PCI yai yai!

If your business accepts or processes payment cards, it must comply with the PCI DSS (Payment Card Industry Data Security Standards). All businesses and merchants that store, process and or transmit card holder information are now required to be PCI compliant.

PCI DSS is a set of requirements for enhancing data security. This originally began as individual programs from Visa, MasterCard, American Express, Discover, and JCB. To facilitate the broad adoption of consistent data security measures Visa, MasterCard, American Express, Discover, and JCB aligned their individual policies to release the Payment Card Industry Data Security Standards.

In today’s economy, with merchants and business owners required to thoroughly evaluate operating costs, merchant processing fees are an area frequently overlooked. Evaluating and comparing merchant processing solutions including fees for services, such as PCI compliance for your business, can be well worth the time it takes and may result in considerable savings for your company.

Many companies are struggling with some of the same issues repeatedly around PCI DSS compliance and Governance.  First and foremost, companies need to know whom and how to pay for PCI Compliance and where the ROI is.  Second,  how do companies free up the System administrators to do what they pay them to do (administer systems that is).  Whether they be network engineers, UNIX administrators, or Windows administrators (to name a few); too often organizations have turned our technical assets into grumpy compliance administrators and/or control owners.  I think we all know how much system administrators just love to get involved in compliance and governance (can someone get Johnny form under his desk and let him know I’m not here for PCI, SOX and Audit).  Third, spreadsheets, spreadsheets, spreadsheets.  Did I mention spreadsheets?  I’m not sure about how much I need to elaborate here, but multiple spreadsheets housing your control environment assures that everyone is working off a different set of controls.

Too often we task our administrators to be owners of controls that are poorly written (often by other System Administrators).  Most times these controls are written very broadly and are not housed in a central repository (which, by the way, external auditors love to flag).  With broad controls the external auditor can test what they believe the control defines, often times leading to the entire control failing and thus having to be retested.  Additionally, we do not supply our System administrators with the correct tool set, what tools says Johnny.  We spend many times manually going through IOS Code, systems logs, Active directory logs, and of course spreadsheets to try to test controls and assure governance.

This is where IDMWORKS can come in.  IDMWORKS QSA’s can build a framework based on Risk Drivers, write general controls that can be applied to most standards, build automation into the process, reduce your external audit time by 50% (ROI), and assist you with writing solid test plans to execute.  Look at IDMWORKS as your tax preparer, but for Compliance and Governance.  Creating a new framework along with solid test plans assure a very efficient process to reduce the amount of time wasted by your external auditor during the testing of poorly defined controls.  Additionally poorly written test plans are part of this spiral of non compliance.  IDMWORKS takes a practical approach that will assure your PCI certification and reduced your audit cycle and costs.