Organizations face persistent challenges in achieving, and more importantly, sustaining Payment Card Industry Data Security Standard (PCI DSS) compliance. Due to the burgeoning number of competing regulatory requirements, organizations often find themselves overwhelmed with PCI security complexity and repeat failures in sustaining compliance, resulting in compliance fatigue.
Two influential thought leaders of our time offer invaluable insights to help organizations solve the challenges of complexity. Eliyahu Goldratt developed the Theory of Constraints (TOC) and H. William Dettmer authored the Logical Thinking Process (LTP)[1]. The TOC is a philosophy that focuses on identifying and improving the limiting factor (constraint) in a system to enhance overall productivity. The LTP is a structured methodology designed to help identify and solve complex problems by systematically addressing constraints and creating logical solutions through various thinking and analysis tools.[2]
Goldratt’s approach provides a practical method for spotting system-level issues[3] while Dettmer dives into organized processes for unpacking complexity. This combination of approaches can empower organizations with the knowledge needed to fulfill regulatory requirements. It helps them overcome stagnation and frustration tied to sustainable compliance efforts. The outcome should be lasting compliance success, emphasizing the importance of identifying constraints while using a logical approach to develop PCI security compliance programs.
The value of pinpointing constraints
Navigating the PCI Data Security Standard encourages departing from conventional approaches, especially when organizations grapple with a persistent cycle of noncompliance. Verizon’s analysis of PCI security compliance efforts over the last decade reveals a nagging problem: how to overcome compliance program stagnation. Verizon’s research suggests there is a pressing need for organizations to break free from repetitively implementing the same strategies and their lackluster results. Despite understanding PCI DSS compliance’s importance, organizations often find themselves at a standstill with their PCI security, having effectively reached a plateau and lost momentum.
Goldratt says we should change our thinking to solve system issues. Dettmer’s Logical Thinking Process helps with this shift by identifying how to overcome underlying constraints through the use of logical methods rather than by just treating symptoms. Combining Goldratt’s practical advice and Dettmer’s method may offer organizations a path to achieve long-term compliance success by strategically using logic to identify and address constraints in compliance programs.
Challenging the constraints plateau
Achieving and maintaining PCI security compliance presents a formidable challenge for organizations already burdened by the perpetual need to adapt to technological advancements and continuously evolving regulations. This ongoing struggle is better understood through comprehensive analyses, as outlined in the Payment Security Report (PSR)[4], which Verizon has published for more than a decade. The PSR highlights that solving the challenges of PCI security compliance management extend well beyond technical solutions. Instead, the key to sustainable PCI security compliance lies in digging deep and comprehending the intricate interplay between various contributing factors. This approach provides the insight needed to understand why organizations frequently encounter stagnation and regression in their PCI security compliance efforts.
Think of your PCI security compliance program as analogous to the intricate workings of an automobile, where various interconnected parts—engine, transmission, brakes, and electronics—must function seamlessly for optimal performance. A PCI security compliance program involves regulatory and logical tools for the interconnected elements, such as network security, data encryption, access controls, system updates, change management—the list goes on and on. Like a malfunctioning part in a car that can cause disruptions, a flaw in any single PCI security compliance area can disturb the entire compliance “vehicle” or program. This analogy underscores the point that effective compliance management goes beyond addressing individual elements; it’s about ensuring the cohesive functioning and security of the entire “automobile” to create a fully operational compliance program.
The importance of constraint identification
Just as addressing a bottleneck in a car’s system can improve performance, pinpointing and understanding the constraints that are interfering with your system performance is becoming increasingly imperative. In the evolving security landscape, recognizing and overcoming PCI security constraints optimizes the efficiency of each component in the system to create a smoother journey of sustainable compliance success.
The LTP is a crucial tool for overcoming new PCI DSS compliance challenges and improving existing PCI DSS compliance programs. Just as a skilled mechanic systematically uses a step-by-step logical approach to troubleshoot and enhance the interconnected components of a vehicle, organizations must regularly apply logical thinking tune-ups to assess, strategize and innovate within their compliance framework. Regularly looking under the “hood” to observe the complex machinery in both systems—the advanced automobile and the intricate PCI security compliance structure—serves to expose constraints that can then be addressed by a systematic and logical approach.
