Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required of every entity that stores, processes or transmits cardholder data, with the aim of reducing card fraud and identity theft. The standard is critical to minimizing risk and maximizing the protection of cardholder data.
Many merchants and service providers are struggling to bring their credit card processing environment in compliance with the PCI Data Security standard. The key to this is planning and preparation: proper prior preparation prevents poor performance. PCI DSS compliance is a demanding task and companies must carefully prepare and plan for it.
Organizations must first understand their cardholder data environment before any planning activity. Two critical steps are completing the Self-Assessment Questionnaire (SAQ) that applies to your merchant or service provider type, and performing a preliminary gap analysis against the twelve PCI DSS requirements to assess your readiness.
With a good understanding of your environment, you should now have an idea of where you are. Now you can start planning on how to get to where you need to be.
What you need to know
Find out what you need to do to demonstrate compliance: your merchant or service provider level, set by your acquirer and the card brands, determines whether you need an on-site assessment by a Qualified Security Assessor (a Report on Compliance), a self-assessment questionnaire, quarterly external vulnerability scans by an Approved Scanning Vendor, or a combination of these.
Get senior management buy-in: Compliance with PCI DSS is a business risk issue. Get senior management support before you embark on this journey as you will need a lot of resources to achieve compliance: money, people and time.
Involve multiple departments: PCI compliance is not just an IT or corporate security initiative. Involve HR, operations, finance, accounting and others.
Leverage other compliance programs: The work required by PCI DSS may already be done. Make sure you align your PCI compliance efforts with other compliance efforts going on in your organization.
Review third-party agreements: Make sure third-party and all connected-entity agreements contain language that they must be PCI compliant, if necessary.
Segment your network: Although internal network segmentation is not a requirement of PCI DSS, it can significantly reduce the scope of your PCI assessment, and therefore the cost and effort required. A flat network design puts your whole organization in scope of the assessment, because every system can reach the cardholder data environment. Review your network diagram and, wherever feasible, isolate the cardholder data environment from the rest of your network with firewalls or access control lists that permit only the flows the business needs; be ready to show the assessor evidence (rule sets, scan results) that the segmentation actually works.
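To make the scoping effect of segmentation concrete, here is an added example (not code from the original article) that classifies network segments by their permitted connectivity to the cardholder data environment. The segment names and firewall flows are a constructed inventory, and the classification rule is a simplification: a segment with any permitted flow to or from the CDE is treated as "connected-to" and therefore in scope, while segments with no such flow are out of scope. Real PCI scoping also pulls in systems that can affect the security of the CDE (directory services, patch servers, log collectors), which this model does not capture.

```python
from typing import Dict, List, Set, Tuple

# A flow is (source_segment, destination_segment, permitted service).
Flow = Tuple[str, str, str]

# Constructed inventory with hypothetical segment names (not from the original page).
SEGMENTS: Set[str] = {"cde-pos", "cde-payments", "corp-users", "corp-hr", "dev", "guest-wifi"}
CDE: Set[str] = {"cde-pos", "cde-payments"}

# Flat design: every segment may reach every other segment on any port.
FLAT_FLOWS: List[Flow] = [(a, b, "any") for a in SEGMENTS for b in SEGMENTS if a != b]

# Segmented design: only the flows the firewall policy explicitly permits.
SEGMENTED_FLOWS: List[Flow] = [
    ("cde-pos", "cde-payments", "tcp/443"),
    ("corp-users", "cde-payments", "tcp/443"),  # help-desk access into the CDE
    ("dev", "corp-users", "tcp/22"),
    ("corp-hr", "corp-users", "tcp/445"),
]


def in_scope(segments: Set[str], cde: Set[str], flows: List[Flow]) -> Dict[str, str]:
    """Classify each segment as 'cde', 'connected-to' (a permitted flow to or from
    the CDE exists) or 'out-of-scope'. Simplified direct-connectivity rule only."""
    result = {s: ("cde" if s in cde else "out-of-scope") for s in segments}
    for src, dst, _service in flows:
        if src in cde and dst not in cde:
            result[dst] = "connected-to"
        elif dst in cde and src not in cde:
            result[src] = "connected-to"
    return result


def scope_size(classification: Dict[str, str]) -> int:
    """Number of segments the assessor would have to look at."""
    return sum(1 for v in classification.values() if v != "out-of-scope")


if __name__ == "__main__":
    for label, flows in (("flat", FLAT_FLOWS), ("segmented", SEGMENTED_FLOWS)):
        classification = in_scope(SEGMENTS, CDE, flows)
        print(f"{label}: {scope_size(classification)} of {len(SEGMENTS)} segments in scope")
        for seg in sorted(classification):
            print(f"  {seg:14s} {classification[seg]}")
```

With the flat rule set all six segments are in scope; with the segmented rule set only the two CDE segments and the help-desk segment that is allowed to reach them remain, so the assessment (and the remediation effort) shrinks to half the environment. The help-desk flow is the kind of rule worth questioning: if it can be replaced by a jump host inside the CDE, corp-users drops out of scope too.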
Information security management system: To comply with PCI DSS you must have a comprehensive set of security policies in place.
Take advantage of compensating controls: If you cannot meet a PCI requirement exactly as written because of a legitimate technical or documented business constraint, you can use alternate controls to compensate for the gap. The compensating control must go above and beyond other PCI requirements, must meet the intent and rigour of the original requirement, and must be documented in the compensating controls worksheet so the assessor can evaluate it.
Vulnerability assessment: This will help identify vulnerabilities you may have on your network and to start the remediation efforts ahead of time.
Retain only necessary data: If you don't need it, don't store it. Eliminating cardholder data from your environment does two things for you: it removes the risk attached to that data and it reduces the scope of your PCI assessment. Sensitive authentication data (full track data, the card verification code, PIN or PIN block) must never be stored after authorization, even in encrypted form; the primary account number may be kept only if there is a business need and it is rendered unreadable wherever it is stored. Search your logs, databases and file shares for card numbers that have leaked into places nobody intended, because those are the findings that surprise organizations during an assessment.
Get documentation ready for assessors: Make sure you have well documented policies and procedures, third-party agreements, configuration standards, technical documentation and network diagrams ready for the assessors. Make sure they are well organized, clear and up-to-date.
Get clarification from the PCI Council or your acquirer: If you need help interpreting any of the PCI requirements, contact the PCI Security Standards Council directly. Your acquirer can answer questions about your merchant or service provider level and about how you are expected to validate compliance.
Finally, be ready to prove that you have exercised "due care." Companies should focus on building good security into their network rather than on PCI compliance as an end in itself. For the most part, the PCI Data Security Standard is a set of security best practices and controls that organizations should have had in place all along. With this approach, demonstrating PCI compliance becomes easier: all you have to do is document the security controls you already operate and be ready to show the evidence that you have done your due diligence.