5 Steps to Recovering from a Failed PCI ROC
A Payment Card Industry (PCI) Report on Compliance (ROC) documents the results of an on-site PCI DSS assessment, which tests the effectiveness of the security controls that merchants and service providers implement to protect cardholder data.
Merchants that process more than six million card transactions a year (Level 1) are required to undergo a ROC assessment. Other organizations may be required to complete a ROC at the discretion of the card brands or their acquiring bank.
Failing a PCI ROC assessment can be a major blow, but it doesn’t mean the end of your company’s ability to do business. Our PCI experts provide you with five steps to recovering from a failed ROC.
Steps to Recovery
A failed ROC isn’t the end of the world, but it does mean your organization is currently not PCI compliant. Following these five simple steps can help your organization secure its systems and get back in good standing:
1. Notify Stakeholders
A failed ROC affects more than the security team, so it's important to notify both internal and external stakeholders of the situation promptly.
The list of external stakeholders that you need to notify depends upon whether you are a Merchant or Service Provider.
If you’re a Merchant subject to PCI compliance, notifying your point of contact at your acquiring bank or payment processor is a priority. Additionally, your point of contact may want a timeline regarding when you’ll be compliant. This will be covered in Step 3.
If you are a Service Provider providing services to a merchant, it’s important to notify your customers of the situation as it may affect their compliance and the terms and conditions of your contract with them.
2. Identify the Issue
PCI compliance requires implementation of many security controls that fall under the 12 PCI DSS Requirements. If you worked toward compliance throughout the year, there may be only a few controls that were assessed as non-compliant.
Identifying the underlying issue and understanding its cause, whether it was a failure to follow policy or a change in personnel that left a few controls unattended, allows your organization to make the proper changes to meet compliance at the PCI re-assessment. Remember that compliance should be a year-round effort and not a short-term task; aiming to be compliant only during the assessment window will only lead to problems.
If there were major infrastructure changes (e.g., deploying a Voice over IP (VoIP) phone system that now carries cardholder data and is therefore in scope), a significant change may be needed in order to become compliant.
Identifying the exact cause of the issue helps you focus and prioritize your remediation efforts.
After major changes to infrastructure, consider engaging a Qualified Security Assessor (QSA) to perform a Gap Assessment. Doing this before the ROC can help you avoid a failed assessment, or at least gives you the information needed to request an extension with a credible remediation plan.
3. Make a ROC Recovery Plan
The PCI Security Standards Council has a tool to help prioritize the remediation effort. The Prioritized Approach for PCI DSS provides guidelines to help your organization speed up the process of securing cardholder data and becoming compliant.
The Prioritized Approach lays out six milestones that help to prioritize efforts to achieve compliance, establish milestones and lower the risk of cardholder data breaches.
After failing a ROC or when requesting an extension, your point of contact at your acquiring bank or payment processor may require your organization to fill out the Prioritized Approach Tool listing all of your milestones. Your point of contact may also want periodic progress updates, and you may need to revise the plan as unforeseen circumstances arise.
You should communicate your remediation timeline to the internal stakeholders and any external customers that may rely on the security of a service you provide.
While it is important to move quickly to minimize the impact of the failed assessment, it is vital to take the time to properly plan, implement, and test the controls so that a misunderstanding of a requirement doesn't cause another failed assessment.
4. Implement and Test
After the issue has been identified and you have developed a plan, it is time to implement the missing security controls. Take the time to properly test each new control to ensure that it is effective in mitigating the identified issue and that it does not reduce the effectiveness of other security controls.
Once a control is implemented and has passed internal testing, it may be a good idea to have an external entity perform a Gap Assessment to confirm that your organization did not miss an unexpected side effect of the new control.
Once your organization is confident it meets the requirements for PCI compliance, it’s time to schedule another ROC assessment. Take advantage of access to your QSA to ask questions about your existing security controls and how they may be improved to meet and exceed current and future recommendations.
Getting Help with a Failed ROC
Failing a PCI Report on Compliance (ROC) can be a stressful experience. It’s often difficult to understand why your organization’s existing security controls were insufficient for compliance.
Working with a QSA certified by the PCI Security Standards Council is a sound approach when going through the re-assessment process.
Sword & Shield provides a comprehensive set of services for helping you through every stage of the PCI compliance process. This spans from understanding the reasons for the issue to implementing new controls and getting you certified.