Achieving scalable PCI compliance beyond Excel is possible, says NewRocket


Key Takeaways

With the release of PCI 4.0 on April 1, 2024, Tier 1 merchants can now define custom compliance strategies, moving away from traditional spreadsheet methods which complicate data management and tracking.

Transitioning from manual tools to integrated platform solutions is essential for real-time insights and effective management of cardholder data environments (CDEs), enabling organizations to utilize their personnel efficiently.

Achieving PCI compliance involves a structured process including planning, system building, program running and scaling, with firms like NewRocket guiding organizations through each phase to ensure flexibility and reliability.

For Tier 1 merchants, complying with the Payment Card Industry Data Security Standard (PCI DSS) is crucial but can also be extremely challenging. PCI compliance involves procedures such as handling customer data, storing data securely and validating security controls, all of which are ethical responsibilities and contractual obligations for companies, and all of which need to be closely monitored.

To explore how to streamline PCI compliance while moving away from traditional and manual data handling through software like Excel, ERP Today tuned in to NewRocket’s webinar, “Go Beyond Excel, The Path to Efficient PCI Compliance for Tier 1 Merchants,” to define the best practices currently available to users.

New updates and industry changes

Tier 1 merchants had been waiting for the release of the newest PCI compliance standard for years, and as of April 1st, 2024, PCI 4.0 came out. According to Kirk Hogan, VP of technology, platform and integrations strategy at NewRocket, compared to PCI version 3.2.1, PCI 4.0 significantly impacted the strategies companies would use in their operational processes. In particular, one of the biggest differences between 3.2.1 and 4.0 is that it now allows companies to “define their destiny.”

In practice, this means that when you need something that works specifically for your organization, custom methods come into play. According to Hogan, the Security Standards Council has contemplated supporting custom methods because they can be complicated to handle in the controls matrix and targeted risk analysis. Trying to track them within a spreadsheet might force organizations to engineer components outside the scope of their core business. Additionally, 4.0 now also covers any bespoke systems or customer software, the inventory of which, as Hogan explains, can be a very difficult task to manage, especially with spreadsheets.

Why traditional ways are a no-go in the modern PCI environment

Apart from how the updates can be complicated to manage with spreadsheets and manual handling, NewRocket pointed out the specific challenges organizations face with PCI compliance.

Dawn Gustafson, director of business process architecture in PCL, IT and cyber at NewRocket, explained that those who are still working in spreadsheets and email are not making use of “the talented people that are supporting your PCI program today.” That is because they do not have real-time insights and the moment you collect the data from these sources, it becomes out of date the next minute.

“Moving off of those manual tools onto a platform solution is just going to help increase things significantly for you,” Gustafson said. “And then, your CDEs, your cardholder data environment, are you able to adequately articulate that and track it? Because if you’re not, then many organizations will still run a flat network […and] this isn’t a PCI tools thing to solve.”

Adding to how complicated the manual management of spreadsheets can get, Hogan continued: “Have you ever engineered the perfect spreadsheet? I know I have, but as soon as I moved it to some other network location, it broke all the links and the references and those little pound signs would show up, and that makes a fragile system. So we need something that’s encapsulated, that would give us that real-time update.”

PCI compliance with an integrated approach

According to Gustafson, there are five phases for organizations to complete to achieve PCI compliance.

First, start planning to establish clear goals and understand how they can be achieved in the real world.

Once the planning is set up, Gustafson said providers like NewRocket can help build out the systems to collect and maintain your inventory of technology and the CDE through a structured deployment method.

Next, the organization would move to the transition phase, where you would operate not just with the PCI team, but also with control owners – those people who could be, for instance, your internal audit group that can help you do independent reviews of your assessments, fueling important collaboration that can help better run your programs.

After the transition comes the phase of actually running the program. At this point, it is crucial not just to be able to build the solution but to maintain it. As Hogan explained, this means that the controls need to be reassessed, the tests need to be updated and the team needs to monitor whether any updates to the DSS are reflected in the solution.

Finally, in the fifth phase, companies should have the ability to scale – which is supported by platforms and advice from companies like NewRocket.

“Back to moving from 3.2.1 to 4.0, we needed to scale a solution. And we did it. We needed to be able to scale from a single CDE to multiple CDEs, and [the platform] can. So this is the area of the solution that we have been focused on so that you don’t have to focus on it. You can focus on your core business as well as your PCI compliance,” Hogan shared.

To embark on that journey, Gustafson explained that Tier 1 merchants have to build a business case, assess the current state of the business and build an action plan. Understanding internally who their stakeholders and decision-makers are, what state they’re in from the PCI compliance perspective and what this investment is going to deliver for their organization over time is the first important step in the process of achieving reliable, scalable and flexible PCI compliance.