Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.

Show Notes: Why Become PCI Compliant if You Don’t Process Credit Cards?


Quick Take

On this week’s edition of Compliance Unfiltered, the CU guys give the listeners an in-depth look at a topic that escapes most folks in the compliance space: the benefit of becoming PCI compliant even if you don’t process credit cards. Adam talks through the logistics and lays out a very compelling case as to why leveraging PCI makes so much sense.

  • Curious how PCI aligns with other standards?
  • Wondering how you can use PCI as your compliance centerpiece?

No worries, all that wisdom and more, on this week’s episode of Compliance Unfiltered.

Remember to follow us on LinkedIn and Twitter!


So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less. Now, here’s your host, Todd Coshow, with Adam Goslin.

Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the proverbial Martha Stewart to your compliance garden, Mr. Adam Goslin. How the heck are you, sir? I’m feeling like I got a dose of pumpkin spice about to come up and get you. I love it. Hard to beat the old pumpkin spicy spice. All right. With that in mind, today we’re actually going to talk about a topic that may seem a little off the beaten path, but actually applies to more people than you think it might.

And that is, why should you become PCI compliant if you don’t actually process credit cards? Now, it doesn’t seem to make initial logical sense, right, Adam? So, stage this up for the listener if you could. Sure. The interesting part about PCI is that, as an example, if you need to go down the path of HIPAA compliance, well, then use PCI. SOC 2, use PCI first. If you’re going to head down ISO 27001, hey, you guessed it. Head down the route of PCI. The PCI DSS was a standard that was written for a purpose. It stands for the Payment Card Industry Data Security Standard. And it was specifically designed for companies that are taking credit card payments. Back in the day, everybody was getting cheesed off with the fact that cards were getting stolen, there was so much fraud, etc., and thereby a standard was born. But why go up against PCI if you’re not actually collecting any credit card data? The reason is that PCI makes just about every other security standard easier to leverage and work with, takes work off of your plate, you can use it internally, you can use it with a consultant, and all of this can be done without the need to expend money on an assessor out of the gate.

So why does leveraging PCI make sense, though? Well, PCI for a long time has been one of the, at certain points, the most prescriptive and certainly is one of the most prescriptive standards available. So what I mean by that is that it’s telling you exactly what do you need to do, what is expected. You know, it is rigid and yet rigorous and it makes it, that’s part of what is the joy of what makes it so much easier to leverage, you know, than other than other standards. So, you know, let’s say the listener needs to go up against HIPAA or SOC 2, you know, the those standards are highly flexible. They are less prescriptive than PCI and they allow for customization of your own controls. And a lot of people sit there and go, well, hey, I can customize this up to do whatever I want. And this sounds, that sounds much better. And it’s deceptive. The reality is, is that, you know, you then are put in charge of deciding, okay, well, how do we fulfill, you know, the requirements of HIPAA or the requirements of SOC. So, you know, if you, as an example, you know, to kind of display this variability, if you were to take, you know, a handful of different SOC engagements and compare the reports to one another, none of them look the same. And the reason why is that every organization, you know, kind of chose to do their things their own way, you know, kind of cure items, however they saw fit for their organization. You know, the quality of those engagements effectively comes down to who’s your assessor? You know, how are they going about ensuring that the criteria is truly fully covered? You know, and, you know, with HIPAA in particular, there isn’t a governing body to validate, validate compliance despite some of the organizations in the marketplace that would try to market their way to making you think otherwise, the bottom line is that there isn’t any type of governing body for HIPAA. 
So it gives those organizations a lot more latitude and also variability in approaching that particular standard. You know, those less prescriptive standards afford that flexibility, but it also makes the process, you know, more complicated and more uncertain because you’ve got to go through and figure everything out yourself. When all is said and done, you’re not absolutely sure that your efforts are going to be rigorous enough for real-world cyber risks, but with PCI, you’ve got this series of extremely prescriptive controls for how to handle things, so things like access control. If you go to HIPAA, there’s a requirement, and I don’t want to misquote it, that says something along the lines of “in a secure and validated manner.” Well, that leaves it wide open for interpretation, where you go over to PCI and there’s literally whatever 30-something actual controls that will ensure that the essence of that statement is actually in place. When you’re starting with those less prescriptive ones, you’re bound to go in, take a shot at your controls, and then have to go back and redo things, etc. Part of the problem is a lot of organizations will take an approach to these less prescriptive compliance standards of trying to do the least they can humanly possibly do. That notion kind of cuts in two ways. One is this minimalistic approach that you took to this directional standard, is it going to ultimately protect the organization? That is the one big open question mark. And the other is the minute you try to go use the work and the effort that you’ve done to try and map it off against secondary standards, you’re going to fall short. Right, it’s going to be all over the map.

Yeah, exactly. I got to ask, does aligning to PCI DSS truly make certifications easier? Well, give me just a moment. Yeah, so what I was in the midst of is that if you’re starting with HIPAA, you’re not going to be able to readily map it to those secondaries, but in the case of PCI, you have a framework where the technical controls are going to dwarf the directional requirements of those sub-standards. So even if you don’t need PCI by itself, leveraging PCI will make it ultimately easier for the organization. The reason being that yes, it does make compliance with other certifications far easier, because you can readily map those prescriptive controls of PCI to even the directional controls of secondary standards. So I can readily layer PCI on top of a HIPAA or on top of a SOC, and especially in the HIPAA case, the PCI is basically going to cover the technical requirements of HIPAA. It’s going to cover probably 85% of a SOC or an ISO type of thing once you go down and get all the mappings done. So the time and effort you end up saving by heading down the PCI route effectively stages the organization for ultimately being able to kill multiple certifications off with a single stone and do so efficiently. Most of the other standards, we talked about the SOCs and the ISOs, but it doesn’t matter, NIST, CMMC, any of those other standards, yeah, there’s always going to be a few items that you can’t directly map off to PCI, but the bulk of it is effectively covered, which is a big deal, especially for those organizations when they have multiple compliance standards to comply with. You can go in, do all your work and effort once, and then apply it against a series of standards. It really works out well.
If you take the totality of the controls from PCI and the secondary leftovers from any of the additional standards, that allows the organization to set up nicely to take on additional layered standards. I mean, we’ve talked about it before, where for a lot of organizations, they kind of step into the security and compliance space by getting a mandate that they have to do one. And then next thing you know, whether it’s three months down the road or two and a half years down the road, whatever, they get another requirement for another certification or a new one pops up for the industry that you’re in, etc. So it just really stages the organization to be able to navigate that path far easier.

