“How does driving a 1,300km journey during the COVID-19 lockdown relate to PCI compliance?” I hear you say…
As those of you who know me, or have seen me present will know, I love a good metaphor.
Over Easter weekend I had the somewhat surreal experience of driving the 1,300km journey from home to Auckland International Airport and back again during New Zealand’s level 4 COVID-19 lockdown. On the trip home I was reflecting and couldn’t help thinking about the similarities between the lockdown, making this a safe compliant trip and PCI DSS compliance.
Over the years most conversations regarding PCI DSS compliance are centered on how you get there. Let’s face it, achieving PCI DSS or compliance with most standards and frameworks, can be difficult. At times I have also been asked ‘so what’s the benefits of doing this? (PCI compliance)’, but not frequently enough. I have often thought more time should be spent thinking about the maintenance and benefits of compliance.
Changes to standards to keep up with the ever-changing risk landscape, key staff churn, changes in senior leadership, and initiatives that deliver to the bottom line often distract from maintaining compliance. More awareness of the need to maintain compliance and the benefits of doing so can help organisations view the ongoing journey in a more positive light.
So, how does a 1,300km journey during the COVID-19 lockdown relate to PCI compliance?…
For the past few months, my family have had a couple of exchange students living with us. Tim from Austria and Justus from Germany. Understandably as concern regarding COVID-19 grew their parents wanted them to be at home with their families. Tim was able to get a flight home quickly. We dropped him off at Wellington Airport and said our Goodbyes. Justus also had a flight home. However, this was approximately three weeks later, once we were in level 4 lockdown. At this point, there were limited domestic flights, all of which were full, and of course travel between regions was not permitted unless essential.
While we could use our modern short-range electric car to get Tim to the local airport without permission from anyone, this was not going to be the case for Justus. In essence, the goal to get each student to the airport was similar but due to a change in the environment and current risks, the approach needed to be different. To get Justus to Auckland airport I needed a safe longer-range vehicle, and I needed permission from the National Crisis Management Centre (NCMC) to even go on the journey.
I wasn’t expecting to go on a long journey so I decided to put off some work that needed to be done to our family car until after the lockdown as I thought our Nissan Leaf was all we needed. Thankfully our large extended family provided me a good range of cars I could use. Although I had to ‘burst our bubble’ slightly and borrow a car, everyone in the family had been compliant with the lockdown so it was a calculated and necessary risk.
I decided on an Alfa Romeo, Giulietta. It was a well-optioned car that had also been lowered and chipped. My wife’s auntie kindly loaned it to me and showed me how to access all the car functions, connected my phone, etc and let me know about the cars quirks and any oddities with the electronics (AKA part of Alfa Romeo’s character). I was heading on a long journey in an unfamiliar car, but a small fast Italian car that corners like it’s on rails and looks good while doing it should be fun!
I have worked on compliance with organisations from their startup phase through to becoming multinationals. When I assessed one organisation initially their compliance program was fairly straight forward. However, as the risk landscape changed, innovations were implemented, payment facilities changed, and their transaction volume grew that changed. As a result, maintaining compliance became more complex and required more effort and controls. They made the necessary adjustments and have maintained compliance for approximately 8 years at the time of writing this.
As with most journeys, the time to prepare can vary depending on the surrounding circumstances. In my case, none of the controls I needed to use were new, although I did have to make a slight adjustment, by borrowing a car due to unforeseen circumstances. That said, my technical controls, a warranted and registered car were in place. My physical controls to make it a safe trip, staying at the family Bach to break up the journey, was something I had done on many occasions. My plan and necessary documentation had been submitted to the NCMC …on Good Friday, I was just waiting for sign off and permission to go. After refreshing my email throughout the day to see if we had been given permission to go, nothing….
The next morning, I picked up the car and packed to leave confident there would be no issues. I knew everything I was going to do was compliant and met the intent of the lockdown. As we were only driving to the Bach that day, we didn’t have to rush our departure as this leg of the journey was only 350km. At 9:53 am I got a call from the NCMC to clarify a few details such as Justus’s name, flight number, and the registration number of the car. At the end of the call I was told all the necessary requirements had been met and was wished a safe journey, I would receive a letter that I should print out and have with me for when I was stopped. Although we had discussed the risk of just going without permission, I was pleased to have got the call and to be able to leave knowing I had done everything I needed to make this as safe and easy a journey as possible.
Compliance takes preparation and effort. Although the benefit of compliance may not be immediately realised, an organisation should take comfort when they have done what they need to do to make their journey as easy as possible.
As we drove north, we saw a number of police cars but none of them stopped us. It was a surreal experience driving on state highway 1 during the Easter break and most of the time being only car on the road. I learned quickly, if I saw another car – to assume it was a Police car because 99% of the time it was. The only other vehicles on the highway were the occasional truck. As we approached Waiouru and the start of the Dessert Road I was sure we would be stopped. As we passed the Police station a Police car did follow us briefly but then pulled over.
