20 Aug
City of Calgary: The Big Picture of PCI DSS Compliance
In this blog post, we get insights from Lynda Daniluk, PCI Coordinator at the City of Calgary. She will co-present in Vancouver on 30 Sept. about “PCI DSS Requirements 1, 0, 13 and 14: The Big Picture of PCI DSS Compliance.”
1. Can you tell us what prompted your session topic, the “Big Picture of PCI DSS Compliance?”
I chose this topic because it relates to a challenge I’m having right now. I’ve been PCI Coordinator since 2009, and I now qualify for full retirement. So, I’m trying to do some succession planning.
The finance department says, “This task really does belong to IT.” I’m adamant it does not (even though I came from IT)! Then the IT department says, “No, this belongs to finance.” So, even our corporation, which has been PCI DSS compliant going into our fifth cycle, is still struggling with who should do what.
2. What is the most common mistake people make with PCI DSS?
“I’ve learned the attitude of most of the people is, ‘We passed the audit. Well, good. We can go back to doing what we were doing.’ That’s not just a big mistake – it’s the way organizations get breached!”
Treating PCI DSS like it’s just an annual thing. Although you maintain PCI DSS compliance all the time, you want to make sure those responsible for it have gone through that full cycle.
Shepherding your PCI managers through an entire cycle helps them see what it really takes to get ready. You don’t want them to say, “It’s audit time. I better do this or that!” like checking the log files. You need to keep that message fresh with the business units. I do random audits for the entire year. They never know when I’m going to show up!
The goal is that they are doing this every day and it becomes part of their normal business process. I’ve learned the attitude of most of the people is, “We passed the audit. Well, good. We can go back to doing what we were doing.” That’s not just a big mistake – it’s the way organizations get breached!
3. What helps a security manager be successful at PCI DSS compliance?
Defining your PCI dream team.
You’re going to have finance, the people who handle the money, the people who negotiate with the merchant bank and the company owners. Then you have an IT project manager and a business project manager. Everybody reports to finance. That is your dream team.
Underneath the IT project manager you have the usual suspects: network, database, server, and security guys. The business project manager is critical for a large organization. We’re very diversified, with 22 business units that accept payment cards, and I have one representative from each one of them.
4. What are your thoughts on changes to PCI DSS?
Each new version has become more defined, with better clarity. It’s maturing. I kind of think it’s maturing the same way we are.
I praise the Council loudly for what it’s doing, like the recent changes to SSL and TLS. That’s exactly what we needed to do. I hope they’re going to continue to further clarify what those requirements mean.
Everyone seems to have a different interpretation of the requirements. You can ask four QSAs and get four different opinions. Clarification by the Council does not allow for misinterpretation.
5. The Community Meeting is in your backyard (relatively!) this year! What are you most looking forward to at this year’s event?
“Sometimes we think because we’ve always done compliance a certain way for 20 years, we don’t need to change it.”
When I went to the first Community Meeting, I met so many people who came up to me and said, “Hey! I heard about you, and how you did this!” They wanted to pick my brain, and I wanted to help them. I like helping people. I like sharing my horror stories with them and giving them another way to think about how to achieve PCI DSS compliance.
Sometimes we think because we’ve always done compliance a certain way for 20 years, we don’t need to change it. The Community Meeting gives you other, useful perspectives.