PCI DSS Compliance: A Journey

by Jody Speer
CliftonLarsonAllen LLP

The journey to PCI DSS compliance begins one swipe at a time.

Data security issues seem to be in the news every day. Credit card data breaches grab the headlines as companies are targeted by malicious individuals and organizations. Payment Card Industry Data Security Standard (PCI DSS) compliance is complex, and the journey to reach it can be confusing, with both merchants and service providers wondering how to begin.

Where to Start
Experience has shown there are some clear, focused steps you can take to begin your journey to PCI DSS compliance. Yes, a journey. PCI DSS compliance is not a checklist to be completed, but a set of security processes and practices that should become part of your company’s security framework and day-to-day operations.

  • First, understand how PCI DSS applies to your business. Merchants and service providers have different validation requirements, so start by determining your merchant or service provider level (assigned by your acquirer or the card brands, based on annual transaction volume).
  • Read the PCI DSS and its testing procedures (available at pcisecuritystandards.org) to understand the expectations and intent behind each requirement. Your level determines how you validate compliance, either with a self-assessment questionnaire (SAQ) or with an on-site assessment that produces a Report on Compliance (ROC), and the SAQ you are eligible for determines how many of the requirements you must answer to.
  • Define and document the business processes and technologies that process credit card payments, including every path card data travels through your network; a data-flow diagram is the usual way to capture this.
  • Identify the vendors involved in your payment process (processors, gateways, hosting providers) and verify that they are PCI DSS compliant, for example by obtaining their Attestation of Compliance (AOC).
  • Bring your policies and procedures up to PCI DSS standards. There are many specific documentation requirements, and this is a key step in achieving compliance.
  • Understand your options for reducing the scope of your PCI DSS assessment, such as network segmentation, tokenization, or outsourcing card processing entirely.

Successful PCI Compliance
Successful compliance is based on the following core tenets:

  • Minimize your card data footprint. Store cardholder data only where there is a business need, and keep the number of systems that store, process or transmit it as small as possible, since every such system is in scope.
  • Apply the controls defined by the PCI DSS. They should be part of day-to-day operations and followed diligently, with a rigorous exception management process in place.
  • Monitor your card data environment closely for changes to systems and for suspicious activity.
  • Test your card data environment. External and internal penetration testing must occur at least annually and after any significant change; if you rely on segmentation to reduce scope, the penetration test must also confirm that the segmentation actually isolates the card data environment. External and internal vulnerability scanning and wireless access point detection must occur at least quarterly, and the external scans must be performed by an Approved Scanning Vendor (ASV).
  • Engage an expert to help you through the process. This is not a task to hand off to your IT staff to just figure out on its own.
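As an added example (not from the original article or its author), the Python script below does the kind of card data discovery that the "document the path card data travels" step and the "minimize your card data footprint" tenet call for. It finds candidate primary account numbers (PANs) in text such as application logs or database exports, keeps only the ones that pass the Luhn check, and records them masked to the first six and last four digits, so the scan itself does not create a new copy of cardholder data. The log lines are constructed for the example; the function names are the example's own.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or dashes,
# not preceded or followed by another digit (so a 20-digit run is not split up).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check over a string of digits (right to left, double every second digit)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits):
    """Keep at most the first six and last four digits, as PCI DSS requirement 3.3 allows for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Return [(offset, masked_pan), ...] for every Luhn-valid candidate in one string."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append((m.start(), mask_pan(digits)))
    return findings


def scan_lines(lines):
    """Scan an iterable of text lines; return [(line_number, masked_pan), ...].

    Only masked values are returned, so the result can be written to a findings
    report without the report itself becoming cardholder data.
    """
    results = []
    for n, line in enumerate(lines, 1):
        for _, masked in find_pans(line):
            results.append((n, masked))
    return results


# Constructed sample log lines (test card numbers, not real accounts).
SAMPLE_LOG = [
    "2024-01-15 10:12:03 order=8841 pan=4111111111111111 exp=12/26 amount=19.99",
    "2024-01-15 10:12:04 order=8842 token=tok_9f3a2c7e amount=19.99",
    "customer note: card ending 4111 1111 1111 1111 declined",
    "2024-01-15 10:13:00 tracking=1234567890123 carrier=ups",
    "amex on file: 3782 822463 10005",
]

if __name__ == "__main__":
    for line_no, masked in scan_lines(SAMPLE_LOG):
        print(f"line {line_no}: PAN found {masked}")
```

Line 2 (a tokenized transaction) and line 4 (a 13-digit tracking number that fails Luhn) produce no finding; lines 1, 3 and 5 do. A Luhn pass is only a candidate, since roughly one in ten random digit strings passes, so review hits in context. Any system where this scanner finds real PANs is in scope for PCI DSS, and the first question to ask is whether that system needs to hold the data at all.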

Get Help If You Need It
Understanding the lengthy PCI DSS compliance requirements is a daunting task at best. It can be a huge benefit to have a friendly "translator" on this journey who understands the language of the standard and can guide you through the process. Visit pcisecuritystandards.org to look for Qualified Security Assessor (QSA) companies, which the PCI Security Standards Council has qualified to have their employees validate an entity's adherence to the PCI DSS. QSAs know the standard and can help determine how your organization stacks up, as well as how to close any gaps.

Yes, the move to PCI DSS compliance will be a journey, but you can get there, one swipe at a time. iBi

Jody Speer, ITIL V3F, CRISC, CISA, PCI-QSA is engagement director of information security at CliftonLarsonAllen LLP. She can be reached at jody.speer@CLAconnect.com or (612) 376-4696.