Celebrating Passing a PCI Audit is Like Celebrating a Passed Drug Test

A Payment Card Industry (PCI) audit is an important event. Big companies spend upwards of $500,000 on the process and devote a lot of resources to it. They carefully shop for the right Qualified Security Assessor (QSA) to conduct the audit, engage their entire risk management teams to execute it and convene internal committees and working groups to handle information requests. The process can take weeks, months, even years and the result is critical to the survival and success of the entire business. So passing a PCI audit is surely worth celebrating, right?
Wrong.  It's equivalent to someone celebrating when they find out they passed their employer's drug test.  It makes you wonder why they had doubts in the first place.

Inside the industry, we know that actual PCI audit failure is rare. According to recent research from the Ponemon Institute, roughly 98 percent of companies achieve successful PCI audit outcomes. The problem, in my mind, is re-framing the definition of success. If a company views success as merely passing the audit, they have set an incredibly low bar for themselves.  

Here’s what really matters:

Demonstrating a level of compliance that actually matters to customers and prospects. In other words, creating a transparent, real-time, all-the-time assurance position that truly differentiates a company from competitors offering snapshot certification that may be invalid or obsolete the day after the audit.

Introducing predictability, efficiency and cost-effectiveness to the auditing process. The traditional ebb and flow of the audit cycle is a costly and ineffective means of risk management. Given its 98 percent passage rate, a PCI audit should be completely predictable but instead often involves huge shifts in human and financial resources. The missing ingredient is continuous monitoring that confirms compliance on an ongoing basis.

Defining requirement interpretations and compensating controls in advance and as-needed. According to the same Ponemon Institute study, more than 40 percent of audited businesses would fail if they didn't use compensating controls. Moreover, passage for every company relies on consistency of requirement interpretation between company and QSA. With that in mind, companies should implement processes that advance those priorities outside the audit, thus eliminating costly surprises. 

Don’t celebrate PCI passage. Celebrate the smart implementation of continuous compliance and assurance that makes audit success an ongoing and foregone conclusion.