Read this blog, based on the podcast “PCI DSS 4.0: One Organization’s Experience,” to learn how Martin tackled common PCI challenges, found new solutions, and discovered that PCI doesn’t have to be a solitary effort.
"Not my job."
That's what Martin Kenny of InfoSend used to think when compliance audits first landed on his plate. As a network engineer, he expected his days to be filled with actual technical work like Linux administration, system management, and other IT tasks.
But then Martin was posed with a new assignment. "We need this risk assessment done. We need you to respond to PCI." Suddenly, Martin had to build a new understanding of PCI and the compliance world.
At first, Martin struggled with this new expectation and found himself asking, "Why am I doing this?" The world of compliance, especially the jump to PCI version 4.0, seemed overwhelming.
By partnering with SecurityMetrics, Martin was able to gain the confidence he needed to tackle PCI compliance to complete InfoSend’s first PCI 4.0 audit.
If you’re like Martin, you probably got into tech to build and troubleshoot, not to pore over regulatory documents. Yet, for many IT professionals, the world of compliance, like PCI DSS and SOC audits, becomes an undeniable part of the job.
So, how do you pivot from your technical understanding of IT networks into the world of PCI compliance?
For Martin, it began as a general “interest in learning new things,” with the understanding that “we also just need someone to do it. It makes everybody's job here easier if somebody can help guide it and has the knowledge behind it on what the expectations are.”
Here’s why IT roles end up handling PCI DSS compliance, and the skills they already have that make them well suited to the task:
Choosing the right auditing partner will impact your compliance journey, your ability to meet deadlines, and the overall burden of work you take on. Martin found that his relationship with SecurityMetrics, particularly working with skilled QSAs, made a world of difference when it came to navigating the new PCI DSS 4.0 standard.
Yet, many PCI partners don’t want to do the hard work of actually getting you secure. It’s expensive and time-consuming to evaluate networks the way a threat actor would to see what gaps in security exist. So, how do you find a PCI audit partner that actually understands your organization’s environment, rather than one that only checks off the compliance box?
Here are some questions you should ask a potential PCI partner to determine whether they are a good fit:
What does Martin think of working with SecurityMetrics? When asked if working with SecurityMetrics assessors was a collaborative effort, Martin replied, “It’s been great. We’ve gone with SecurityMetrics for the past six years because of our great experience.”
With the rise of cloud-only solutions, what happens when your entire infrastructure is on-premise? Meeting modern compliance requirements is an uphill battle when most third-party solutions are designed only for cloud integration.
Many compliance solutions and third-party tools are built with cloud environments (AWS, Azure) in mind, making it difficult for organizations with entirely on-premise infrastructures to find compatible solutions for their compliance needs.
A common question becomes: how can businesses with solely on-premise infrastructure find and integrate third-party solutions to meet PCI DSS 4.0 requirements, especially for areas like web page script management?
Martin shares his experience with this, saying, “A lot of the difficulty that I'm finding with the way our business is positioned is that we don't host anything in the cloud. Everything's done on-premises with our technology. So finding companies that can integrate with our on-premise technology for compliance solutions is difficult because everybody offers to tie in AWS or Azure and we don't use any of that. So, we'll look for something else. Luckily, SecurityMetrics was able to integrate and work with our on-premise needs.”
The journey to PCI DSS 4.0 compliance can seem overwhelming, especially if you're new to the regulatory landscape. But what if the secret to success is simply approaching it with the right mindset and leveraging available resources?
Choosing the right PCI audit partner is the key to a successful assessment and overall experience. Doing the work now to vet your partner can save you a lot of time and work later. So, Martin’s most crucial advice is to remember that "It's not that scary. If you're first jumping into it, it probably seems overwhelming. But, look at your auditor as somebody who's there to help you rather than somebody who's gonna try and trip you up. Ask your auditor questions and choose someone qualified. Just take it one step at a time."
Do you have an upcoming PCI audit deadline and need help? Speak with SecurityMetrics experts now and get the advice you need to reach compliance.