PCI Resources
A structured approach to the PCI standards

PCI DSS Governance

*This section is adapted from the PCI DSS books.

In the PCI DSS world (and information security in general), I would describe governance as the assignment of oversight and management responsibilities for PCI DSS and the information security program.

Contrary to what seems to be the common belief out there, PCI DSS is not an IT requirement; it is both a contractual requirement (for example, most merchant business agreements include language mandating compliance with PCI DSS) and an industry standard that has a (very) strong IT security focus. Most practitioners always recommend that PCI DSS be seen as an organizational (business) issue and not as an IT issue. I agree with them on this.

While PCI DSS compliance should not be addressed as an IT problem, it is still very technical (IT) in nature and many responsibilities will fall to technical staff. I generally recommend that one (non-IT) person be in charge of compliance with PCI DSS. If you have a chief compliance function, that would be a likely choice. If not, I would recommend looking at who has the relationship with the entity you need to report your compliance to. For merchants, this entity is your acquirer. For issuers, acquirers and service providers, reporting is made to the card brands (often multiple ones). In a merchant's case, that relationship is often held by the treasury department. So assigning the CFO, the treasury director or manager may work well. This individual does not need to be technically savvy, but would interact with individuals in charge of IT and Information Security (which depending on the organization can be one and the same) and serve as primary point of contact with the entity imposing compliance.

Requirements 12.5.* of PCI DSS mandate assigning information security responsibilities. We also recommend that these fall to a single individual, generally the CISO or CIO. Some of the responsibilities in the sub-requirements can then be delegated, but ultimate accountability should rest with the identified individual. Amongst the responsibilities are:

  • developing and maintaining (updating at least annually) information security policies and procedures (12.5.1)
  • ensuring monitoring of security alerts (12.5.2)
  • implementing security incident response processes (12.5.3)
  • administering user accounts (12.5.4), including controls over the addition and termination of users
  • monitoring and controlling all access to data (cardholder) (12.5.5)

All of these responsibilities must be documented clearly and approved by management (12.4). Again, while these requirements cover cardholder data, they should still apply in reasonably the same way to all information held by the organization.

One of the first step of the governance apparatus is the development of organizational policies. The other is the performance of a risk assessment.

Further readings: