Regulatory compliance is about conforming to governance, operating standards, and laws. To achieve it, organizations must ensure that they are aware of each compliance standard and regulation that affects their business, and take the necessary steps to comply with them.
What is PCI compliance?
PCI compliance refers to the Payment Card Industry Data Security Standard, established in 2006. PCI DSS is a set of requirements for any company that processes credit card transactions. Those requirements stipulate how the business should process, store, and transmit credit card information or cardholder data. They also require businesses to take steps to protect financial data by implementing an information security strategy.
PCI DSS compliance is no minor detail for an organization. Failure to maintain PCI compliance can result in a lawsuit and fines for every month an organization is in violation. Fines can exceed $100,000 per month, and in extreme cases a business might lose its credit card processing privileges.
Moreover, non-compliance can leave a business vulnerable to data breaches and the compromise of customer payment data. Breaches bring the burdens of investigations, possible monetary penalties, civil lawsuits, and loss of reputation with your customer base.
PCI DSS compliance is governed by the PCI Security Standards Council, created by representatives from Visa, MasterCard, Discover, JCB, and American Express card brands.
What does a PCI compliance manager do?
The role of a PCI compliance manager is to assess the organization’s readiness for PCI compliance, create a program to achieve PCI compliance, and then monitor business activities to ensure the organization maintains its PCI compliance certification in the future.
The compliance manager can file for certification as a PCI-compliant business at one of four levels, each based on the number of transactions performed by the business.
- Level 1: This is the highest level, required for all businesses that process more than 6 million transactions on Mastercard, Discover, or Visa cards annually.
- Level 2: Required for businesses that process 1 million to 6 million transactions on Mastercard, Discover, or Visa cards.
- Level 3: Required for businesses that process 20,000 to 1 million transactions via Mastercard, Discover, or Visa.
- Level 4: The most basic level, required for businesses that process fewer than 20,000 transactions a year on Mastercard, Discover, or Visa.
Once the PCI compliance manager is ready to file for certification, he or she will use the PCI Self-Assessment Questionnaire (PCI SAQ) as a statement of PCI compliance to begin the process.
To whom does a PCI compliance manager report?
Depending on the size of the organization and the work it does, there may be a single compliance manager who handles all aspects of compliance, or there may be an entire team with various duties.
In the latter case, a PCI compliance manager would report to the chief compliance officer for the organization, or to whoever holds the most senior role in compliance.
Who is qualified to be a PCI compliance manager?
A PCI compliance manager should have experience in managing compliance within the PCI framework.
He or she should also possess a relevant college degree, experience in data protection or cybersecurity, and often, certifications or experience in additional frameworks or compliance aspects, depending on the nature of the business.
Additional qualifications may include:
- CISSP (Certified Information Systems Security Professional)
- CISM (Certified Information Security Manager)
- CISA (Cybersecurity and Infrastructure Security Agency)
- PA-DSS (Payment Application Data Security Standard)
- CHC (certified healthcare compliance) for those specifically working in healthcare
How do PCI compliance audits work?
All businesses that process customer payment information are subject to PCI audits by a third-party service provider, typically a PCI SSC Qualified Security Assessor (QSA).
This assessor will audit your business and administer PCI testing to ensure your security compliance measures are adequate.
Additionally, an Approved Scanning Vendor (ASV) can be employed to use a set of data security services and tools to ascertain whether a company’s payment solutions and point-of-sale payment processors meet PCI DSS external scanning compliance requirements.
If your organization passes the audit, you will receive PCI DSS certification, which indicates that the organization has taken all the necessary precautions to protect customer data.
How ZenGRC Can Help PCI Compliance Managers
As your business grows, managing and maintaining compliance will get more complex. The commonly used spreadsheets from your early days as a small business will become unmanageable, costing your program manager hours in lost productivity and significantly increasing the opportunity for non-compliance.
With ZenGRC, stakeholders, employees, and your PCI compliance managers have access to a single source of truth that covers all of your current and future PCI compliance risks.
ZenGRC’s user-friendly dashboards show you at a glance which risks need mitigation; track workflows; collect and store the documents you’ll need at audit time; and more.
Furthermore, the ability to gather documents rapidly and to monitor compliance saves man-hours and reduces the possibility of human error.
For more information on how ZenGRC can support your PCI compliance program, request a demo today.