Now I’m in a fast car that’s been lowered and chipped. I haven’t been stopped and even if I am, I have permission to be on the road. So far, I’ve passed a lot of Police cars, and even with the cruise control set a nudge over the speed limit I haven’t even had lights flashed at me, and I’ve probably got the dessert road to myself. The temptation to put my foot down was immense! However, being possibly the only car on the dessert road meant I stood out so instead of risking a ticket I notched up the cruise control a little more and patiently waited to have some fun on the twisty bits.
Along the way, we pulled over so Justus could enjoy the scenery. If only we could fly our drones in the national park and have a look at the road ahead. If the road ahead was clear I would have the opportunity of a lifetime… but who would do a thing like that?
About now we were wondering what the point of getting permission was. Perhaps the news about people being stopped was just propaganda to keep us at home and the effort I had gone to get permission was a waste of time. At this stage we almost wanted to get stopped to justify the effort. As we approached the end of the Dessert Road we got our wish as there was a roadblock stopping all traffic in both directions. We pulled over and I handed the Police Officer my letter.
The Police officer thanked us for doing the right thing and getting permission for our Journey. He asked if we had been stopped many times along the way. He was a little surprised we hadn’t but pointed out the registration number of the car was ‘in the system’ so the legitimacy of our journey was easily checked. Aside from the necessary details the letter from NCMC also said ‘We would appreciate that you assist their (our) safe travel to our final destination.’. Basically, what that seems to have meant was don’t stop us unnecessarily. As we pulled away from the checkpoint, I was happy I had done the right thing getting the travel exemption, or our Journey could have ended when we passed the first Police car at which point our goal would have rapidly become unachievable.
At times clients have wondered who cares about their compliance?. There is the obvious answer, the banks, credit card schemes, and the customers that use the payment systems. Organisations that you want to connect to may also care, but the thing to remember is that compliance is difficult to do retrospectively and result in non-compliance fines or missing an opportunity if being compliant is part of a potential customers requirements. More importantly as PCI compliance can directly impact an organisations income stream it should be well understood by leadership.
Justus and I enjoyed our afternoon staying at the Bach to break up our journey and had an early night since we had an early start the following day. The trip to Auckland Airport and back to the Bach was much like the first stage of our journey, a little bit surreal, visible Police presence on the expressways and state highway but was plain sailing and without incident. I considered drive straight through to Wellington on the way back but decided after a long drive and with the forecast predicting a change for the worse, I decided the safer choice was to spend the evening at the Bach again and leave refreshed the following day.
There had been some heavy rain overnight and there was a light drizzle as I headed for home. I knew the road ahead and had some idea what the traffic would be like. What I hadn’t thought about was without much traffic to disperse the water it had a chance to settle on the road. This became obvious when I headed round the first bend and aquaplaned across a big puddle giving me a hell of a fright. Thankfully as I’d had a rundown of the car’s features before I left, I knew how to put it in ‘All-Weather Mode’! I engaged all-weather mode and decided on a less spirited driving style to mitigate the risk.
By the time I got back to the Dessert Road the weather had cleared up. I switched the car back into a sportier mode and had another fun drive. I felt like I had a police escort from Waiouru to Hunterville but there wasn’t anyone else on the road to pay attention to, so I re-engaged cruise control and relaxed.
There were another couple of unexpected road conditions due to the altered traffic flows. The autumn leaves settled on the road with little traffic to disrupt them. In the shade they were a bit slippery as I noticed the traction control kicking in. It was also fun to watch the tunnel of leaves the wind flow created by the car caused behind me in the rearview mirror. More animals seemed to venture onto the road, so I had to watch for that and in at least 6 cases avoid the falcons and hawks feeding on existing roadkill. It’s been a long time since I’ve seen so many of those awesome birds. It was inspiring to see how quickly nature reasserts itself when we give it the chance.
It may feel like some of the controls needed by the PCI DSS are unnecessary or are just for the sake of compliance. However, when clients have been protected from an attack and alerted to it by controls and monitoring systems they may not have otherwise had, the value of compliance is realised. I’ve seen this happen on a number of occasions. I have also seen situations where organisations have been able to leverage their controls and monitoring systems to reduce the risk when innovating or trying to achieve compliance with other standards or frameworks.
Just as I had questioned the need to comply with the travel requirements during the lockdown, the value of compliance with security standards can often be overshadowed by the difficulties of achieving it. Instead, we should consider the journey beyond and embrace the safety net and metrics compliance can provide. We should look at how the effort that has gone into compliance can be leveraged for other necessary standards and frameworks, and reduce ongoing risk. Just as I was only stopped once on my journey, we also need to be aware that although you may not be directly asked about compliance, it is noticed, and it can give confidence that you try to do the right thing.