PCI Compliance: Practices to Achieve Savings

A recent article was published that proffered that companies need not hire expensive consultants to meet PCI compliance. The author goes on to detail that the best approach is to first – walk through the documents internally, and second – document your controls. I wholeheartedly agree that self-reflection and properly recording controls are absolutely pivotal to reaching compliance with PCI, and in fact you could apply this to any mandate or legal burden.

I feel, however, that the author has left a few stones unturned, and wanted to highlight additional practices (demonstrated by clients in the U.S.) that can maximize your efforts in demonstrating, maintaining, and operating a compliant control environment.

Align control environments and produce a single repository:
Organizations should consider how their existing control environments are deployed, and whether other attestation events will examine the same systems. It is very likely that the identity management system, firewall, logging servers, anti-virus, etc. that are identified as core controls for PCI are also applicable to SOX, FERC/NERC, and many others. So, identifying what controls are in place, and then producing a single set of audit documentation, can maximize the audit engagement and remove duplication.

Consider having more than one audit at a time:
Audits are done to examine a period of time in the past to validate that the controls are operating correctly. If audit events are stretched out over several months, then the test period in question shifts with each audit. While it is good for the organization to maintain an optimal level of compliance throughout these long audit windows, it is also extremely wasteful. Similar to the alignment savings, having to provide the logs of your LDAP server once instead of six times has obvious benefits and results in clear savings.

Assign an internal resource to conduct your PCI audit:
Merchants required to produce a report on compliance to VISA and the other card associations may hire an assessor, OR may do so through an “internal audit if signed by an Officer of the company”. That can translate to very large savings, both in audit fees and in the fact that internal audit departments (or assigned persons) will have greater knowledge of the business than an outsider. A note of caution to this savings recommendation – third parties come with experience of multiple environments (and therefore of the likely areas of weakness), and without the assumptions that come from being part of a company’s culture. Extreme diligence must be taken when internal resources are relied upon – especially if those assigned are the same people running the environments (the fox guarding the hen house).

There are many other areas of savings that can be achieved for PCI, and a larger number of practices for SOX and others… but that is for another time. I welcome any additional areas of savings people have seen!!

Best regards,

James DeLuccia IV

IT Compliance and Controls Book Release is March 19th 2008!! Pre-Order Today

3 responses to “PCI Compliance: Practices to Achieve Savings”

  1. I have heard many comments stating that the need for “high priced” consultants is not necessary while going through the compliance process for PCI. What I am seeing is, the road to compliance, while not hard, is time consuming and not always what employers are willing to spend time on. Secondly, a fresh set of eyes is quite often what is needed to ensure a company complies with PCI. I have been through ISO registration many times and this resembles it in many ways. It can all be done in house, but what are the tradeoffs? As the fines and penalties for not being compliant become heavier, the desire to get it done right the first time may be what tips the scales here.

  2. Society is facing problems with such laws. This has to go legal,
    and it needs to be sorted out at the earliest.

    Expert Savings Advice

  3. johnssmith5082

    Yes, I agree. Nowadays society is facing the problem…
    Best Savings
