I’ve spoken with several people in the past few months who have come right out and said that they believed they were not compliant with the PCI DSS and were simply unsure what to do. Their questions were basically the same: what should we do first, who should we tell, how long will this take, and the most popular – how much will it cost to become compliant?
While these are all great questions, given the circumstance of knowing you’re not compliant, the most appropriate question to be asking is: how much would a breach cost my company? A quick search reveals that the fines and costs associated with a breach can become tremendous. From the Incident Response & Forensic Analysis investigation, to the actual fines imposed, to remediation, to damage to the brand’s reputation, some businesses never recover.
While there is no real answer to how long it will take or how much it will cost (as both vary greatly depending on your specific situation), the first two questions may be a bit easier to answer. What to do first & who to tell? Depending on how you know you’re not compliant & what your requirements are (based on your merchant level), the first thing to do & who to tell can be accomplished in one step. Call a QSA, let them know your situation, and get some sort of PCI discovery / audit done. Guessing (or doing nothing) will only make matters worse. With these initial steps complete, you can do the next best thing: create a schedule and plan for compliance. Be realistic, yet aggressive – and follow through on your plan.
Solid advice across all merchant levels is to integrate PCI compliance into your Information Security Management System. Integrating compliance into your overall strategy helps to establish security as a baseline rather than an objective or goal. Talk with your security company about getting into a program that not only addresses PCI compliance, but establishes overall security as a company-wide priority, complete with management buy-in.