Experience time and again has shown that successful PCI DSS efforts, both internal self-assessments and external assessments, have a point person or team within the organization who drives for project completion and organizational compliance. A key stakeholder interaction between that point person or team, what we will call the project manager, and the overall project owner is the project charter. We use project management terms intentionally because a PCI DSS compliance effort is like any other project, albeit with big risks, but then all projects have some form of risk.
What is a project charter, or as we PCI QSAs call it, the PCI charter?
Using your favorite search engine, you’ll find a plethora of definitions and templates. Ultimately it comes down to "a statement of the scope, objectives, and participants in a project. It provides a preliminary delineation of roles and responsibilities, outlines the project's key goals, identifies the main stakeholders, and defines the authority of the project manager." What it does is give the project manager organizational permission to expend resources, provides a high-level overview of the project (in this case, PCI compliance), and serves as an explicit contract for all key stakeholders in the project.
The Project Management Institute, PMI, places heavy emphasis on the project charter. They want it secured up front, before you get very far into the project; signed by the project owner and the project manager; and made a fundamental part of the overall project work papers (known to all). The intent is that it protects the project manager when she wants to get the organization pointed in a different direction (organizational commitment) and when resources (financial and people) are to be expended for the sake of the project. Without a project charter, decisions will have to keep being returned to the project owner, which can bog down a project and is itself a risk, since project goals can't be realized without low-level oversight.
Where you see the charter come up in PCI compliance is in Requirement 12.4.1.b, which is required for service providers.
Requirement 12.4.1 states, “Executive management shall establish responsibility for the protection of cardholder data and a PCI DSS compliance program to include:
- Overall accountability for maintaining PCI DSS compliance.
- Defining a charter for a PCI DSS compliance program and communication to executive management."
What the PCI SSC wants to see is for executive-level management to assign the project to an individual or an organization, and to show they back PCI compliance at the organizational level while keeping tabs on the PCI compliance effort. This doesn’t mean the project manager has carte blanche and can go out and spend huge amounts of money for the good of the project. The charter is intended to keep the scope defined, to prevent boiling the ocean, and is the primary means of exerting management oversight over the entire PCI compliance effort.
So, should you draft a PCI charter?
If you’re a service provider, the answer is obvious: it's required for compliance. If you’re a merchant, you’re not required to draft one, but think of how much your PCI compliance effort will be streamlined without having the project owner make all the decisions. Management 101 says to empower your employees. What better way to do that than to empower your project manager (individual or organization) with the necessary tools to drive toward your PCI DSS compliance goal? In the long run, a little investment in time to create the charter, and an investment in the people who work the project, will pay off with a successful PCI DSS compliance effort.
Thank you for reading!
SecureTrust, a Trustwave division, leads the industry in innovation and processes for achieving and maintaining compliance and security. SecureTrust delivers world-class consulting, compliance and risk assessment services and solutions for the enterprise market as well as tailored merchant risk management programs and solutions for merchant program sponsors around the globe.
Drew Cathey has been a member of the SecureTrust team for 5 years and has been in IT for 35 years. Coming from a background in telecommunications IT operations, he has held positions in engineering, project management and IT security. Drew holds degrees in biology, engineering and an MBA in Information Technology management along with PMP, CISSP, CISA and QSA certifications. He resides in St. Petersburg, FL with his two children and enjoys running, bicycling and tennis.