How to Improve PCI Compliance and Reduce Technical Debt

Paying down technical debt during the pandemic can reap major benefits when operations resume

At the very least, the COVID-19 pandemic has disrupted short-term business plans for almost every size and type of business. At worst, it has threatened the survival of certain industries. And there’s little doubt that it will continue to disrupt long-term business strategies for the foreseeable future.

So, what does that mean for IT teams? For many, it means watching budgets for new projects disappear. It also means doubling down on the mantra of the last decade and figuring out how to “do more with less.”

Fortunately, this type of ongoing disruption can also present unique opportunities that don’t require additional spending. Utilizing the existing skills of your team, you can still turn this into an incredibly productive time. How? By getting rid of your “technical debt.”

Technical Debt, and Why You Should Pay It Down

If you’re wondering what I mean by technical debt, it’s similar to most other types of debt. In your personal finances, you might have gone overboard with a new credit card or made a big discretionary purchase right before encountering a major unanticipated expense. Either way, you’re facing debt that will continue growing until you start paying it down.

Technical debt is similar. Think of it as the accumulation of all the questionable IT choices your company has made over the years. Technical debt can take on a variety of forms, but here are some basic examples:

  • Do you have 50 domain admins in your Active Directory simply because no one has taken the time to update file server permissions?
  • Did you neglect to apply a critical software component because the finance team couldn’t tolerate any downtime during the last month of the fiscal year?
  • Do you still have glitchy code that’s held together by a shoestring just because a certain new product feature “had to” make it to market?
  • Do you have out-of-support devices or operating systems across your environment?

All of these are examples of technical debt. And let’s not kid ourselves—we’re all guilty of letting these easily fixable items simmer on the back burner far too long while we focus on all the new and shiny IT projects instead.

None of these items is catastrophic on its own. But if something impacts security, it’s critical that you address it sooner rather than later. If your business has tabled new projects because of the pandemic (or for any other reason), now is a great time to get rid of your technical debt.

3 Tips to Get Started

Consider this your time to clean house, and one primary area to focus on is PCI compliance. Start off by familiarizing yourself with the PCI DSS 3.2.1 guidelines. This is your rulebook for being successful in all things PCI-related.

Having worked with a wide range of customers on security and PCI compliance issues, I typically see the same basic challenges everywhere. Based on those experiences, I’ve come up with three tips to help you pay down your PCI technical debt:

  1. Revise your network maps. The first, most obvious thing you can do is to make sure you have an up-to-date network map. Not only is a current map required for PCI compliance, but it’s also a great tool for training and troubleshooting. Don’t be shocked if you “discover” servers and systems that no one even remembers. But there they are, without any monitoring or oversight. And, yes, that’s a security risk!
  2. Refine your PCI policies and procedures. If your company is like most others, your policy documents aren’t at the top of everyone’s mind. If you even know where to find them, you’re probably ahead of your peers. This is an ideal time to examine your foundational documents and catalog your processes. Take the time to educate your team on why PCI compliance is so critical to risk management.
  3. Update device firmware and system operating systems. There are few things more painful in the IT world than playing catch-up with outdated firmware or OS versions. You definitely want to avoid going through long, arduous migrations just to get to the current version. Use any free time to stabilize on the latest code available.
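Tip 1 describes the moment you find servers that are on the network but on nobody's map. A way to find them deliberately is to reconcile the documented inventory against what the directory (or a scan you already run) actually reports. The PowerShell below is an added example, not part of the article: both CSV inputs are constructed sample data standing in for a network-map export and a `Get-ADComputer` export, and the column names (`Hostname`, `Segment`, `Monitored`, `Name`) are assumptions about those exports.

```powershell
# Added example (not from the article): reconcile a network-map inventory against the
# hosts the directory knows about. Both CSVs are constructed sample data.

$networkMapCsv = @'
Hostname,Segment,Monitored
pos-db-01,CDE,Yes
pos-app-01,CDE,Yes
fileserver-02,Corp,Yes
legacy-print-01,Corp,No
'@

$directoryCsv = @'
Name,OperatingSystem,LastLogonDate
POS-DB-01,Windows Server 2016 Standard,2020-05-01
POS-APP-01,Windows Server 2019 Standard,2020-05-02
FILESERVER-02,Windows Server 2012 R2 Standard,2020-04-30
OLD-TEST-SQL,Windows Server 2008 R2 Standard,2020-04-28
'@

function Compare-Inventory {
    param(
        [Parameter(Mandatory)] [object[]]$MapRows,        # rows with a Hostname column
        [Parameter(Mandatory)] [object[]]$DirectoryRows   # rows with a Name column
    )
    # Normalise case so "POS-DB-01" and "pos-db-01" compare as the same host.
    $mapNames = $MapRows | ForEach-Object { $_.Hostname.ToLowerInvariant() }
    $dirNames = $DirectoryRows | ForEach-Object { $_.Name.ToLowerInvariant() }

    $diff = Compare-Object -ReferenceObject $mapNames -DifferenceObject $dirNames

    [pscustomobject]@{
        # In the directory but not on the map: the servers "no one even remembers".
        UndocumentedHosts = @($diff | Where-Object SideIndicator -eq '=>' |
            Select-Object -ExpandProperty InputObject)
        # On the map but gone from the directory: stale documentation to retire.
        StaleMapEntries   = @($diff | Where-Object SideIndicator -eq '<=' |
            Select-Object -ExpandProperty InputObject)
        # Documented, but the map itself admits nothing is watching them.
        UnmonitoredHosts  = @($MapRows | Where-Object Monitored -ne 'Yes' |
            Select-Object -ExpandProperty Hostname)
    }
}

$result = Compare-Inventory -MapRows ($networkMapCsv | ConvertFrom-Csv) `
                            -DirectoryRows ($directoryCsv | ConvertFrom-Csv)
$result
```

With the sample data, `UndocumentedHosts` contains `old-test-sql`, `UnmonitoredHosts` contains `legacy-print-01`, and `StaleMapEntries` is empty. In practice, replace the directory export with the output of your own scan or `Get-ADComputer`, and treat every host in `UndocumentedHosts` as a map update and a monitoring gap to close.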

Avoiding the Non-Stop IT Churn

Most of us have always longed for a break during the non-stop churn of IT projects. If you happen to find yourself with strategic projects on hold and a team that’s eager to work, start focusing on projects that keep getting pushed to the back of the queue. Begin paying down your technical debt while improving how you handle PCI compliance. Getting your house in order now will make life much easier when the IT churn starts all over again.

Security Boulevard

Rob Chapman

As Director of Security Architecture at Cybera, Rob Chapman is responsible for the company’s overall cybersecurity architecture and PCI compliance initiatives. During his career, he has focused on areas ranging from academic and enterprise technologies to big data and audiovisual systems. Chapman has a Masters in Educational Leadership and Instructional Technology from Tennessee Technological University. He currently resides in Columbia, TN.
