Resellers can help start stalled PCI projects
In the struggle for compliance, resellers can apply a range of strategies to get things moving, says Kevin Dowd
Payment card industry (PCI) projects, perhaps even more than other compliance-driven projects, have a propensity to grind to a halt, despite a lot of effort and investment from both the client and reseller.
Check the tech. Too many PCI projects have fallen prey to the "kid in a sweetshop" phase of technology planning, resulting in a lot of expensive kit that cannot or will not solve the problem, too much scope, and a project that has cost a lot and is going nowhere.
In short: suck it up, write it off, or redeploy, and start again.
Reappraise the situation. Technology may not be the only solution, but it can be a powerful component of one, and the technology has moved on a lot since this PCI business started.
Many PCI projects could benefit from taking stock of the technology options now available that can offer a short-cut through a lot of issues.
Is the strategy inadequate? The project may have taken a false step from the start. Whether the scope was wrong, or the approach just doesn't fit the business, if it just isn't going to work, don't be afraid to revisit the strategy. This may be the only way forward.
Often PCI projects stall because of one area that just cannot be made to comply. This might be a rather large issue, related to, for example, all legacy data, or it might be a particular legacy system, but it stops the project in its tracks.
Be pragmatic. One way or another it is usually possible to either solve this seemingly intractable problem or put it to one side, and get on with the project.
One size doesn't have to fit all. Too often the PCI strategy is carved in stone, and then all areas of the business are required to comply using this strategy regardless of fit or practicality.
If imposing the same strategy across the board is painful, look at the exceptions and see if there is an easier way.
Nothing is forever – there is a difference between strategy and tactics. There may be some quick, tactical ways to achieve compliance in the short term that allow the grand strategy to be implemented over the medium or long term.
Sometimes, either through self-delusion or a monumental effort that simply cannot be maintained, compliance has been attained, but proved fleeting. Look again at all the strategies above.
Many PCI projects are ripe for re-examination as there are lots of ways to achieve compliance. The arrival of PCI DSS v3.0 means everyone is likely to have to do something.
For example, the enhanced testing procedures will probably affect everyone, as enhanced testing and audit procedures are now written into the standard throughout.
Version 3.0 is a fairly extensive update and merits early attention from resellers and their clients. Clearly the need to be compliant isn't going anywhere and resellers cannot afford for their projects to go nowhere. The sector needs to wise up and review.
Kevin Dowd is chief executive of CNS Group