PCI DSS Program Charter
Last Reviewed: 2025-02-17 19:44:43 UTC
Background
APS accepts credit cards as a form of payment for services related to the hotel and hospitality industry, specifically to guarantee hotel room reservations on behalf of our hotel customers. APS is contractually responsible with our acquiring banks for the security of customer cardholder data; the security requirements are defined by the Payment Card Industry Data Security Standard (PCI DSS).
Business Need
Achieving point-in-time compliance can be a difficult task in itself, but sustaining compliance has proven to be more difficult. Achieving and maintaining PCI compliance is mission critical at APS. Maintaining compliance is accomplished through collaboration from critical stakeholders including information security, technical operations teams, and business operations. Without clear and effective communication, compliance cannot be achieved.
Business operations support is crucial in achieving and maintaining compliance with the PCI DSS; PCI compliance is more than an IT Operations and Security initiative, and it requires input from the entire organization. The following are core reasons the company and business operations need to address PCI DSS compliance:
- It shows customers that the company takes the security of their private data and information seriously and adequately protects it in accordance with the guidelines set down by the major card brands Visa, MasterCard, American Express, and Discover.
- The business will enhance its reputation with both customers and banking partners and facilitate a trust relationship.
- Implementing a PCI DSS security compliance program will demonstrate a commitment to enhancing the purchasing experience for the consumer.
Program Goals and Objectives
The primary goal of the PCI Program is to achieve and maintain PCI Compliance while reducing risks associated with the transmission, processing, and storage of cardholder data. This will be accomplished by:
- Educating personnel on credit card security and best practices
- Maintaining a library of actionable policies, standards, and procedures
- Securing technologies handling cardholder data with industry best practices in accordance with the PCI DSS
The secondary goal of the PCI Program is to establish business as usual (BAU) processes to facilitate ongoing PCI compliance. This will be accomplished by:
- Defining critical roles and responsibilities
- Developing a Steering Committee
- Developing a process to identify organizational changes that impact PCI compliance
Program Objectives Statements
The primary objectives of the PCI Program include:
- Develop a robust inventory of policies, standards, and procedures
- Establish repeatable, compliant processes and procedures
- Establish and deploy PCI-relevant security training materials
- Achieve and maintain a constant state of PCI Compliance (business as usual)
- Establish an inventory of critical roles and responsibilities
- Develop a centralized compliance validation process
- Develop a centralized reporting process
- Establish visibility and collaboration across the organization through a PCI Steering Committee
- Proactively identify and document key changes impacting PCI compliance
Success Factors
The following factors will determine whether the program is succeeding; they are not the specific criteria that will be used to measure program success or failure, but rather the benchmarks the program must meet in order to be successful.
The continued success of the PCI Program is contingent upon the following activities being completed:
- Quarterly steering committee meetings, including reviews of:
  - Daily log reviews
  - Firewall rule-set reviews
  - Application of configuration standards to new systems
  - Security alert responses
  - Change management processes
- Annual PCI DSS compliance certification
- Annual security awareness training with quarterly knowledge review
- Annual review of policies and standards
- No cardholder data breaches in previous year
Risks
Risks may be related to the business, technology, or a combination thereof. These risks should be analyzed and validated periodically as the program moves forward.
PCI Program risks include but are not limited to:
- Mergers and acquisitions having an unforeseen impact to PCI compliance
- Changes to the PCI DSS requirements over time affecting the company's PCI compliant status
- Evolving sophistication of criminals and their techniques compromising security
Program Constraints
It is imperative to document assumptions and constraints, both real and perceived, that may prevent the PCI Program from achieving its goals. Constraints may be related to the business, technology, or a combination thereof. These assumptions and constraints should be analyzed and validated periodically as the program moves forward.
PCI Program constraints include:
- Maintaining a large scope across multiple operations (e.g., locations and entities)
- Enforcing configuration and hardening guidelines across the enterprise
- Effectively segmenting in-scope systems
- Migrating from “point in time” assessment mentality
- Raising employee security education and awareness
- Assigning and enforcing control ownership
- Limited resources dedicated to PCI Compliance
- PCI requirements evolve
Charter Change Procedures
The PCI Program Charter is a “living document” maintained by the Chief Security Officer. The CSO reviews the Program Charter on an annual basis and provides updates as required. Change Control procedures are adhered to during the update process and the Program Charter is under version control at all times. Updated versions are submitted to the Security Committee and subsequently provided to all stakeholders.
Charter Acceptance
All members of the Security Committee attest to the objectives and goals of the PCI Program Office and commit to serving in an advisory capacity to the governance teams, guiding and monitoring the PCI Program Office to ensure compliance with the Payment Card Industry Data Security Standard (PCI-DSS).