Walter Conway
PCI Philosophy

PCI is a business issue. It is not a technology issue, and there is no single technology solution that will make your institution PCI compliant. Because it is a business issue that affects the entire institution, PCI compliance calls for a multidisciplinary team including at least Finance, IT, and likely Internal Audit.

There are two fundamental realities of PCI. First, your costs of card acceptance will go up. This is not a surprise, because you have additional work to do, and you may decide to outsource some processes you currently perform internally. Your costs may go up a little or they may go up a lot, but they will go up. Second, you will change the way you take payment cards. It is likely you have cardholder data stored on your campus. While this is permitted under PCI, if you retain cardholder data you need to protect it. This is where things get expensive, so you may find a better approach is to change your procedures, limit the data you retain, and even restrict how you take cards.

I believe that while there are no bad questions, there are “right” and “wrong” questions about PCI compliance. Examples of wrong questions are: what firewall do I buy; what merchant level am I; which employees need a background check; how long do I retain my logs? My point is that before you even begin to address these questions you should take a step back and look at your institution and your payment practices and policies.

Examples of some “right” questions are: does my institution want to be in the card processing business; where are my risks; how do I minimize the scope of my PCI effort; how do I get started? Asking these strategic questions – especially limiting your PCI scope – allows the team to focus on those processes and merchants that need to be changed rather than simply dealing with things as they are. Remember the second reality of PCI: you will change the way you take payment cards.

By applying this philosophy we ask the difficult questions up front and avoid wasting time and effort on areas that may not even apply to the institution and its card acceptance environment.

  © 2010 Walter Conway  All Rights Reserved