The Journey to PCI DSS Compliance Begins One Swipe at a Time
Data security issues seem to be in the news every day. Credit card data breaches grab the headlines as companies are targeted by malicious individuals or organizations. Payment Card Industry Data Security Standard (PCI DSS) compliance is complex, and the journey to reach it can be confusing, with both merchants and service providers wondering how to begin.
Where to start
Experience has shown that there are some clear, focused steps you can take to begin your journey to PCI DSS compliance. Yes, a journey. PCI DSS compliance is not a "checklist" to be completed but a set of security processes and practices that should become part of your company's security framework and day-to-day operations.
- Understand how PCI DSS applies to your business. Merchants and service providers have unique requirements, so start by getting to know your merchant or service provider level.
- Read the PCI DSS and the testing procedures to gain insight and understanding of the expectations and intent of the requirements. Depending on your merchant or service provider level, there are different reporting requirements that impact how many items in the standard apply.
- Define and document the business processes and technologies that are used to process credit card payments, including the path that card data travels through your network.
- Identify the vendors you partner with in the payment process and validate that they are also PCI DSS compliant.
- Bring your policies and procedures up to PCI DSS standards. There are many specific documentation requirements, and this is a key step in achieving compliance.
- Understand your options for reducing the scope of PCI DSS, such as network segmentation, tokenization, or outsourcing.
Successful PCI compliance
Successful compliance is based on the following core tenets:
- Minimize the attack surface of your card data footprint.
- Apply standards-based controls as defined by the PCI DSS. Controls should be part of day-to-day operations and must be diligently followed, with a rigorous exception management process in place.
- Monitor your card data environment closely for changes to systems and suspicious activity.
- Test your card data environment. External and internal penetration testing must occur annually or after significant changes. External and internal vulnerability scanning and wireless testing must occur at least quarterly.
- Engage an expert to help you through the process. This is not a task to hand off to your IT staff to figure out on their own.
Get help if you need it
Understanding the lengthy PCI DSS compliance requirements is a daunting task at best. It is a huge benefit to have a friendly "translator" on this journey who understands the language of the standard and can guide you through the process. Look for Qualified Security Assessor (QSA) companies, which are organizations that have been qualified by the PCI Security Council to have their employees assess compliance with the standard.
Qualified Security Assessors are employees of these organizations who have been certified by the council to validate an entity's adherence to the PCI DSS. QSAs know the standard and can assist in determining how your organization stacks up and how to close any gaps. A QSA can also determine if your approach or solution meets the requirements defined by PCI DSS.
Yes, the move to PCI DSS compliance will be a journey, but you can get there, one swipe at a time.