How She Passed Her First PCI Audit


Jordanne Barrett tweeted about how excited she was to pass her first PCI audit. I worked in retail once upon a time, and I vividly remember the excitement and sense of accomplishment I felt when I passed my first PCI audit.

I also remember how much I cried.

I was completely out of my comfort zone learning new requirements while implementing solutions to satisfy the updated standards. I was also simultaneously trying to overcome the myriad of challenges associated with doing the second most thankless job on the planet (behind parenting).

Her tweet brought back all these memories, and the one thing I regret is not publishing lessons learned after winning my PCI wars.

Passing an audit of updated security standards is a big deal, especially if you’re new to the industry with little or no tribal knowledge or existing relationships in the company. There is value in sharing our experiences to help others, so I reached out to Jordanne to ask if she would be so kind as to share what she learned during this process.

I was so excited when she agreed!

Here is her story on how she conquered PCI DSS compliance as a novice:

I recently assisted my company in becoming PCI DSS certified for the first time. I had no idea what I was getting myself into; all I knew was that it was a challenge I wanted to conquer.

I also had no experience with PCI DSS audits before. All I knew was the definition and purpose, nothing in depth.

For those of you who are not familiar with PCI DSS, it is the Payment Card Industry Data Security Standard that companies must comply with as a condition of accepting major credit cards. This includes most retailers, hospitals, power utility companies, online brands, and many other industries that accept debit/credit cards.

PCI DSS is established by the major credit card companies, including Visa, MasterCard, American Express, Discover, and JCB. These companies came together to form the Payment Card Industry Security Council and created the industry standards for handling sensitive data. Sensitive data is defined as your credit card information, social security number, passwords, etc.

The Beginning

I began the project as a complete novice to anything that dealt with sensitive data and the payment card industry. My first approach was to read through the PCI DSS version 3.2 document to see what would be expected regarding compliance.

I spent a lot of my free time after work and on weekends researching different articles about audits and looking up YouTube videos just so I could grasp what exactly is involved with the process.

After doing my research, I started to experience anxiety because a lot of the terms and requirements were going over my head since I’d simply never encountered the topics before. I didn’t let this discourage me though. I just approached it one requirement at a time.

During

The PCI auditor came to our site for about four days to do an assessment. This is where I believe all panic set in mentally!

After four days of seeing our gap grow larger, I started to think to myself, “We will never be able to remediate this in 90 days.” I reached out to my mentor for guidance on what resources I could utilize to make this process easier, along with Google.

Once again, I started spending my weekends reading through NIST documents on how to create incident response plans and how to draft company policies, along with cross-referencing our current policies with what is outlined. I was learning and trying to execute changes within the company at the same time.

Editor’s note: Taking initiative is a big part of succeeding in this industry. It is important for students and others considering switching to this field to understand that you will have to spend time outside of work learning. This is not a “get a cert or degree and then your work is done” field.

Challenges

Lack of Confidence

A lot of hindrance in this project came from me simply not believing I was smart enough or capable enough to bring us to full compliance. I believe my lack of confidence started to show to our auditor, who in turn started losing respect for my role in the project. It was not until I removed negative thoughts and attitudes that everything started coming together for us to close out our gap report.

Lack of education

A part of my lack of confidence was that I felt I simply did not have the knowledge to complete this project. Outside of doing excessive research on PCI DSS, I also started to study for my CompTIA Security+ exam. Once I started studying for my certification exam, everything I was doing for PCI started to come together and make sense. I felt I could now speak with confidence because I knew and understood how everything works together.

Time

I became very frustrated with the amount of time it took to get to 100% compliance. I did not realize I would need evidence to prove my evidence! I wanted to be done with this project in a timely manner and did not consider the time it would take to implement the required changes within our company.

Editor’s Note: Dear every woman reading this: if 45 can be president, YOU ARE SMART ENOUGH TO DO EVERYTHING! Dassit!

Advice to Anyone New to PCI Audits

To any other novices out there ready to take on PCI DSS compliance, my advice is do your research on PCI DSS, have a strong team within the company to assist you, and have patience.

Why Research?

Research will help you familiarize yourself with PCI requirements and set expectations about what the audit will entail.

Why Collaborate?

The second suggestion is to have a strong team within your company to assist you. There is no way only one person can remediate all gap items. You will need to involve someone from your system admin team, development team, and even human resources just to name a few.

Why Patience?

My last suggestion is to have patience. Even though a remediation item might not seem that difficult to implement, it could take longer depending on your network.

Editor’s note: Remediation could also take longer than expected due to company politics, an understaffed IT department, or security having been treated as the stepchild that the company neglected until the CEO received marching orders from the Board to have an independent assessment performed because investors are asking questions.

Now you have to fix years of neglect in 90 days.

Yes, this is still a thing in 2017.


Jordanne, thank you so much for sharing your experience. Our voices are needed in this industry!

Want to continue the conversation with Jordanne? Connect with her on LinkedIn and/or Twitter @jaidbarrett.

My name is Jordanne Barrett. I am a University of South Florida alumna and have been an Information Security Professional for a year. I am currently an Information Security Administrator for an e-commerce company. I am responsible for the overall compliance of the company, implementing cyber security awareness, and creating company policies, standards, and procedures. I love compliance and new challenges, which is why I love InfoSec. I am constantly in pursuit of solving issues. I have a passion for educating kids on cybersecurity, and I hope to be able to pursue this full time also.
