Why You Should Go Beyond Checkbox PCI Compliance

By on

Click to learn more about author Rob Chapman.

One of the first books I ever read that wasn’t a school assignment was The 7 Habits of Highly Effective People by Stephen Covey. My father gave it to me shortly after he finished it, and it was the first real “grown-up” book I ever read. There are a ton of great ideas and tips in the book, but the one I remember most is from the chapter titled “First Things First.” There’s a 2×2 grid in this chapter that very simply lays out four quadrants to help you prioritize pretty much anything.


Learn, network, and future-proof your career at our most popular conference of the year – March 20-25, 2022!

I won’t break down the entire thought exercise here (the book does a great job of that). But the big “CliffsNotes” takeaway is that most people don’t spend nearly enough time in Quadrant II, where things are important but not necessarily urgent.

Part of that is human nature. Abstract threats or dangers that build up over a period of time just don’t generate the same level of concern as immediate threats. But they can quickly turn into urgent areas of risk if you neglect them. Ongoing processes (think journeys vs. one-time activities) such as PCI compliance and much of information security often fall into Quadrant II.

Is PCI Compliance Really a Priority for You?

If you ask anyone whether security and compliance are important, they’ll usually reply, “Yes.” That’s not exactly a controversial take. But if you dig a bit deeper, the facts don’t always align with that sentiment. It’s an entirely different story when you look at the PCI budget, the number of people dedicated to it, and the time spent on it. In other words, although PCI compliance is something all companies acknowledge, few tend to put their money (and focus) where their mouths are.

The ugly truth is that the incentives around PCI are somewhat skewed. Even when I’ve had to do an independent assessment with a QSA, I’m the one hiring the firm to do it. With the financial incentives being what they are, it’s no wonder you hear stories of people shopping their compliance around.

In fact, I once heard a CIO confess in a small gathering that he didn’t honestly know how they met their PCI requirements since he was intimately aware they weren’t actually meeting many of the technical controls. His take was that the company had simply found a willing firm to go soft on them to help verify their PCI compliance results.

Even if you ignore the ethical questions this raises, this type of approach can be dangerous in that it can give you a false sense of security. You receive your PCI AOC, and, all of a sudden, you think you’ve covered your obligations. But if you don’t have meaningful controls and practices to back it up, it’s not worth the paper it’s printed on.

Three Steps to Raise Your PCI Game

Hopefully, you’ve never seen any falsification in your environment. Still, it’s easy to fall into the trap of paying lip-service to security. So, how do you progress beyond checkbox PCI compliance?

Covey provided a good tip — examine the important things you’ve probably been putting off for far too long. You can start with these three steps:

1. Build your PCI compliance team. Even if it’s only a team of one at first, someone has to take responsibility for building your security program. This person should be empowered with authority from your company’s leaders. After all, anyone can put in all the programs, policies, and software you can imagine — but if they don’t have support from the top, it won’t mean anything.

2. Take an honest inventory of your environment. What is your security posture? This is the time to inventory your policies, equipment, licensing, digital assets, connectivity, vendor relationships, and your ability to monitor all these items. Knowing what you have and don’t have — and what you can and can’t do — will help you understand which gaps you need to fill.

3. Perform an honest risk assessment. What are the risks currently exposed in your company? What threats realistically exist? Being thoughtful about reducing risk and addressing those threats will provide an important lens to prioritize your efforts.

Build a Solid Foundation for Security and Compliance

Although there’s a lot more to a mature security program, having a team, an inventory, and an honest assessment of your risks and threats will typically keep you ahead of the competition. These elements provide a solid foundation on which you can build a great security and PCI compliance program.

If you’re looking for your next steps and more resources, I highly recommend the book Defensive Security Handbook: Best Practices for Securing Infrastructure by Lee Brotherston and Amanda Berlin. The authors do an excellent job of diving into the details and providing great resources to keep you from having to reinvent the security wheel.

Leave a Reply

We use technologies such as cookies to understand how you use our site and to provide a better user experience. This includes personalizing content, using analytics and improving site operations. We may share your information about your use of our site with third parties in accordance with our Privacy Policy. You can change your cookie settings as described here at any time, but parts of our site may not function correctly without them. By continuing to use our site, you agree that we can save cookies on your device, unless you have disabled cookies.
I Accept