Are you your own worst enemy?
I am frequently heard saying that PCI compliance (and strong security) doesn’t have to be as difficult as we imagine or make it out to be. What I see out there, however, are far too many individuals treating PCI compliance as a once-a-year burden…and sometimes they’re not even addressing it that frequently.
In reality, treating PCI compliance as an event actually makes you your own worst enemy. Of course the PCI compliance process will be a burden when it’s been compressed into a single moment in time! Not to mention that it sets up the organization for potentially devastating consequences.
A smooth ride involves regular maintenance.
I like to compare proper compliance and security to riding my motorcycle. Now stay with me for a moment, this will all make sense…
I find that being on the open road, feeling the wind rush past me, and being able to enjoy a moment without the distractions of daily responsibility to be quite a wonderful adventure. As a rider, it is also important to me that I am always as safe as possible and in compliance with the law. Each and every time I ride my motorcycle, I make sure that I have a proper helmet, gloves, riding jacket, boots, pants. I check to make sure my bike is fueled, tire pressure is appropriate, traffic conditions and weather are considered, etc.
When I get out on the open road, I must make sure that every decision I make is in the interest of my safety and the safety of others. If I stop thinking about safety and compliance with the law—even for a moment—I can suddenly find myself sitting in the back seat of a minivan as someone pulls out in front of me completely unaware that I was even there.
Take your time and enjoy the scenery.
Just like I enjoy riding my motorcycle, you can enjoy your day-to-day operations much more when you are operating with the confidence that PCI compliance and overall security bring. Just remember that PCI compliance is a set of ongoing activities and it will get easier to maintain once it becomes a part of your consistent processes.
The activities you’ll incorporate can vary depending on your PCI DSS scope, but some examples include scope validation, segmentation checks, bi-annual firewall reviews, active logging and monitoring, vulnerability scans, security awareness training, and policy and procedure updates.
These things are a lot like my ongoing safety and compliance checklist for riding. I recognize that there will always be temptation to disregard compliance and security…to put them on the backburner for quick results. However, I believe that risk is too great. It takes only a moment of non-compliance and poor security to lead to compromise.
The PCI compliance process is… a process.
Make certain that you are actively ensuring your compliance and proper security are achieved, and then ensure that you are always maintaining them. After all, the PCI compliance process is a process, not an event.