Business Process Management & PCI Compliance: The Essential Approach

In 2006, the Payment Card Industry (PCI) Security Standards Council (SCC) was established by the credit card brands to provide standards regarding protection of cardholder account data. Specifically, the PCI Data Security Standard (DSS) outlines guidance for processing, transmitting, and storing cardholder account data.

The purpose of PCI DSS is to increase controls around cardholder account data, thereby reducing credit card fraud via exposure. It’s included as a mandatory compliance term in the credit card’s contracts with issuers, merchants, and servicers. While PCI compliance is not a state or federal legal requirement, the reporting of data breaches is generally legally binding at state levels and is used as a mechanism for notifying card brands of potential non-compliance.

All organizations handling cardholder account data are required to attest their compliance with the standard and provide their attestation to an Acquirer or Payment Brand requesting it. This means documenting and understanding where and how cardholder account data is handled throughout the enterprise. In our experience working with large financial institutions, we’ve found that the use of BPM tools and standards provide the most complete view that can be easily understood by both business and technical leadership. BPM methodologies also lead to the shortest and most well-informed path for developing remediation and self-improvement strategies.

Financial institutions, such as banks and credit unions, have a particularly challenging time given they act as both a merchant and card issuer. They must understand every aspect of how they handle account data, including manual and paper operations; information and systems; and the compliance of their third party providers. Because financial institutions manage a large volume of account data, there is potential for significant financial loss in the event of a data breach. This makes the need for efficient and compliant business processes even stronger.

So…just how do you go about incorporating a Business Process Management approach using BPM solutions into your PCI DSS Compliance initiative?

A Simple Two-Step Approach

The first step is to capture an enterprise view of how and where cardholder account data is used. This means documenting all of the DSS-relevant business processes and then identifying the related systems.

Developing the inventory is no small task and requires time and commitment driven by senior leadership. Effective and efficient tools also play an essential role and it’s recommended to use a leading industry standard, Business Process Model and Notation (BPMN), for capturing the business view. It provides a clear graphical representation of processes, which speeds the review and approval process from key stakeholders. It also allows for the high level capture of related systems. In addition, BPMN diagrams become a re-usable artifact that can be leveraged during any future process reengineering work and help facilitate the creation of an inventory of processes and systems.

Once the business processes are well understood, the second step shifts the focus towards automated processes and understanding how cardholder account data is used, stored, or transmitted by the technology systems. With a slight style adaptation, BPMN can again be used to capture the data flow for systems. By using the same method of depiction, business and technical teams can easily read and validate the data flows and offer business process management solutions.

This simple two-step approach is valuable because it focuses on the business first to identify the potential impact to how business is conducted; then applies the business process intelligence (artifacts/knowledge gained) to the technology systems to understand how the cardholder data flows through information technology processes.

It’s a nearly impossible task to focus on and effectively remediate technology without understanding the impact to business. With both perspectives well understood, you can begin making strategic decisions for improving your PCI compliance posture and execute them using Agile development methodologies.

To learn more, see this use case describing the successful application of BPM to help a national credit union achieve PCI compliance.