The Retailer's Guide to Becoming and Remaining PCI Compliant
Change vs. Modification
Any retail organization that falls under PCI needs to actively monitor in-scope and critical files for change. These days, the number of changes that may have to be monitored can add significant administrative time to the process of identifying the key changes that are critical and significant to the security or compliance of the organization. A solution that can stop or block unauthorized change to critical assets will greatly reduce the administrative work of sorting through all the expected and unexpected changes.
The key point about identifying critical change is that it can greatly narrow the scope of ensuring the security and compliance aspects of PCI. Controlled change enables organizations to collect and track all affected in-scope assets and analyze critical change on the front end. Up-front filtering also helps provide the relevant and required data for auditors and assessors who need to demonstrate security control effectiveness to the retail board or audit committee. During assessment validation, and especially during a forensic investigation, change events tied to the business process save vast amounts of time and money when the data is ready and waiting, with no need to mine it out of the repository and filter it after the fact.
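The up-front filtering described above, as an added example that is not part of the original article: a baseline of SHA-256 hashes for in-scope files is compared against a later snapshot, each resulting change event is matched against approved change tickets (path pattern plus change window), and only the events with no matching ticket are left for review. The file paths, ticket numbers, timestamps and file contents are all constructed for illustration.

```python
"""Classify changes to in-scope PCI files as authorized or unauthorized.

Added example; not code from the original article. All paths, tickets,
timestamps and contents below are constructed sample data.
"""
from __future__ import annotations

import fnmatch
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class FileState:
    sha256: str      # hex digest of the file content
    mtime: datetime  # last modification time (UTC)


@dataclass(frozen=True)
class ChangeTicket:
    ticket_id: str
    path_glob: str   # in-scope paths the ticket covers (fnmatch pattern)
    start: datetime  # approved change window
    end: datetime


@dataclass
class ChangeEvent:
    path: str
    kind: str               # "added", "modified" or "deleted"
    when: datetime          # mtime of the new content, or scan time for deletions
    authorized: bool = False
    ticket_id: str | None = None


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def snapshot(files: dict[str, tuple[bytes, datetime]]) -> dict[str, FileState]:
    """Hash an in-memory view of the filesystem: path -> (content, mtime)."""
    return {p: FileState(sha256_hex(c), t) for p, (c, t) in files.items()}


def diff_states(baseline: dict[str, FileState], current: dict[str, FileState],
                scanned_at: datetime) -> list[ChangeEvent]:
    """Emit one event per added, content-modified or deleted path.
    A changed mtime with identical content is deliberately not an event."""
    events = []
    for path in sorted(set(baseline) | set(current)):
        before, after = baseline.get(path), current.get(path)
        if before is None:
            events.append(ChangeEvent(path, "added", after.mtime))
        elif after is None:
            events.append(ChangeEvent(path, "deleted", scanned_at))
        elif before.sha256 != after.sha256:
            events.append(ChangeEvent(path, "modified", after.mtime))
    return events


def classify(events: list[ChangeEvent], tickets: list[ChangeTicket]) -> list[ChangeEvent]:
    """Mark an event authorized when a ticket covers its path and its time."""
    for ev in events:
        for t in tickets:
            if fnmatch.fnmatch(ev.path, t.path_glob) and t.start <= ev.when <= t.end:
                ev.authorized, ev.ticket_id = True, t.ticket_id
                break
    return events


def unauthorized(events: list[ChangeEvent]) -> list[ChangeEvent]:
    """The review queue: everything no approved ticket accounts for."""
    return [e for e in events if not e.authorized]


def demo() -> list[ChangeEvent]:
    """Constructed scenario: one ticketed config change plus three unexpected changes."""
    utc = timezone.utc
    t0 = datetime(2024, 3, 1, 0, 0, tzinfo=utc)
    baseline = snapshot({
        "/etc/pos/app.conf": (b"timeout=30\n", t0),
        "/opt/pos/bin/payment": (b"\x7fELF-payment-v1", t0),
        "/opt/pos/lib/crypto.so": (b"\x7fELF-crypto", t0),
        "/opt/pos/lib/legacy.so": (b"\x7fELF-legacy", t0),
    })
    current = snapshot({
        "/etc/pos/app.conf": (b"timeout=60\n", datetime(2024, 3, 1, 2, 15, tzinfo=utc)),
        "/opt/pos/bin/payment": (b"\x7fELF-payment-v1-patched", datetime(2024, 3, 1, 23, 40, tzinfo=utc)),
        "/opt/pos/lib/crypto.so": (b"\x7fELF-crypto", datetime(2024, 3, 1, 12, 0, tzinfo=utc)),  # touched, unchanged
        "/opt/pos/bin/debug.sh": (b"#!/bin/sh\n", datetime(2024, 3, 1, 23, 41, tzinfo=utc)),
    })
    tickets = [ChangeTicket("CHG-1001", "/etc/pos/*.conf",
                            datetime(2024, 3, 1, 1, 0, tzinfo=utc),
                            datetime(2024, 3, 1, 3, 0, tzinfo=utc))]
    scanned_at = datetime(2024, 3, 2, 0, 0, tzinfo=utc)
    return classify(diff_states(baseline, current, scanned_at), tickets)


if __name__ == "__main__":
    for ev in unauthorized(demo()):
        print(f"REVIEW {ev.kind:<8} {ev.path} at {ev.when.isoformat()}")
```

Of the four changes, only the configuration edit inside the CHG-1001 window is marked authorized; the binary patch, the new script and the deleted library land in the review queue, and the touched-but-identical library generates no event at all, which is the noise reduction the text is after. In production the baseline would be hashed from disk and stored off-host, and the ticket list would come from the change management system rather than an inline list.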
Enforcement and Execution
The last suggestion for retailers attempting to stay on top of security and PCI compliance is to take a second look at their policies and procedures. Retailers also need to ensure that every stakeholder responsible for upholding those policies and procedures understands their respective responsibilities. It's imperative that everyone within a retail enterprise knows his or her part in the company's overall risk management strategy.
Any compliance or security program is only as strong as the people running it. A mechanism needs to be put in place that guarantees the distribution and consumption of the security policy. Compliance managers and auditors need a real-time status report on acceptance of the policy and completion of awareness training. A system that applies a trust policy focused on the critical business processes of the retail business can enforce consumption of the security policy and then track compliance with it.