All organisations that store, process or transmit payment card data need to comply with the Payment Card Industry Data Security Standard (PCI DSS). This is not a simple task: if you make mistakes when implementing the Standard's requirements, you will struggle to maintain compliance and expose yourself to data breaches, as well as to the fines and increased transaction fees that the card brands and acquiring banks impose on non-compliant merchants.
We understand that PCI DSS compliance is difficult, so we’ve laid out some recommendations based on our experience as a Qualified Security Assessor (QSA).
Create a roadmap for compliance
Conduct a PCI DSS gap analysis or pre-audit assessment to determine your organisation’s current level of compliance. This will help you see which requirements you need to address and how much work you need to do.
A gap analysis is usually carried out before a formal assessment by a QSA that results in a Report on Compliance (RoC) and Attestation of Compliance (AoC), and it helps organisations establish whether they are ready for that audit. After the assessor performs the gap analysis, they will send your organisation an assessment report and a roadmap of the steps you need to take to achieve and validate compliance with the Standard.
A PCI DSS gap analysis follows the same approach as an actual RoC assessment. It includes a detailed review of the organisation's compliance activities, such as on-site interviews with staff, an assessment of the in-scope system components and their configurations, verification that components treated as out of scope really are isolated from the cardholder data environment, and a physical and logical analysis of how cardholder data flows through the organisation.
Reduce the scope of the cardholder data environment
You can simplify your PCI DSS compliance project by analysing where your organisation stores, processes and transmits cardholder data, and then streamlining those processes. The smaller the cardholder data environment (CDE), the fewer systems the Standard's requirements apply to. Scope can be reduced by collecting and retaining less cardholder data, by cutting the number of systems and locations that handle it, and by segmenting the CDE from the rest of the network so that unrelated systems fall outside the assessment.
You should be careful about outsourcing the handling of cardholder data to third parties: you remain responsible for making sure the data is processed in line with the Standard's requirements. Check that each service provider can evidence its own PCI DSS compliance, and document in writing which requirements the provider covers and which remain with you.
Don’t separate PCI DSS compliance from the rest of your security framework
Many organisations make the mistake of treating PCI DSS compliance as a standalone project, separate from their overall IT governance, risk and compliance programmes. The PCI DSS is a baseline information security standard, so isolating it from the rest of your organisation's security framework leads to controls that are maintained only around audit time and increases the risk of data breaches.
To achieve and maintain compliance, organisations should adopt an integrated approach in which the Standard's controls are part of everyday processes, technology management and enterprise-wide staff education.
Find out more about PCI DSS compliance
If you want to learn more about achieving and maintaining PCI DSS compliance, attend our webinar PCI DSS: Challenge or opportunity? You will find out:
- The basics of the PCI DSS and how to become compliant;
- The biggest payment security challenges facing organisations;
- How to achieve and maintain compliance; and
- How the PCI DSS can help you meet the requirements of the EU General Data Protection Regulation.
This webinar will take place on 12 December 2017, from 3:00 to 4:00 pm. If you cannot attend, the presentation will be available to download from our website.