One IT Professional’s Experience working with SecurityMetrics for their PCI 4.0 Audit

"Not my job." 

That's what Martin Kenny of InfoSend used to think when compliance audits first landed on his plate. As a network engineer, he expected his days to be filled with actual technical work like Linux administration, system management, and other IT tasks. 

But then Martin was handed a new assignment: "We need this risk assessment done. We need you to respond to PCI." Suddenly, Martin had to build a new understanding of PCI and the compliance world.

At first, Martin struggled with this new expectation and found himself asking, "Why am I doing this?" The world of compliance, especially the jump to PCI version 4.0, seemed overwhelming.

By partnering with SecurityMetrics, Martin gained the confidence he needed to tackle PCI compliance and complete InfoSend’s first PCI 4.0 audit.

Read this blog, based on the podcast “PCI DSS 4.0: One Organization’s Experience,” to learn how Martin tackled common PCI challenges, found new solutions, and discovered that PCI doesn’t have to be a solitary effort. 

Why Do IT Roles End Up Handling PCI DSS Compliance?

If you’re like Martin, you probably got into tech to build and troubleshoot, not to pore over regulatory documents. Yet, for many IT professionals, the world of compliance, like PCI DSS and SOC audits, becomes an undeniable part of the job. 

So, how do you pivot from your technical understanding of IT networks into the world of PCI compliance? 

For Martin, it began as a general “interest in learning new things,” with the understanding that “we also just need someone to do it. It makes everybody's job here easier if somebody can help guide it and has the knowledge behind it on what the expectations are.” 

Here’s why IT roles end up handling PCI DSS compliance and the skills they have that make them up to the task:

  • Technical Expertise: PCI DSS requires organizations to secure their sensitive credit card data. Who is better suited to evaluate those security controls than the employees who helped design, build, and maintain them? This makes IT professionals an obvious pick for heading PCI compliance. 
  • Smaller Organizations: Not every organization is going to have a dedicated GRC (Governance, Risk, and Compliance) department. This means existing IT and security staff will receive compliance responsibilities out of necessity. 
  • Compliance as Applied Security: The best compliance programs won’t just check boxes but rather demonstrate that actual security is in place. It makes sense that IT roles will be chosen because PCI is an extension of their existing security responsibilities. 
  • Customers Want Compliant Businesses: More and more, compliance isn’t just about meeting regulatory requirements; it’s a business decision. Customers want to know their data will be safe, and they will require their partners to hold certifications that prove their security. IT departments may be tasked with PCI compliance to meet this expectation.

What Questions Should You Ask When Choosing A PCI Assessor? 

Choosing the right auditing partner will impact your compliance journey, your ability to meet deadlines, and the overall burden of work you take on. Martin found that his relationship with SecurityMetrics, particularly working with skilled QSAs, made a world of difference when it came to navigating the new PCI DSS 4.0 standard. 

Yet, many PCI partners don’t want to do the hard work of actually getting you secure. It’s expensive and time-consuming to evaluate networks the way a threat actor would to see what gaps in security exist. So, how do you find a PCI audit partner that actually understands your organization’s environment, rather than one that only checks off the compliance box? 

Here are some questions you should ask a potential PCI partner to determine whether they are a good fit: 

  • Does the assessor have a strong technical background with the certifications to back that up? A strong technical background can ensure you get the highest quality PCI audit possible. Remember, the goal is a partner who can actually secure your environment, not just check you off for compliance. 
  • Can they point you to a satisfied customer who has a similar environment as your organization? A great PCI partner will have customer testimonials, case studies, and more that they can point you to. An excellent PCI partner will have specific customers who have similar security environments and concerns that can share their experience. 
  • How do they foster a collaborative relationship with you and your IT team? PCI compliance should be a group effort, and communication is key. How will your potential partner ensure you’re aware of the work they're doing and vice-versa? What tools do they have for keeping track of your PCI audit process and timeline?
  • What’s their experience with helping organizations achieve PCI version 4.0? PCI 4.0 was officially the standard in 2024, so there are many organizations that still don’t have sufficient experience conducting version 4.0 audits. You want a PCI partner that not only has successfully taken organizations through the 4.0 standard, but has the process down to a science.
  • Do they offer more than just PCI audits? Depending on your organization’s size and requirements, there may be a need for more than just a PCI audit. An excellent PCI partner will have dedicated penetration testing, forensic, HITRUST, and other regulatory teams. Even if you only need a PCI audit, you will benefit from a partnership that has these other options because it means they have a built-in network of experts who know more than just PCI. 

What does Martin think of working with SecurityMetrics? When asked if working with SecurityMetrics assessors was a collaborative effort, Martin replied, “It’s been great. We’ve gone with SecurityMetrics for the past six years because of our great experience.” 

Is On-Premise PCI DSS Compliance Still Possible in a Cloud World?

With the rise of cloud-only solutions, what happens when your entire infrastructure is on-premise? Meeting modern compliance requirements is an uphill battle when most third-party solutions are designed only for cloud integration.

Many compliance solutions and third-party tools are built with cloud environments (AWS, Azure) in mind, making it difficult for organizations with entirely on-premise infrastructures to find compatible solutions for their compliance needs.

A common question is: how can businesses with solely on-premise infrastructure find and integrate third-party solutions to meet PCI DSS 4.0 requirements, especially for areas like web page script management?

Martin shares his experience with this, saying, "A lot of the difficulty that I'm finding with the way our business is positioned is that we don't host anything in the cloud. Everything's done on-premises with our technology. So finding companies that can integrate with our on-premise technology for compliance solutions is difficult because everybody offers to tie in AWS or Azure and we don't use any of that. So, we'll look for something else. Luckily, SecurityMetrics was able to integrate and work with our on-premise needs.”

Feeling Overwhelmed by PCI DSS 4.0? Here's How to Start.

The journey to PCI DSS 4.0 compliance can seem overwhelming, especially if you're new to the regulatory landscape. But what if the secret to success is simply approaching it with the right mindset and leveraging available resources?

Choosing the right PCI audit partner is the key to a successful assessment and overall experience. Doing the work now to vet your partner can save you a lot of time and work later. So, Martin’s most crucial advice is to remember that "It's not that scary. If you're first jumping into it, it probably seems overwhelming. But, look at your auditor as somebody who's there to help you rather than somebody who's gonna try and trip you up. Ask your auditor questions and choose someone qualified. Just take it one step at a time."

Do you have an upcoming PCI audit deadline and need help? Speak with SecurityMetrics experts now and get the advice you need to reach compliance.
