The PCI DSS requirements embody many security best practices. Security professionals from around the world have pooled their collective knowledge to establish the DSS requirements. While compliance with the DSS is by no means a security guarantee, it does provide a solid security baseline. In addition, should you suffer a data breach, compliance with the PCI DSS may provide an additional defense and mitigate your liability.
Many people are surprised to learn that every organization that accepts, stores, manages, processes, or transmits payment card information is required to comply. There are zero exceptions.
With that being said, here are 8 tips for success in becoming PCI Compliant.
- If you don’t need it, don’t store it
One of the most common missteps on the road to PCI compliance is the unnecessary storage of cardholder data. However, eliminating storage of cardholder data does NOT eliminate the need for compliance. It may reduce risk and the complexity of compliance. Also remember that certain sensitive authentication data should NEVER be stored.
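The first step in eliminating unnecessary cardholder data storage is finding where it already sits. The following is an added example, not code from the original post: a small Python scanner that finds Luhn-valid 13 to 19 digit sequences in a text export, flags lines whose field names suggest sensitive authentication data (CVV/CVC, PIN, track data) that must never be stored, and shows the first-six/last-four masking the DSS allows for display. The sample export, the field names in `SAD_RE`, and the test card numbers are constructed for the example.

```python
import re

# Constructed sample (not from the original post): a fake export file using
# well-known card-brand test numbers, not real accounts.
SAMPLE_EXPORT = """\
order=1001 card=4111111111111111 exp=12/27 cvv=123
order=1002 card=5500000000000004 exp=01/28
order=1003 ref=1234567890123456 note=shipping reference, not a card
order=1004 card=4111-1111-1111-1111 exp=03/26
"""

# Runs of 13-19 digits, optionally separated by single spaces or hyphens,
# that are not embedded in a longer digit run.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Assumed field names that indicate sensitive authentication data, which
# must never be stored after authorization.
SAD_RE = re.compile(r"\b(?:cvv2?|cvc|pin|track[12]?)\b", re.IGNORECASE)


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; filters out most non-card digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[tuple[int, str]]:
    """Return (line_number, digits) for every Luhn-valid PAN candidate."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                hits.append((line_no, digits))
    return hits


def mask_pan(digits: str) -> str:
    """Mask to first six and last four digits, the display form the DSS permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_export(text: str) -> dict:
    """Summarize PAN hits (masked, never re-stored in full) and SAD lines."""
    pans = [(n, mask_pan(d)) for n, d in find_pans(text)]
    sad_lines = [n for n, line in enumerate(text.splitlines(), start=1)
                 if SAD_RE.search(line)]
    return {"pans": pans, "sad_lines": sad_lines}


if __name__ == "__main__":
    report = scan_export(SAMPLE_EXPORT)
    for line_no, masked in report["pans"]:
        print(f"line {line_no}: possible PAN {masked}")
    for line_no in report["sad_lines"]:
        print(f"line {line_no}: sensitive authentication data field present")
```

Note that line 3 of the sample is skipped because its reference number fails the Luhn check, while the hyphenated number on line 4 is still caught; a scanner like this is a starting point for scoping, and any hit should be confirmed against the application that wrote the data before deciding whether storage can be eliminated.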
- Reduce the risk and testing scope
Segmenting the cardholder data environment on the network reduces the scope of compliance requirements and testing.
- Document, document, document
A big component of PCI compliance is having the appropriate policies and procedures. You can’t enforce a policy unless it exists and users have awareness. To validate compliance the organization must also have evidence of compliance, so an audit trail of control activities is mandatory.
- It’s not about the tools
Compliance is about process, people, and technology. Start with your process and then work tools into the process as needed. Where you may need tools, stay away from vendors who claim to have a one-tool-does-it-all sales pitch. There is no silver bullet.
- Security awareness program
The biggest bang for your buck on the road to PCI compliance will come from a Security Awareness Program. Training is mandatory for all employees on hire and at least once annually. The training program must include multiple methods of communicating awareness and educating employees. Effective programs include web-based e-learning, posters, monthly emails, etc.
- Third parties
Third parties that have access to your cardholder data are included in the scope of the PCI DSS. There are two options for third-party service providers to validate compliance: 1) They can undergo a PCI DSS assessment on their own and provide evidence to you to demonstrate their compliance, or 2) If they do not undergo their own PCI DSS assessment, they will need to have their services reviewed each time you undergo a PCI DSS assessment.
- Plan for incidents
Data breach incidents are increasingly common. The PCI DSS requires an Incident Response Plan and the ability to respond immediately to a system breach.
- Compliance is a journey, not a destination
Compliance regulations are dynamic and so is your business. Build compliance processes that are efficient and sustainable over the long term.