Securing Information
Strengthening Business

PCI DSS and Corporate Governance Go Hand in Hand

This article looks at why PCI DSS cannot be divorced from the business, corporate governance and regulatory frameworks that already exist within an organisation, and the benefits of integrating it within a compliance framework.

PCI DSS often stands alone

PCI DSS is an important contractual issue for many organisations for whom payment cards are central to their business. It is often seen as a stand-alone compliance project, separate or different to other compliance areas that need to be serviced within the business. But dealing with PCI DSS separately or differently is often counterproductive.

Treating PCI DSS as stand-alone can:

  • Waste valuable resources
  • Obstruct overall continuity of the business
  • Divert scarce business resources

Don’t divorce PCI DSS from your corporate governance framework

At Ascentor we strongly believe that PCI DSS shouldn’t be divorced from the business, corporate and regulatory frameworks that already exist within organisations, such as Internal Audit, the UK Corporate Governance Code (formerly the Combined Code), Sarbanes Oxley and the Companies Act 2006.

These are some of the basic frameworks within which internal controls work within businesses. To deal with one aspect of compliance outside of these frameworks is to weaken the overall structure.

PCI DSS and the continuity issue

PCI DSS can also have a continuity problem. In the first place a programme is set up to help the business become compliant – a programme manager is appointed, a budget is agreed and the project gets underway. The remediation is successful, the QSA signs off the Report on Compliance and the Merchant Acquirer is happy. Then it starts to go wrong. The programme manager goes on to other things, the project team separates and things return to normal. And normal is not where we want to be.

Integrating PCI DSS within a compliance framework

Where we want PCI DSS to be is within a compliance framework. This will ensure that all the good work that has cost us so much is not wasted because a trivial mistake hasn’t been picked up by the internal control checks and balances.

We believe that every organisation needs an overall structure for internal control. This sets out the responsibilities and resources needed to maintain PCI DSS compliance as business-as-usual within an achievable governance structure.

Doing it this way will benefit IT departments who would otherwise be struggling to maintain PCI DSS controls within a compliance vacuum. It can also help the Board to keep a check on the big risks the company is managing.

In Turnbull’s interpretation of the Hampel combined code he sets out what it describes as a “sound system of internal control” requiring organisations to demonstrate that its risks are understood and properly managed. These risks must include the potential for the loss or compromise of Cardholder Data because the implications are so great.

What we need to do is to include PCI DSS within this overall compliance structure.

Article by Colin Dixon, Principal Consultant at Ascentor and leading authority on Corporate Governance and PCI DSS.

Related Content from Ascentor:

For Further Information

If you have any questions about the topics we've covered, or would like to have a chat about any aspect of your own cyber security strategy, please get in touch with the team at Ascentor.

Please use the contact details below - also found on our Contact Us page.


Fields marked with an * are required
Share this:

You may also be interested in:

The most popular cyber security standards explained


The Demise of IS1 & 2 – Are Risk Assessments Really Worth the Effort?

                HMG IA Standard Numbers 1 and 2 – Information Risk Management is no longer supported by CESG. The standard will still be available

How To Achieve Security Standards Quickly And Save Money

Companies are able to make big savings when going for security standards compliance by changing the way they do business rather than remediating