Can’t Stay PCI Compliant? Consider a PCI Charter
Posted by: Carla Brinker
Does this sound familiar? You’ve received your Report on Compliance (ROC), but you’re dreading the next assessment because you know things have slipped. Why? Because PCI is a lifestyle. Every day. Not just a once-a-year event. It’s time to make PCI a lifestyle within your organization, and for that to happen, the tone at the top has to drive compliance. The PCI Council recommends that a PCI charter be established that assigns responsibility for the PCI program. For service providers, it is actually a requirement: PCI DSS Requirement 12.4.1 calls for executive management to establish responsibility for the protection of cardholder data and for a PCI DSS compliance program, including defining a charter for that program and communicating its status to executive management.
The charter is a formal document that is reviewed at least yearly. It assigns overall accountability for keeping all account data secure and for the PCI compliance program needed to achieve that. It outlines the purpose, goals, and responsibilities of the PCI compliance program and serves as a guide for the overall strategy to achieve and maintain compliance.
A well-written PCI charter should include the following elements at a high level:
- Introduction: A brief overview of the purpose and importance of the charter.
- PCI Compliance Objectives: A clear definition of the program’s objectives and the specific outcomes the organization hopes to achieve through PCI compliance.
- Responsibilities: A clear assignment of roles and responsibilities for PCI compliance activities, including who is responsible for ensuring that the organization complies with PCI standards, and who is responsible for performing regular risk assessments and security control oversight.
- PCI Compliance Processes: A description of the processes and procedures that will be used to implement and maintain PCI compliance, including the steps involved in conducting targeted risk assessments, implementing security controls, and performing regular audits.
- Data Security Measures: A description of the data security measures that will be used to protect payment card information, including encryption, firewalls, access controls, and monitoring.
- Training and Awareness: A description of the training and awareness programs that will be used to educate employees and stakeholders about PCI standards and the importance of data security.
- Communication Plan: A plan for communicating PCI compliance activities and results to stakeholders, including employees, customers, executive management, partners, and regulators.
- Review and Update: A plan for regularly reviewing and updating the PCI charter to ensure that it remains current and relevant.
Once written, the charter also defines what must be communicated to executive management, and how often: for example, the status of the compliance program, open findings, and significant changes to the cardholder data environment. How “executive management” is defined is unique to each assessed entity. It might be the C-Suite, the Board of Directors, or a PCI Steering Committee that reports to the Board. A PCI Steering Committee oversees the work required to incorporate PCI compliance into business as usual. The Committee meets quarterly (more often if needed), maintains minutes, and reports to executive management.
A PCI charter and a supporting committee are essential to a PCI compliance program. Together they provide a clear, concise framework for implementing and managing the PCI DSS controls and help ensure that the organization meets its compliance objectives. By including all of the elements listed above, organizations can ensure that their PCI charter provides a comprehensive guide to their PCI compliance program, and a clear declaration from executive management that compliance matters.
If you’re struggling with getting and/or staying PCI compliant, it may be the tone at the top that needs some help or support. Contact GuidePoint for assistance in driving a top-down approach to PCI compliance.
Carla Brinker
Principal Cybersecurity Consultant,
GuidePoint Security
Carla Brinker, Principal Cybersecurity Consultant at GuidePoint Security, began her career in the security industry in 2000. Her professional experience includes PCI assessments ranging from Fortune 25 companies to small companies, risk assessments, IT governance, oversight of new control implementations, technical writing, and security education. She has both led and participated in assessments for industries such as banking, retail, ecommerce, and hospitality, and has managed teams of consultants delivering information security services. Carla holds several industry certifications, including Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and PCI Qualified Security Assessor (PCI QSA).