The Key Methods to Establish PCI Compliant Risk Management for BYOD Initiatives

It is clear that successful BYOD implementations are tied to a larger business push with the goal of achieving productivity gains. However, too many BYOD initiatives fail to properly prioritize and establish a risk management strategy. This is especially important in PCI compliant industries, such as banking or financial institutions. Risk management of BYOD deployments must not only meet business goals, but also align to an organization’s security policies in order to achieve success. It is therefore of utmost importance that the financial industry enhance MDM capabilities to ensure that appropriate PCI compliant risk management is in place for BYOD initiatives.

While the methods behind securing BYOD are many and far reaching, there are some key methods that I hone in on when working with financial houses. These methods ensure PCI compliance while maintaining a high degree of usability for an organization’s BYOD user base.

Know The Who’s, The What’s, The Why’s, Etc.

I like to start with knowing the who’s, the where’s, and the what’s behind network and data access. When implementing BYOD initiatives, a financial organization must know what data can be accessed by whom and through what network connectivity route said access is traveling. While this seems obvious, it brings up internal questions:

  • What email accounts are affected by BYOD?
  • What about VPN connectivity or cloud-based applications?
  • Are any BYOD accounts showing suspicious activity or an elevated level of failed authentication attempts?
  • Do any business applications have open authentication that can be accessed by BYOD users?

Having the ability to monitor BYOD users and devices is required to carefully guard data access.

BYOD Device Configuration

This should be a given, but the number of financial organizations I have seen that have multiple—and in some cases, personal—BYOD configurations is just outright baffling. Since most BYOD policies revolve around mobile devices, and mobile devices are highly susceptible to physical loss, the level of risk management in guarding from data loss also is high.

The best line of defense is to make sure that any BYOD policy includes a hardened security policy that leverages security intelligence that is easily reproducible from device to device. Financial organizations need to have a default, one size fits all, BYOD security policy that goes into effect during device provisioning. And while in some industries having the user provision the device themselves is adequate, financial institutions cannot take the risk of running afoul of a PCI requirement, and should plan their BYOD security policy accordingly.

Have a Data Breach Plan

Even the best security intelligence may not be enough to thwart a data breach and it would be largely impossible to prevent data breaches altogether, which is why I always stress that the best approach to preventing a data breach is to reduce the risk. This means organizations need to be prepared for what to do when a breach does occur.

Think about who needs to be notified, what a root cause analysis needs to include, what configuration changes are needed, and most importantly, remediating the immediate threat. While getting this setup may be time consuming, it will pay dividends when the proverbial you know what hits the fan, and will keep the situation from becoming overwhelming to the business.

Something I like to recommend is to have both a digital and print copy of a data breach plan runbook. In the event of a DDoS, the ability to access any online systems, internal or cloud, will be severely inhibited. It is best to have a physical copy so an organization can spring into action without pause.

Initiate Regular Internal Audits

Instead of waiting for an auditor to tell your organization what is wrong, conduct regular and equally (if not more) stringent audits on your BYOD environment. This aids financial organizations in keeping BYOD risk management processes up-to-date with the business needs and regulatory changes.

Use an All-In-One BYOD Management Tool

The best way to go about implementing all the above steps is to find a great all-in-one tool that eliminates the user factor for the most part while maintaining a secure and standardized BYOD environment. I always go reach with IBM’s BigFix as my MDM tool of choice. It is an all encompassing, security and management heavyweight that is configured right out of the gate with PCI compliance in mind.  BigFix provides a single, scalable solution that provides constant real-time monitoring of not only your BYOD devices, but any asset in the organization. The easy to configure baselines can provision BYOD devices with an organization’s security compliant policy, and remediate devices on the fly as needed.

When I put these abilities into play during a BYOD initiative has always resulted in huge gains and increased ROI for the organization. The ability to manage, report and remediate devices in real-time is a must for a financial organization with PCI concerns.

The Key To Success

Experienced and proven solutions are a must when it comes to establishing a risk management policy for BYOD devices. Champion is a great partner in maintaining BYOD usability for device users while meeting a financial institution’s stringent regulatory and PCI requirements through the use of an advanced MDM system like BigFix.


SAP S/4HANA is Helping Enterprise Customers Digitally Transform Their Businesses


Best Practices to Prevent Revenge DDoS in Banking Using QRadar


Erick Bacallao joined Champion Solutions Group in 2015 after a career of Software Development in Cuba at the National Cancer Care Institute of Cuba, followed by moving to the States with allAware.


Champion acquired allAware and its properties and Erick has utilized his extensive background and expertise in IT and Software Development to rise to VP of Product Development in less than 5 years. During this time, Erick has been involved with key projects that led to the launch of numerous products including CSP Boss, Inscape platform and 365 Productivity Insights.


Erick has a Bachelor of Science in Computer Science from the University of Havana. He won Gold Medals for Programming from the Ministry of Education in Cuba, and he is certainly still a Gold Medalist for Champion!


As President and CEO, Chris is responsible for the development of key strategic alliances and solution portfolio. He leads Champion’s go-to market and execution strategies for integrated offerings in the cloud, in security, and in digital infrastructure, always focusing on improving the customer experience and driving transformative business outcomes.


He also aligns key partner initiatives with company strategy and oversees corporate marketing and messaging to gain mindshare with customers and partners. It’s his vision and innovativeness that have catapulted Champion up the ranks to become a $100M+ organization—and one of the most respected solution providers in the industry.


Over the past two decades, Chris has also focused on mergers and acquisitions, as well as innovative product development. He is the original founder and an active member on the Board of Managed Maintenance, Inc., a SAAS provider and consulting firm that utilizes their award-winning One-View Portal to help the IT Channel and its customers manage their IT Maintenance.


Chris is also the original founder and chief strategist behind one of the original storage cloud providers, Storage Access / BluePoint. During the course of a few short years, he had raised $20M and took that company public on the Toronto Stock Exchange. It has since been acquired by Pomeroy.


In 2012, Chris led the acquisition of MessageOps and continued the product development and worldwide launch of its premier SAAS, 365 Command. Built on Microsoft Azure, 365 Command is currently managing over 1 million seats of Microsoft’s Office 365. After achieving this phenomenal milestone, 365 Command and other MessageOps O365 utilities were sold to Kaseya.


Over the past 35 years, Chris as worked tirelessly to not only advance his own career, but those of his employees. In addition to leading a $100M organization, Chris can also be found sitting with sales teams, cold calling and coaching, and validating why Champion has been listed on Best Places to Work by both South Florida Business Journal and Computerworld.

Ultimately, the success garnered by Champion Solutions Group, its associated companies, and their employees is due in large part to the leadership of its President and CEO. Perhaps the most fitting award Chris has earned is South Florida Business Journal’s 2013 Ultimate CEO Award.