The Sweeter Side of PCI Compliance

I can’t tell you everything about security pros (be wary of those who claim they can), but I can tell you this: no one goes into security to write reports. They take time; they’re tedious; and writing them doesn’t make your organization any safer. That said, they are important. Security compliance is not all there is to keeping your organization safe, but security standards have an important role in the process. With that role comes oversight and yes, reports.

I’m a security guy myself. Before joining FireMon, I spent 7 years running in-house security for a Fortune 500 company. We handled a significant amount of sensitive data, and part of protecting that data included regulatory compliance. Among other standards, we adhered to the Payment Card Industry Data Security Standard (PCI DSS); meeting it is more commonly referred to as PCI compliance.

Challenges with PCI Reporting

Barb oversaw PCI compliance at our organization. She needed PCI reports on the first day of each quarter. My team was responsible for the reports covering our firewalls. Barb was (and still is) great — nice, friendly, easy to work with, yet our teams struggled to get the reports to her on time. Struggled is an understatement. We never got them to her on time. Creating them took my team hours of manually pulling the data, which meant less time for the work we needed to do to support our security posture.

However, Barb’s reports were not only necessary to keep our board of directors informed, but they were also needed for annual PCI audits. Compliance audits are justifiably no joke. Regulatory violations have penalties that can seriously impact your ability to conduct business. The process was unsustainable. I began looking for a solution.


On-time PCI Reports with Automation

I didn’t have to look far. I looked at the tools we’d already acquired for security management. FireMon was among them, and although we hadn’t brought it on for compliance, we quickly discovered it had exactly what we needed. Before, my team would take hours each quarter to manually pull a report for Barb that would inevitably be delivered past deadline. With FireMon’s built-in compliance assessments, we set up automated reports containing the information Barb needed and scheduled them to be sent each quarter on the day she requested.

Cookies for All

Then I promptly forgot about it. When the next quarter rolled around, I began mentally preparing to start the tedious task of PCI reporting. Before I got too far down the path, Barb showed up at my office with a huge smile and some delicious chocolate chip cookies, thanking me for getting her the report on time. My team was the first team to get her the report she needed; we were also the only team to get it to her on time.

It was the solution we needed that we didn’t know existed. We no longer dreaded the beginning of each quarter, we could stay focused on projects that improved the company’s security posture, and Barb got the information she needed exactly when she needed it. Plus, you know: cookies.

I hired FireMon before I ever came to work here, and I often share this story with security folks I talk to. “Now you might not get cookies from your Barb,” I say. “But stranger things have happened.”
