Asia-Pacific Community Meeting speaker Swati Sharma, QSA, CISSP, CISM discusses the payment security challenges and the new Associate QSA program.
Studies have shown that organizations struggle to maintain ongoing compliance. Why is this and what can be done to improve this challenge?
Swati Sharma: If you ask me, the lack of foresight to integrate this at the planning stage causes it. Industry research shows that organizations that integrate PCI DSS compliance into their security process have yielded better business benefits. An ad-hoc approach or short-term goals don’t really take organizations very far.
When organizations plan for PCI DSS compliance and allocate proper resources, including teams and budgets, with the right strategic view, they are able to maintain ongoing compliance. Organizations with PCI DSS governance programmes have been successful in overcoming the struggle of maintaining PCI DSS compliance.
Identification of changes in the technical or business environment, or in the standard, should be done at the appropriate time so that the required compliance action plans can be executed. Having a workforce equipped with PCI-credentialed people like ISAs and PCIPs can help to maintain ongoing PCI DSS compliance.
It is worth taking advice from your QSAs on controls, as they can provide suggestions on ‘compliance by design’.
Are there added challenges to maintaining compliance when dealing with an offshore and outsourced environment?
Swati Sharma: Interesting question! Let us unravel this complex question by splitting out the risks that a typical offshore and/or outsourced environment will usher in. Local laws, culture, and a lack of suitable contractual/legal language/clauses could derail compliance. The choice of the right-fit, secure supplier is a significant step forward in an ideal world.
As if the above were not complicated enough, not addressing third parties’ and outsourced entities’ PCI DSS governance will negatively dent the goal. Outsourcing does not transfer risk.
On top of that, not adding third parties and outsourced entities into the organization’s PCI DSS governance program and not tracking their PCI DSS compliance can defeat all the PCI DSS compliance efforts. The assumption that responsibility for maintaining PCI DSS compliance can be outsourced or completely transferred can be a blunder.
What is the danger in viewing security with a check-box mentality?
Swati Sharma: Despite being a single standard for all the different types of organization, the context of the organization introduces different types of risk that demand customized solutions and a fresh approach to a clear-cut requirement. You may have noticed that scoping in PCI DSS is different from many other standards. The check-box mentality gives a false sense of security and could put organizational goals in jeopardy. In my opinion, the check-box approach is a sure recipe to invite security attacks and issues. I have seen many organizations that rushed to achieve PCI DSS compliance when it came as a push in the form of a newly signed service contract, with PCI DSS being one of the check-boxes that had to be ticked to achieve the main business objective.
As a seasoned QSA, what are your thoughts on the Council’s efforts to help attract cybersecurity talent to the payment card industry with the recent introduction of the Associate QSA program?
Swati Sharma: The efforts from the Council are much needed and seem to be going in the right direction to help the industry address skill-gap requirements. But bringing in fresh talent while meeting quality standards is no mean feat. In-house training to hand-hold the new assessor on the block will help to take the program further.
I strongly believe that it is an opportunity for both QSA companies and security professionals who are keen to build careers in the PCI domain. This will ensure the right blend of experience and new, innovative ideas. It is also very important to maintain the sanity and quality of PCI DSS assessments, and the Associate QSA program can make sure that a new joiner has a sufficient level of learning and exposure before they can lead PCI DSS assessments.
What is the one key takeaway you hope attendees will come away with after your discussion?
Swati Sharma: The attendees will get to hear first-hand experience of the complexities and the possible PCI DSS governance strategies they could adopt and tweak to handle offshore and outsourced environments.
Want to hear more insights from regional and global payment security experts? Attend the next PCI SSC Community Meeting on 23-24 May in Tokyo, Japan.