Talk to me a little bit more about how the listeners can use PCI as their centerpiece. Well, I’ve often had this notion of kind of like, one cert or one standard to rule them all. You know, the reality is that PCI does a great job at being able to map off to those secondaries. The benefits of the organization heading down the PCI route, doing a little more work to get all of the controls cleanly in place and now having something you can actually leverage, you know, will have benefits for years down the road. You go ahead and you get all the PCI stuff in place and then all of a sudden somebody comes to you and says, hey, we want you to be HIPAA compliant. Well, no problem, check, we’ve got all the technical controls. And now we just have a couple of leftovers specific to HIPAA that we’ve got to go through and take on. You know, I was recently on a call with a client that was currently compliant with both PCI and HIPAA. And they came around and they said, hey, we’re getting some mandates and we want to start looking into and staging for aligning with CJIS, which is the Criminal Justice Information Services security standard, CMMC and SOC 2. So they had these three that they were getting pressure to go get. And because of the fact that they had a solid foundation of controls from PCI, they were able to easily go in, layer over those engagements, identify the leftovers and kind of cure those, and now they can quickly pivot as the landscape of their client requirements or industry requirements changes. It literally was a game changer for that particular organization.
You know, one of the things that I have said to folks, and this is one of the benefits of the kind of tooling that you use for the approach to your security and compliance.

Starting off with something like a PCI, yep, you can go in and use that standard. But then when you start layering on these secondary ones, you know, I’ve talked several times in this discussion about leveraging PCI as the centerpiece, addressing the leftovers of the other certifications, etc. What I would typically guide people to is, whether you’re working with an assessor or you’re working with a compliance consultant, as you start to layer on those additional requirements, one of the benefits of good compliance tooling like the TCT portal is that you can go in and say, okay, well now I want to go up against these five certifications. The various assessors or consultants that you’ve got, they should be able to go in and get you the answers for, all right, the stuff you’re already doing for PCI and HIPAA, that’s going to cover these check boxes. These are the additional items that we need to also meet. And effectively put together an overall matrix for the approach to compliance, where you can end up having a unique list of requests and controls that we need to make sure that we’ve got in place, covered through policy, etc., and in the tool, create kind of your own custom list within your tool set, so that you can basically go and collect this stuff once, but then map it off against those secondary standards. So in the case of the client I was just talking about, they could put together a unique collection list for everything that they needed to cover PCI and HIPAA and CJIS and CMMC and SOC. And then with that kind of custom list that they gather on, if they’ve got the mappings to the actual certifications systematically, we can go in and say, okay, this item off the custom list maps to these items in PCI, these items in CJIS and these items in SOC 2, etc.
So it really gives the organization a way to dramatically improve the speed and efficiency, because when you start doing two, three, four different certifications, man, shit grinds to a halt, you know? We’re using the same evidence across a myriad of requirements, across a myriad of standards. It gets really complicated really fast, and that’s really where the power of your compliance tooling comes into play. It really makes a game changer style difference for these organizations.
Parting shots and thoughts for the folks this week, Adam. So yeah, when I founded Total Compliance Tracking, and here’s the thing, this topic is very near and dear to my heart. Total Compliance Tracking, or TCT as I like to call it, was hardly, especially in the beginning, doing anything with credit cards at all. Now, we’ve layered in some credit card capabilities since that time. But when we started, one of the first things that I did was I leveraged PCI, even though we weren’t taking credit card data at the time. I made that decision. So I have founded multiple organizations, and it is truly one of the most difficult things that I’ve ever had to do in my life, basically bringing a company from nothing to something twice. And it’s an extremely challenging task. And as a founder, as an owner, as a CEO, it’s my job to do whatever I need to do to protect this organization and their clients. And I take that responsibility seriously. It’s also my job to protect the people that are depending on the organization. We’ve got vendors that we work with. We’ve got, probably most importantly, the personnel that work for TCT. All of those responsibilities I take tremendously seriously. And so the overall strength of your security and compliance program should be the most important element of leadership’s job for an organization. We’ve talked about it before. Cyber liability insurance isn’t going to be a magic bullet. It’s not going to automatically proactively protect the organization. Yes, it will help if the worst happens, and mitigate some of the monetary losses after some type of a disastrous event. But the cyber liability is going to do nothing to proactively protect the organization.
So becoming PCI compliant, taking those security and compliance responsibilities seriously, is perhaps one of the single most effective ways to proactively protect your organization and your organization’s sensitive data from a breach, even if you’re not processing credit card information. So in the grand scheme of things, certainly I’ve recommended to a number of clients to leverage the framework of the PCI DSS to be able to improve the state of their organization. And certainly it sets them up for the future when they do have those secondary certifications that the organization needs to go in and get addressed.

And that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow. And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.
