Reaching the milestone of PCI DSS compliance is a big thing – a great achievement (and relief) for both company and the security team – but staying compliant is the next challenge. And, it is a challenge that won’t go away. Planning, scheduling tasks and analyzing are key factors for success.
It may sound easy after the first audit, but if you plan to expand your business, the parameters will not stay the same. Customer requirements, competitors, innovation and new trends in IT will change the way you do and handle your business. These factors will affect your scope, as well as security, and will probably introduce compliance gaps into your organization.
In my years of living with PCI DSS, the most common approach I have seen for achieving compliance is to handle it as a project, adding a layer of security over the existing application and trying to make it work. It will work! However, it will cost you more in the long run, in terms of money, time and resources. And, on top of that, this approach is difficult to manage.
Building sustainable PCI DSS compliance requires it to be more than a project. The required amount of effort is very high at the start, but the good work and sustainable infrastructure will pay off in the long run. It will end up being more cost effective, sustainable, automated, time saving and easy to manage.
A sustainable compliance approach should be treated as part of the business, not just as a yearly activity, which most likely is a very stressful one. The PCI DSS components and requirements should be integrated within the application rather than topped up in layers, and should be taken into consideration before you expand your business horizon.
To achieve sustainable compliance you need to come up with a framework for governance and control, a compliance and scoping plan, and a responsible team to drive, review and embed these working practices in your daily routine.
To conclude, a well-maintained compliance culture will carry your company through its audit, avoid unpleasant situations with auditors and spare you the audit rush. There is no way around it: compliance is an ongoing process.