Nettitude Blog

PCI DSS: The Best Show In Town

Posted by Peter O'Sullivan on May 9, 2016 10:30:28 AM

PCI DSS – The Longest Running Show

Coming to a theatre near you!

Not everybody understands the importance of PCI DSS, so sometimes making it accessible with analogies can help bring others on the journey. PCI DSS is the script and your company is the theatre, preparing for ‘Showtime’!

Figure 1: PCI DSS Play

Picking the script

The budget can be a key factor in the decision to put on a production:

  • How many tickets will you sell?
  • What can you afford to pay?

A small community theatre can’t handle a large production like you’d find on Broadway or in the West End, so the show is scaled down and the script abridged.

Within PCI DSS, the choice of the payment channels you offer and the technology used to deliver them can have a huge impact on how many controls you are required to implement and what it’ll cost.

Choose wisely to meet your objectives and select the smaller script, in the form of an:

  • SAQ-A,
  • SAQ-B,
  • SAQ-B(IP) or
  • SAQ-P2PE

Be sure to ask the licensee (Acquiring Bank) first though; after all, it’s their decision which of these they will let you use.

Stage Directions

Figure 2: PCI Stage Directions

The success of a production is the people on stage and the performance they give, their:

  • Passion
  • Timing
  • Delivery

This is often the difference between a hit and a flop!

The best shows are consistent in their delivery and exhibit a “Business As Usual” feel, but the performers and stage crew go above and beyond each time to make the production better and better.

By having good direction (policies and business processes) to interpret the script you've chosen, the actors (employees) give you a performance which endures and matures over time.

  • Technical and Dress Rehearsal - Before you let in the critics (your QSAs), any production goes through technical and dress rehearsals.
  • The technical rehearsal - Before opening the doors, ensure that lights, sound, props and staging are set up and operating as per the stage direction. For PCI DSS, this takes the form of a penetration test, technical standards and their implementation, ASV scans, vulnerability management and so on, but depending on which script you chose, you might not need all of these. Not everything can be fixed on day one, but plans are put in place ready for the dress rehearsal.
  • The dress rehearsal - This is your pre-assessment by a QSA, providing notes to the directors on where you’re not quite hitting the mark.


Figure 3: PCI DSS Show Critics

The critics come in and watch the performance carefully, writing up the review of your PCI DSS production; your assessment begins!

At the end of previews, they may tell you about something that isn't right, then come back within a short timescale to check you've remediated the problems, so they can publish the review to the licensees.

In this case, if they like what they see, then you've landed yourself a license for one year, but you have to keep that production running smoothly with regular technical rehearsals throughout the year.

You cannot rely solely on your performance at night!

Keeping the House Lights Lit

The best shows and plays run for years and years, but why and what is their secret? It’s quite easy really, they are well managed, with good scripts, with an excellent cast, to deliver consistently day after day, but they keep working on it and don’t rest on their laurels.

Mistakes and problems lose money and eventually the curtain comes down. Mistakes in your production of PCI DSS can lead to the licensee fining you or, worse still, withdrawing your license.

The value of consistency cannot be stressed enough, so work with a good QSA company and engage with the license holder to keep that show on stage in an award-winning manner.

Keep an eye on the script though; sometimes it changes, so work those changes into your performance, because the SHOW MUST GO ON!
