The three stages of PCI DSS compliance program failure

Managing the changes introduced by PCI DSS v4.0 can be a demanding exercise, but it need not be a frustrating one. Insufficient planning is one of the main reasons projects spin out of control; it leads to unintended consequences and, in the worst case, to compliance program failure. Applying a suitable, comprehensive framework sets expectations, surfaces assumptions and helps produce a predictable, successful outcome rather than risk and uncertainty.

A program is a cluster of projects and ongoing operations that share a common goal and are managed in a coordinated way, so that benefits are achieved that would not be realized by managing the projects individually.

Security and compliance programs can fail in many ways, and poor performance has many causes. Program managers must identify and prevent, or overcome, numerous potential risks before and during program execution. PCI security compliance programs demand effective program management to maintain firm control and to keep the five components of The Security Management Canvas (discussed on page 32) aligned.


Avoid misalignment on goals.

Business and security teams should not hold different expectations about the goals of security and compliance. Shared knowledge, common understanding and aligned goals are of utmost importance: all parties must act as one team with a single vision of success.

The three stages of failure

The challenges organizations encounter, and the mistakes made during the planning and execution of PCI security compliance programs, generally fall into three stages of failure:

    Stage 1: Failure of vision

These are “why” mistakes. Participants in PCI security programs do not understand why they are engaged in PCI security compliance or what the overall goals are. “Why”-related mistakes occur when leadership fails to set a clear direction for security and compliance, with a clearly articulated vision of the goals and objectives needed to achieve the required outcomes. That vision is about achieving, and keeping, focus on executing the right prioritized objectives toward an aligned common goal.

    Stage 2: Failure of strategy

These are “what” mistakes. They occur when the CISO and team follow a security and compliance strategy that is not designed and executed in a way that delivers the results they want. The team may know why it is engaged in a PCI security compliance program and how to do the work, yet still choose the wrong “what” to make it happen. Revisit The Security Management Canvas (see Figure 3, page 33) to position the overall approach, and the individual components and elements within each of its five domains.

    Stage 3: Failure of architecture and design

These are “how” mistakes. They occur when the security team fails to build systems and a security and compliance control environment in which sustainable control effectiveness is designed in rather than bolted on afterward. This type of failure also happens when performance is not measured and details are neglected. A failure of architecture and design is a failure to execute on a good plan (strategy and program) and a clear vision. For additional insight, revisit the 9 Factors of Control Effectiveness and Sustainability and review how they should be applied (see the 2018 PSR, page 4).

Generally speaking, program success hinges on two fundamentals: a high-quality plan and effective implementation. A PCI DSS v4.0 implementation plan that stays on the drawing board is little more than a concept until the organization moves it from “concept design” to a tangible solution with measurable results. Effective implementation takes as much specialized expertise as developing the plan. The organization must have this program implementation competence in-house or turn to a specialized implementation partner for support.

    Proficiency: Skill and experience matter.

Organizations that manage large, complex security and compliance programs internally commonly lack deep knowledge of program management and implementation. It is a highly specialized, technical discipline that usually requires experts to help ensure success, and organizations often lack this expertise or in-house training because their core business lies elsewhere. An organization that chooses to build and support this competency internally needs intensive education in program management and implementation, including the processes and technical tactics for success.