A Payment Card Industry (PCI) Report on Compliance (ROC) is designed to test the effectiveness of the security controls that merchants implement to protect cardholder data.
Merchants that process more than six million card transactions a year or service providers who process more than 300,000 card transactions per year are required to undergo a PCI ROC assessment. Other companies may be required to complete a ROC at the discretion of the card company.
Failing a PCI ROC assessment can be a major blow, but it doesn’t mean the end of your company’s ability to do business. Our PCI experts provide you with five steps to recovering from a failed ROC.
Failed PCI ROC: Steps to Recovery
Following these five simple steps can help your organization secure its systems and return to being in good standing:
1. Notify Stakeholders
It’s important to notify both internal and external stakeholders of the situation promptly.
The list of external stakeholders that you need to notify is dependent on whether you are a Merchant or Service Provider.
If you’re a Merchant subject to PCI compliance, notifying your point of contact at your acquiring bank or payment processor is a priority. Additionally, your point of contact may want a timeline regarding when you’ll be compliant. This will be covered in Step 3.
If you are a Service Provider providing services to a merchant, it will be important to notify your customers of the situation as it may affect their compliance and the terms and conditions of your contract with them.
2. Identify the Issue
PCI compliance requires implementation of multiple security controls that fall under the 12 PCI Requirements. If you worked toward being in compliance throughout the year, the number of controls that may have been assessed as non-compliant may be fewer than if steps toward compliance were an annual event.
Identifying the underlying issue and understanding the cause – whether it was policy-related, or perhaps caused by a change in personnel – allows your organization to make the appropriate changes to meet compliance for the PCI re-assessment.
Compliance should be a year-round effort, not a short-term task. The PCI DSS refers to this as “business as usual,” and, like the PCI DSS, we recommend that approach for any organization subject to this compliance standard.
Significant changes may be needed in order to become compliant if there have been major infrastructure changes since the last assessment (e.g., deploying a Voice over IP (VoIP) phone system that is now in scope). Identifying the exact cause of the issue helps you focus and prioritize your remediation efforts.
Should an organization undertake a major change or changes to infrastructure, we recommend engaging a qualified QSA to perform a gap assessment. The results of such a gap assessment could inform your decision to submit a plan for an extension and potentially avoid a failed PCI ROC.
3. Make a ROC Recovery Plan
The PCI Security Standards Council has a tool to help prioritize the remediation effort. The Prioritized Approach for PCI DSS provides guidelines to help your organization speed up the process of securing cardholder data and becoming compliant.
The Prioritized Approach lays out six milestones that help to prioritize efforts to achieve compliance, establish milestones and lower the risk of cardholder data breaches.
After failing a PCI ROC or when requesting an extension, your point of contact at your acquiring bank or payment processor may require your organization to fill out the Prioritized Approach Tool listing all your milestones. Additionally, your point(s) of contact may want progress updates, and you may need to revise the plan due to unforeseen circumstances.
You should communicate your remediation timeline to the internal stakeholders and any external customers that may rely on the security of a service you provide.
While it may be important to move quickly to minimize the impact of the failed assessment, it is vital to take the time to properly plan, implement, and test the controls to ensure that a misunderstanding doesn’t cause another failed assessment.
4. Implement and Test
After the issue has been identified and you have developed a plan, it is time to implement the missing security controls. Take the time to properly test each new control to ensure that it is effective in mitigating the identified issue and that it does not reduce the effectiveness of other security controls.
Once the control is implemented and has passed internal testing, it may be a good idea to have an external entity perform a gap assessment to ensure your organization did not miss an unexpected result of the implementation of the new control.
Once your organization is confident it meets the requirements for PCI compliance, it’s time to schedule another PCI ROC assessment. Take advantage of access to your QSA to ask questions about your existing security controls and how they may be improved to meet and exceed current and future recommendations.
Getting Help with a Failed ROC
Failing a PCI ROC can be a stressful experience. It’s often difficult to understand why your organization’s existing security controls were insufficient for compliance.
Using a third-party certified PCI QSA is a great idea when working through the re-accreditation process.
Avertium provides a comprehensive set of services for helping you through every stage of the PCI compliance process. This spans from understanding the reasons for the issue to implementing new controls and getting you certified.