Every year there’s a fire drill within companies to complete their Payment Card Industry Data Security Standard (PCI DSS) audit. That’s in addition to the quarterly chaos necessary to complete the vulnerability scans that are also a part of the PCI DSS requirements. The reason behind the scramble is two-fold. First, companies are still in the archaic mode of manually compiling cyber risk data—including compliance data—into piles of spreadsheets that are then stitched together in an effort to show that the company has met all its requirements. Second, some companies do not practice continuous compliance, only worrying about it when the time comes to “check the box,” which creates a last minute rush to gather that manually generated data.
Large companies have tens or even hundreds of legacy systems—some of which store the company’s most valuable information—that are in scope for PCI DSS compliance. The systems are owned by different technology, line-of-business and application owners, each with their own administrators and experts. Enterprise security is responsible for coordinating with all of these parties to conduct vulnerability scans, penetration testing and validation and many other things required by the PCI DSS. The effort is complicated by application owners who “ give the Heisman ” to the security department, and do not allow testing and patching to be conducted regularly, because they are concerned that it will impact their application’s availability. The underlying tracking of this process is often maintained in a governance, risk management and compliance system, but just as often ends up in a dizzying array of emails and spreadsheets being exchanged right up to the deadline for reporting.
In the best case scenario, the exchange goes something like this: