about the missing team members, the team leader thought that it was probably due to the lack of support from upper management.

After weeks of meetings, false starts, and many extra hours, the compliance team finally had senior management involved and then the wheels started to turn. The entire team showed up for a meeting for the first time, but they had to start over from the beginning. Karen and the team leader soon realized that the meeting lacked the right people for the areas need to become compliant.

After a few more weeks, the right people did get involved with the team, and miraculously senior management support was still there. The project took off like a wild fire. Karen's team did a gap analysis and figured out what needed to be fixed and hit the ground running. After months of trying to put the team together, once Karen's company had the team in place, they were able to knock out the entire project in 3 weeks. Just like the expression needing the right tool for the right job, you definitely need the right team for any compliance project you are attempting to pull off.

Setting expectations is a key factor when budgeting time and resources within your team. From the first stages of your compliance project, your team needs to know what to expect from you, other team members, and management. If this project is a priority one, the team needs to know that all other tasks are secondary until the compliance plan is in place. You also need to be sure you set the right expectations with management, so they know what to expect with the compliance plan.

Once a timeline is in place, it is important to set goals for the team on when key items should be complete. You want to make it very clear when project items are due and when parts of the compliance plan need to be in place.

Start by listing the goals of the project and assign those goals to team members. Make it clear when goals need to be met, as some will have prerequisites that must be finished before you can move on to the next task. Having goals in place will keep the project moving in the right direction. Set up milestones for success and publish your plan to everyone involved to keep them up-to-date on the project's status.

A good way to keep your time and resources managed is by using project planning software such as Microsoft Project, which allows you to create Gantt charts that map resources to goals (see Fig. 10.2). Gantt charts give you a way to easily report on your compliance project. If an item slips or is completed early, the chart will adjust and keep your project in line with the project timeline.

If you don't have Microsoft Project, some open-source equivalents are as follows:

A Web-based equivalent is:

The key to keeping your project on time is to have weekly (or daily if needed) team status meetings. The meetings should include your compliance team members and each should report on what they have accomplished in the past week and what they will be working on in the next week. These meetings also give team members a chance to compare notes and bounce ideas off each other if they are stuck on a problem.

You should also have status update meetings with senior management on a regular basis. Depending on the length of your project, the meetings should be, at a minimum, once per month. During these meetings, you can go over your goals and milestones, and show how the project is progressing. It will also give the senior managers a chance to give their input on the project and reinforce the support you need from them.

Be prepared to hand out copies of your working project plan Gantt chart. It will give a clear picture to your senior management team of where you are in the process and who is working on what issues. It is a good idea to send these charts to the managers beforehand to give them time to review the progress so that they can determine the guidance and support you will need.

When your compliance team meets for the first time, you should review common information for all members. Items should include the following:

You could even use this book's Table of Contents as a guide for your training, making sure that you pull out the relevant portions for the teams you are working with.

Training your compliance team will help them understand how the plan came together and how to execute it to make your organization compliant. It will also get all members on the same page about what PCI DSS is and why your organization is going through the effort. You want to remove all myths around the project and level the playing field for your team members, so they can be successful in making your organization compliant.

After your project is complete and you deem your organization to be compliant, you need to make sure the rest of the company knows that you need to maintain a level of compliance. You do not want to have a violation in the first week because an employee did not know about the need for compliance.

You need to put together a corporate compliance training program for all new employees and for existing employees to complete annually, which acts as a refresher course and also gives you a chance to present any information that has changed over the past year.

Be sure to set up your corporate compliance training program as an element of your compliance plan. Get the human resources department involved early on in the process to make sure that all employees of your organization receive the training. Many times you can leverage existing programs, like your current new employee orientation, to train existing employees.

The compliance training program is more than just creating a one-time training class for your employees. The following elements should be incorporated for a successful program:

With the right training programs in place, you can be sure that from the first meeting of your compliance team to the annual recurring training for your associates, your compliance efforts will have a lasting effect on your organization.

We know how to plan a project to meet compliance, but when it comes to PCI DSS, what are the specifics you should be looking at to become compliant quickly and efficiently? For an overview of the steps, see Fig. 10.3.