PCI AOC Non-Compliance: A Practical Guide

TL;DR

Your employer has an Attestation of Compliance (AOC) but isn’t actually compliant with PCI DSS? This is serious. You need to document everything, escalate internally, and understand your reporting obligations. Here’s a step-by-step guide.

What To Do When Your Employer Isn’t Compliant

  1. Document the Non-Compliance: This is *crucial*. You need evidence.
    • Identify Specific Failures: Map each gap to the PCI DSS requirement it breaches and describe it precisely. For example, instead of “weak security”, write “Firewall rule X allows inbound SSH (TCP port 22) from untrusted networks” and cite PCI DSS Requirement 1 (network security controls).
    • Gather Evidence: Screenshots, logs, configuration files – anything that proves the issue. Date and time stamp everything, record exactly where each item came from (the command run, the host, the file path), and keep a copy somewhere it cannot be quietly altered once remediation starts.
    • Create a Report: A clear, concise document outlining each non-compliance item with supporting evidence.
  2. Escalate Internally: Don’t ignore this.
    • Inform Your Manager: Start with your direct line manager. Explain the situation and present your report.
    • Involve Relevant Teams: If necessary, escalate to IT security, compliance teams, or even senior management (CISO, CIO).
    • Request a Remediation Plan: Push for a formal plan with timelines and assigned owners to fix the issues.
  3. Understand Your Reporting Obligations: This depends on your role and company policy.
    • Check Company Policies: Does your employer have a whistleblowing policy or specific procedures for reporting cyber security concerns? Follow those.
    • Consider PCI SSC Guidance: The AOC is signed by an executive officer of the assessed entity (and by the Qualified Security Assessor where one performed the assessment), so you are not the one attesting. Even so, knowingly allowing a false attestation to stand could be problematic for you. Review the PCI Security Standards Council website for guidance on responsibilities.
    • Legal Counsel (Optional): If you are unsure of your legal obligations or fear retaliation, consult with a lawyer specialising in data security and compliance.
  4. Verify Remediation Efforts: Once a plan is in place, track progress.
    • Review Changes: As fixes are implemented, verify they address the identified non-compliance items.
    • Request Re-Testing: If possible, request that an independent assessor re-test the affected systems after remediation; for the compliance record that means the Qualified Security Assessor (QSA), or the Internal Security Assessor if the organisation self-assesses, not the team that made the fix.
    • Document Verification: Keep records of your verification efforts.
  5. Technical Checks (Examples): These are illustrative; specific checks depend on your environment.
    • Firewall Rules:
      iptables -S

      lists the active rules in the same form as the commands that created them, which is the easiest form to parse and to quote verbatim in a report (run as root, and repeat with ip6tables -S for IPv6). Look for a default INPUT policy of ACCEPT, and for ACCEPT rules on the INPUT chain with no source restriction or with sources outside the cardholder data environment on management and database ports.

    • Antivirus Status: Check that definitions are current and that scheduled scans actually run and log their results (PCI DSS Requirement 5). Many products expose this on the command line; on ClamAV, for example, clamscan --version prints the engine version together with the signature database version and its date, and the freshclam log shows when definitions were last updated.
    • Access Control Lists (ACLs): Review ACLs and database grants on systems that store, process or transmit cardholder data, and confirm that each account holds only the access its role needs (PCI DSS Requirement 7). Shared or generic accounts with broad rights are a common finding.
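
The firewall check above is the one that most often yields a concrete, quotable finding, so here is an added example (not code from the original article) of turning raw iptables -S output into the timestamped evidence records that step 1 asks for. It parses each INPUT-chain rule, flags a default ACCEPT policy and ACCEPT rules that expose sensitive ports (or all traffic) to sources outside a set of trusted networks, and hashes the exact rule text so the evidence can be re-verified later. The sensitive-port list, the trusted networks and the sample rule set are constructed for the example; adjust the first two to your own cardholder data environment.

```python
"""Audit `iptables -S` output for overly permissive inbound rules and turn each hit
into a timestamped, hashed evidence record. Added example, not part of the original
article; SENSITIVE_PORTS, TRUSTED_NETWORKS and SAMPLE_IPTABLES_S are constructed."""
import hashlib
import ipaddress
import json
import subprocess
import sys
from datetime import datetime, timezone

# Services that must not be reachable from untrusted networks on a host in the
# cardholder data environment. Illustrative list, an assumption of this example.
SENSITIVE_PORTS = {22: "ssh", 23: "telnet", 3306: "mysql", 3389: "rdp", 5432: "postgresql"}

# Address ranges this example treats as trusted (constructed values).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Options whose next token is a value we care about; everything else is skipped.
VALUE_OPTS = {"-A": "chain", "-i": "in_iface", "-s": "src", "-p": "proto",
              "--dport": "dport", "--ctstate": "state", "--state": "state", "-j": "target"}


def parse_rule(line):
    """Parse one `-A` line from `iptables -S` into the fields the audit needs."""
    rule = {"chain": None, "in_iface": None, "src": None, "src_negated": False,
            "proto": None, "dport": None, "state": None, "target": None}
    tokens = line.split()
    negate = False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                      # iptables prints negated matches as "! -s 10.0.0.0/8"
            negate = True
            i += 1
            continue
        if tok in VALUE_OPTS:
            rule[VALUE_OPTS[tok]] = tokens[i + 1]
            if tok == "-s":
                rule["src_negated"] = negate
            i += 2
        else:
            i += 1
        negate = False
    return rule


def ports_in(dport):
    """Expand a --dport value ("22" or "6000:6010") into the integer ports it covers."""
    lo, _, hi = dport.partition(":")
    return range(int(lo), int(hi or lo) + 1)


def source_is_untrusted(rule):
    """No -s, a negated -s, or an -s outside TRUSTED_NETWORKS means untrusted hosts match."""
    if rule["src"] is None or rule["src_negated"]:
        return True
    src = ipaddress.ip_network(rule["src"], strict=False)
    return not any(src.version == net.version and src.subnet_of(net) for net in TRUSTED_NETWORKS)


def finding(observed_at, rule_text, issue):
    """One evidence record: what was seen, when, and a digest of the exact text seen."""
    return {
        "observed_at": observed_at.isoformat(),
        "pci_dss_requirement": "1 (network security controls)",
        "rule": rule_text,
        "issue": issue,
        "sha256": hashlib.sha256(rule_text.encode()).hexdigest(),
    }


def audit_iptables(output, observed_at=None):
    """Return findings for INPUT-chain rules exposing sensitive ports, or everything, to untrusted sources."""
    observed_at = observed_at or datetime.now(timezone.utc)
    findings = []
    for raw in output.splitlines():
        line = raw.strip()
        if line == "-P INPUT ACCEPT":
            findings.append(finding(observed_at, line,
                                    "default INPUT policy is ACCEPT; unmatched inbound traffic is allowed"))
            continue
        if not line.startswith("-A INPUT "):
            continue
        rule = parse_rule(line)
        if rule["target"] != "ACCEPT" or rule["in_iface"] == "lo":
            continue                        # only ACCEPT rules matter; loopback is expected
        if not source_is_untrusted(rule):
            continue
        if rule["dport"] is None:
            # Reply traffic (RELATED,ESTABLISHED) is expected; a blanket ACCEPT is not.
            if rule["state"] is None:
                findings.append(finding(observed_at, line, "accepts all inbound traffic from any source"))
            continue
        for port in ports_in(rule["dport"]):
            if port in SENSITIVE_PORTS:
                findings.append(finding(observed_at, line,
                    f"inbound {SENSITIVE_PORTS[port]} ({rule['proto']}/{port}) accepted "
                    f"from untrusted source {rule['src'] or 'any'}"))
    return findings


# Constructed sample of `iptables -S` output: three findings, two legitimate rules, one safe service.
SAMPLE_IPTABLES_S = """\
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j DROP
"""

if __name__ == "__main__":
    # `python audit.py live` audits the running host (needs root); otherwise the sample is used.
    if "live" in sys.argv:
        text = subprocess.run(["iptables", "-S"], capture_output=True, text=True, check=True).stdout
    else:
        text = SAMPLE_IPTABLES_S
    print(json.dumps(audit_iptables(text), indent=2))
```

Against the sample the audit reports the default ACCEPT policy, SSH open to any source, and MySQL open to 203.0.113.0/24; the SSH rule restricted to 10.0.0.0/8, the loopback and conntrack rules, and the HTTPS rule produce nothing. Keep the JSON output with the raw iptables -S capture it was derived from: the record's digest lets anyone later confirm the quoted rule text is unaltered, but the raw capture is still the primary evidence.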

Important Note: Falsely attesting to PCI DSS compliance can have severe consequences, including fines, loss of merchant accounts, and reputational damage. Your proactive action is vital.
