A Payment Card Industry (PCI) audit is an important event. Big companies spend upwards of $500,000 on the process and devote a lot of resources to it. They carefully shop for the right Qualified Security Assessor (QSA) to conduct the audit, engage their entire risk management teams to execute it, and convene internal committees and working groups to handle information requests. The process can take a several weeks (or even a few months), and the result is critical to the survival and success of the entire business. So passing a PCI audit is surely worth celebrating, right?
Free Download: How To Keep Your Mobile Safe From Cybercriminals!
Wrong.
Inside the industry, we know that actual PCI audit failure is rare. According to recent research from the Ponemon Institute, roughly 98 percent of companies achieve successful PCI audit outcomes. The problem, in my mind, is re-framing the definition of success. If a company views success as merely passing the audit, they have set an incredibly low bar for themselves.
It’s time to shift the conversation from pass/fail to considering smarter, more efficient methods of information security. With this in mind, a growing number of companies are moving towards continuous compliance, an ongoing process of proactive regulatory management that delivers predictable, transparent and cost-effective results to meet information security goals.
The centerpiece of any effective continuous compliance solution should be a portal or dashboard that offers real-time, all-the-time access to standard interpretations, performance against goals, violations and compensating controls. It’s a platform that allows risk managers to pre-qualify assumptions and interpretations with the QSA and speed the delivery of information during the audit. Continuous compliance addresses what is truly important:
– Demonstrating a level of compliance that actually matters to customers and prospects. In other words, creating a transparent, real-time, all-the-time assurance position that truly differentiates a company from competitors offering snapshot certification that may be invalid or obsolete the day after the audit.
– Introducing predictability, efficiency and cost-effectiveness to the auditing process. The traditional ebb and flow of the audit cycle is a costly and ineffective means of risk management. Given its 98 percent passage rate, a PCI audit should be completely predictable but instead often involves huge demands in human and financial resources. The missing ingredient is continuous monitoring that confirms compliance on an ongoing basis.
– Defining requirement interpretations and compensating controls in advance and as-needed. According to the same Ponemon Institute study, more than 40 percent of audited businesses would fail if they didn’t use compensating controls. Moreover, passage for a particular company depends on the requirements being consistently interpreted by the company and the QSA. With that in mind, companies should implement processes that advance those priorities outside the audit, thus eliminating costly surprises.
[wp_ad_camp_4]
To summarize: don’t celebrate PCI passage. Look for a continuous compliance solution that introduces transparency, efficiency and budgetable predictability into your information security management. With that in place, the audit will be a ho-hum affair.
Now that is worth celebrating.
By Jon Long, Director of Compliance Solutions, CompliancePoint
About CompliancePoint
The Direct Marketing Compliance practice group of CompliancePoint, a PossibleNOW company, offers consulting, audit and training services that help businesses mitigate risk and ensure compliance with the complex array of state, federal and international laws. The company’s focus on consumer regulatory legislation and privacy preference compliance lets customers reap the benefit of years of experience. Its teams can evaluate customers’ outbound consumer marketing operations against their best practices models to determine overall compliance risk.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.