Ok, so what now?
Implementing the Logical Thinking Process should result in a better understanding of how each component, process and team plays a pivotal role in the overall success of the system. Starting a thorough system assessment isn’t just about reviewing individual parts; it’s an exploration of how these parts connect and impact one another as a whole.
When identifying and prioritizing constraints, it’s crucial to acknowledge and identify how each constraint’s impact ripples through the entire PCI security compliance framework. Just like a mechanic diagnosing and tweaking a vehicle’s exhaust system for it to pass inspection, component constraints can either improve or worsen the overall system performance. This underscores the importance of accurate diagnoses by a reliable mechanic, as even well-intentioned efforts may lead to a breakdown on the highway if the root cause of the problem is misunderstood.
Employing the Logical Thinking Process helps to establish a systematic and precise approach when addressing PCI security compliance challenges. In sum, the LTP can help:
Define the overall goal of compliance
Before delving into assessments and constraint identification, clearly define the goal, critical success factors, and necessary conditions that MUST exist for you to achieve PCI security compliance. Understand why compliance is crucial for your organization and its stakeholders. This step lays the foundation for a targeted and purpose-driven approach, ensuring that efforts are aligned with the overarching objective of safeguarding sensitive data.
2. Conduct a comprehensive system assessment
Once the overall goal, critical success factors, and necessary conditions are established, initiate a thorough assessment of your current PCI security compliance system in its entirety. Recognize that each component, process, and team contribute to the achievement of the defined goal. Ask yourself if you currently are meeting each of the critical success factors identified in Step 1. This holistic view ensures that the evaluation goes beyond individual elements to understand their interdependencies and collective impact.
3. Identify and prioritize constraints
Apply the Logical Thinking Process to systematically identify and prioritize what prevents you from achieving your critical success factors – essentially, constraints within the PCI security compliance system. Emphasize how each constraint may affect the attainment of the overall compliance goal. This step involves recognizing the interconnectedness of various elements, similar to a mechanic diagnosing and prioritizing issues in a vehicle’s components for optimal performance.
4. Root cause analysis and strategic planning for innovation
Conduct a thorough root cause analysis to explore the underlying factors contributing to constraints. Recognize the broader impact these constraints can have on the overall compliance framework. Formulate a strategic innovation plan that considers how enhancements in one aspect can positively influence the entire system. This step aligns with the comprehensive nature of the compliance program, emphasizing the interconnected dependencies crucial for sustained success. Acknowledge the ripple effect these constraints may have on the overall PCI security compliance framework. Develop a strategic plan that considers how improvements made in one area can positively impact the entire system. This step aligns with the comprehensive nature of the compliance program, emphasizing the interdependencies crucial for long-term and sustained success.
Conclusion
When navigating the complexities of achieving PCI security compliance, success hinges on a nuanced understanding of the interdependencies within the PCI security “system.” Establishing the overall goal of compliance sets the stage for a purpose-driven journey, where every component, process, and team member understands and plays a crucial role in achieving this overarching objective. Following the Logical Thinking Process is a highly effective means not only for systematically addressing constraints, but for optimizing the entire compliance framework as a whole.
[1] H. William Dettmer, The Logical Thinking Process: A Systems Approach to Complex Problem Solving, Milwaukee, Wisconsin, ASQ Quality Press, 2007
[2] Verizon Payment Security Report, 2022, pages 9 and 64-79, www.verizon.com/paymentsecurityreport
[3] Eliyahu M. Goldratt, Jeff Fox: The Goal: A Process of Ongoing Improvement, North River Press, 2004
[4] www.verizon.com/paymentsecurityreport
Matthew Arntsen is senior manager of security risk management and the North America lead for Verizon Cyber Security Consulting.
Data and Information Security